[flagged] “Change your password qwerty immediately. You have been hacked.” (lkml.org)
43 points by tbodt 4 months ago | hide | past | web | favorite | 36 comments

I've been getting these emails for a while now. If you realize that it's just a scam, they're providing a service similar to Have I Been Pwned, delivered directly to your inbox!

They've earned nearly 3BTC off of this scam if BitRef is accurate: https://bitref.com/15ZHnf1MPn6ybb8yUeAoCQ1AJtiKhg3NrP

We're receiving this spam from practically every continent. They ask for about 850 USD in BTC, so they always make about 6,000-12,000 USD per operation. They usually cash out in less than 5 days.

I grew tired of reporting their IP addresses to their ISPs, which definitely don't care. Especially the Asian ones.

Assuming they didn't move any of their own money to their own address.

For some reason, several addresses have their first transaction for the equivalent of a few cents USD. Some also leave change when cashing out. I wish they cleaned up properly, because if the address is disposable, those fractions of btc are lost forever.

I have been getting a variation of this email for months sent to mailer-daemon@ on a mail server on a VM that hosts absolutely no personal information or credentials about anyone.

If you Google some phrases from it, it seems like it's been going around nearly verbatim for years.

I think they are probing for mail servers which don't try to force any kind of authentication on From: headers. So mailing lists would probably be a fit for them. They have no idea who their targets are. They are just looking for gullible people to scam.

Note how this email includes a password. This particular form of scam relies on taking weak passwords acquired from database dumps and sending the scam email to the password owner, in the hopes that they'll recognize the password and think the email is legitimate (this is especially effective if the owner reuses passwords).

I'm not sure how a mailing list would end up in a dump like that though, as people don't generally sign up for sites using addresses belonging to mailing lists.

I wouldn't discount the idea that they made up a password rather than got it in a database dump. Even an incorrect password might be enough to freak somebody out.

I think these are not terribly sophisticated actors, they're running some scripts and looking for someone gullible enough to give them hundreds of dollars worth of Bitcoin based on what is in the end a pretty far fetched story.

Every previous instance of this particular scam I've seen mentioned before used a password that the recipient recognized.

I personally received this exact email just the other day, containing a password that I confirmed I actually used a very long time ago on a now-defunct site (which was known to be in at least one password dump).

I don't buy the "an incorrect password might freak someone out" argument, because the whole point of this scam is that the recipient recognizes the password. Without that password recognition, the inclusion of the password is harmful (because it proves the sender is full of shit) and at best makes the email have no more persuasive power than one that didn't include a password at all.

Hm. The mails my mailer-daemon account gets have a nearly identical message body but do not mention a specific password.

People do freak out and miss details. Kind of like what people say about 419 scams having poor grammar and spelling. This somewhat ensures that respondents are people who don't read carefully.

They do use a database dump. What's more - according to Have I been Pwned, linux-kernel@vger.kernel.org does show up in some databases.
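
The check a reader will want after this comment is how to verify whether one of their own passwords appears in a dump without handing the password to anyone. The following is an added example, not code from the thread or from Have I Been Pwned; it implements the k-anonymity range lookup that the Pwned Passwords API uses (the real endpoint URL is included but only called by the opt-in fetcher). The sample range body, its counts and the filler suffixes are constructed, and only the first five hex characters of the SHA-1 would ever leave the machine.

```python
"""Check a password against a breach corpus with a k-anonymity range query.
Added example; the offline range data below is constructed, not API output."""
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; only used by fetch_range_http


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range files use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Match our suffix against a range response of 'SUFFIX:COUNT' lines."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach occurrences for the password, 0 if never seen.

    Only the hash prefix is passed to fetch_range; the password and the
    full digest never leave this function."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_http(prefix: str) -> str:
    """Real fetcher (opt-in: performs a network request to the API)."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API: one range holding the well-known
# SHA-1 of "password" plus two filler suffixes. Counts are made up.
_PASSWORD_DIGEST = "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"
CONSTRUCTED_RANGES = {
    _PASSWORD_DIGEST[:5]: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        _PASSWORD_DIGEST[5:] + ":3730471",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher over the constructed data; empty range if unknown."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = check_password(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} times in the constructed range")
```

Swap `fetch_range_offline` for `fetch_range_http` to query the live service; the matching logic is identical, which is the point: the server learns a five-character prefix shared by hundreds of hashes, not which one you hold.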

> people don't generally sign up for sites using addresses belonging to mailing lists.

And yet some dingus in Hyderabad keeps using my email address to sign up on all the job boards in India. Users are weird.

I'm surprised it doesn't include a link to a "security site" with a domain like "passwordcheck.ru" to verify that the new password is secure.

The thing that confuses me about this is that it includes the password. Certainly most people would go "that's not my password" and ignore it. Are they trying to filter out the results to only people with atrocious passwords?

I got three of these in quick succession a few months ago. The password was:

1) Real
2) Only ever used on one website
3) Was for a LiveJournal account I'd forgotten to delete

Looks similar enough I assume the same script was involved.

Googling the bitcoin addresses I was given gave me zero results, DuckDuckGo gave a small handful of results, so I guess those addresses are also used in bitcoin mining adverts or similar?

Actually, they've been using passwords from dumps. I got a similar email and it actually had an old password in it.

Same, it kind of freaked me out to see a password I used regularly being sent to me in a spam email. Apparently mine came from the Dropbox hack.

I've received some in French that were really well written (it's often not the case) containing old valid passwords.

To begin with I freaked out a bit, then understood it was too old to be meaningful.

But seeing a password you know in the subject of the mail is a bit scary.

On a side note, while checking here and there, I found a website [0] displaying leaked passwords associated with emails. I don't know if they are OK or dangerous, so be careful.

I tried with emails I knew were in Troy Hunt's DB and it gave me the passwords.

It seems that now they just give you the first 3 letters, which is better than last week when you could test other people's emails just in case!

[0] https://ghostproject.fr/

They definitely are using real passwords. I’ve seen them use 3 of my passwords I know were in password dumps. Fortunately I haven’t used those passwords for years, but other people will be seeing their current password.

So what happened is someone signed up for LinkedIn or something using the LKML as the email address and a bogus password. I'm somewhat surprised you can post to the LKML without being a member, that's a pretty common restriction for online listservs.

Ouch [1]

I like the cut of whoever sent 0.00000666 BTC's jib.

[1] https://www.blockchain.com/btc/address/15ZHnf1MPn6ybb8yUeAoC...

> This is a hacker code of honor.

Had me right there. The entertainment value alone would be worth it, if I did not also have to calm down those (few) of my clients who are a little more, shall we say, persuadable?

Then out comes the "good security practices" text, along with credit card monitoring recommendations text, etc.

"I know it's true, 'cause I saw it on tv." - John Fogerty

>From now on, I advise you to use good antiviruses and update them regularly (several times a day)!

This is my favorite

What happens if you keep sending them more "incriminating information/pics"?

A lot of people get this spam. I received a similar one. It's the spam filter configuration of LKML and I doubt that it is an actual targeted attack.

> After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

> I made a screenshot of the intimate website where you have fun (you know what it is about, right?). After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate.

+1 for social engineering.

and very similar to the thousands of other such mails sent out every day by scammers.

I'm guessing a lot of people aren't familiar with this recent spam.

They're using email/password combinations from lists of leaked accounts. I use a distinct email address for every site (qmail's scheme: x-foo@mydomain), and so the setup was very transparent to me. But I can see the technique totally working on a basic user who reuses passwords and email addresses.

> Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started!

The most impressive part of this hack is that he got read receipts for emails!

It turned out beautifully, do not hesitate.

The mysterious individual extorting me assures me that paying their ransom via bitcoin is even easier than a credit card transaction.

How informative and thoughtful of them.

According to blockchain dot com,

Total Received 2.98619488 BTC (approx. $19k USD)

So not an unsuccessful campaign I guess

So now that all the crimes are a matter of public record, how do they get the money out without it being traced directly back to them? Shady local exchanges?

Wash it through an exchange for Monero or similar privacy-oriented currency, then back to Bitcoin/Ethereum/etc.

Unless they sent money to themselves to make it seem like a credible solution to possible victims.

I've seen similar emails in my DMARC rejected email reports.

The unique thing about these ones is that they send it from your own address. I.e. they spoof your address so that it looks like your account really has been compromised.

Like this:

From: me@example.com

To: me@example.com
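
Two of the comments above describe things a receiving mail admin can check from headers alone: the message that arrives with your own address in both From: and To: (which only looks convincing if the server does not enforce SPF/DKIM/DMARC on the From: domain), and the per-site tagged address (the qmail-style x-foo@mydomain scheme) that reveals which site leaked the address. The following is an added example, not code from the thread, from LKML or from kernel.org; it parses a constructed message with Python's standard `email` module and applies both checks. The domain example.com, the addresses, the Authentication-Results values and both messages are constructed.

```python
"""Header-only triage for the 'From: me / To: me' extortion mail.
Added example; both messages below are constructed, not real captures."""
import email
from email import policy
from email.utils import parseaddr

OWN_DOMAINS = {"example.com"}  # assumption: domains this server receives mail for

# Constructed scam message: From: spoofed to equal To:, SPF fails, no DKIM.
SCAM_RAW = """\
From: x-livejournal@example.com
To: x-livejournal@example.com
Subject: Change your password qwerty immediately. You have been hacked.
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=x-livejournal@example.com; dkim=none; dmarc=fail header.from=example.com
Message-ID: <constructed-1@example.invalid>

Do not worry, the timer will start at the moment when you open this letter.
"""

# Constructed legitimate message from the same domain with passing results.
LEGIT_RAW = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Noon?
"""


def parse_message(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg) -> dict:
    """Reduce Authentication-Results headers (RFC 8601) to {method: result}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(header).split(";")]
        for clause in clauses[1:]:  # clauses[0] is the authserv-id
            if not clause:
                continue
            method, _, result = clause.split()[0].partition("=")
            results[method.lower()] = result.lower()
    return results


def address_domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def recipient_tag(addr: str, prefix: str = "x-"):
    """qmail-style extension address: local part 'x-foo' -> 'foo', else None."""
    local = parseaddr(addr)[1].partition("@")[0]
    if local.startswith(prefix) and len(local) > len(prefix):
        return local[len(prefix):]
    return None


def is_self_spoof(msg, own_domains=OWN_DOMAINS) -> bool:
    """From: claims one of our domains but no authentication backs it.

    A DMARC pass settles it; otherwise neither SPF nor DKIM passing is
    treated as spoofed. Real DMARC evaluation also checks alignment of
    the SPF/DKIM domain with the From: domain, which this skips."""
    if address_domain(str(msg.get("From", ""))) not in own_domains:
        return False
    ar = auth_results(msg)
    if ar.get("dmarc") == "pass":
        return False
    return ar.get("spf") != "pass" and ar.get("dkim") != "pass"


def triage(raw: str) -> dict:
    msg = parse_message(raw)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    return {
        "self_spoof": is_self_spoof(msg),
        "from_equals_to": sender == recipient,
        "leak_tag": recipient_tag(recipient),  # which site leaked the address
        "auth": auth_results(msg),
    }


if __name__ == "__main__":
    for name, raw in [("scam", SCAM_RAW), ("legit", LEGIT_RAW)]:
        print(name, triage(raw))
```

The `leak_tag` value is what makes the per-site address scheme useful after the fact: a message to x-livejournal@ tells you the address came from that one signup, independent of whether the password in the body is real.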

That btc address started receiving txs last month and has almost 3 BTC in it. At time of writing that is worth ~20k USD

So I guess the question is: was the password for that email ever qwerty or how did it end up there?

This is spam people, how easily fooled are you!?

