Email Account Compromised

frase

Had a customer call this morning, residential. He stated that he has been 'hacked', the people keep on changing passwords to his email account and FB.
They are demanding $AUS300 to stop the hack.

The thing is the customer states it started on his phone? So I would think that he has clicked on some dodgy email via his phone. Then from there they had gotten access to his email account and anything linked to this.

I stated first off to contact the bank, even though it looks like no transaction had occurred at this stage, and to get the bank to look for anything out of the ordinary.

I suggested to contact his ISP and explain the situation, then get back to me. I can then go through anything that was connected to the network.

Anyone here have any suggestions further?
 
There are all kinds of scams that are "phone specific" that are social engineering. I had someone on an iPhone who had somehow subscribed to a shared calendar that kept sending "reminders" that even they recognized could not be true.

If changing passwords from one computer results in a prompt change again by the nefarious actors, it's almost certainly directly linked to the source machine.

Change passwords after logging in on a machine or phone "far far away" from the one typically used, do the password changes, then see what happens.
 
Back up and then wipe his phone. What kind of email address does he have? You have to log into his email account from a known clean machine and see what's going on in the settings - look for app specific passwords, filters on the account sending emails to trash, his mail being forwarded to a fake lookalike email address, blocked contacts, etc. Once in his account revoke all other devices, delete filters, unblock addresses, delete forwarding address, etc. Look in the trash, or for a folder he doesn't recognize, for filtered email and try to restore it. Turn on 2FA using his now clean phone. Good luck - if it's a Microsoft account even changing the passwords won't turn off access in Outlook, if that's what's happening, for several days.
 
Yes, it is an ISP-linked email, i.e. Telstra here in AUS. Cheers all, will do, esp. 2FA. They also seem to be sending out spam via his account to friends, so it looks like they have his address book as well. Customer is bringing in about 5,000 devices today... not really, though, about five or so.

Will need a nuclear reactor to N&P all these.
 
Good luck - if it's a Microsoft account even changing the passwords won't turn off access in Outlook, if that's what's happening, for several days.

I know the Business 365 accounts have logins recorded and seem to remember seeing that with a free consumer one. That'll let them know if they are successfully logging in or not. Real example below.

[Attached screenshot: failed login notification]
 
This is the actual email; generally I would just state it is a generic phish. Though the customer is saying the password is changed, then they receive another one with the changed password.

Sent from my iPhone

Begin forwarded message:
From: PCHACKED@open.ok
Date: 26 October 2021 at 2:15:15 am AEDT
To:
Subject: THIS #######<--- your password? Open.
Hey ########## i know your email !

Your computer was infected with my malware!

Your password for this mail : ####### --- Evidence that I own all the information.!


I hacked your computer 1 months ago.!

I kept saving information all the time, such as: browsing history, screen recordings, contacts, messages and much more.

I already wanted to forget you, but recently i saw something interesting on your desktop. I'm talking about the day you visited a porn site. I decided to record video from the desktop. Now i have a video of you masturbating yourself.

I have already written down all your contacts from the address book.

All contacts from friends, acquaintances, relatives. All this will be with me.

I am ready to forget about all this and completely stop accessing your computer and email.

I guarantee i will not send these videos and delete all archives with them.

After that i will leave and no longer bother you, but for that I want to have $300 worth of bitcoins in my wallet.

$300 to wallet BTC

In "comment" - send your email address - and i delete all compromat.

Bitcoin wallet address:

bc1qu8zhx0xl58nmrqfqqgezf3e3e6vy6rc6w07nzs

You have 12 hours after reading this email.


I still control your email and computer - and i know when you open them and read them.

Don't try to change your email password, everything is under control.

Do not try to contact me and answer this letter.

I sent it to you from your email address.

Take a look at the sender, you will see that i have complete control over your email and your computer.

If you do not know how to buy bitcoins, you can find information on how to buy bitcoins online. If you need help, you can read several articles about it.

https://localbitcoins.com/guides/how-to-buy-bitcoins

https://www.coinbase.com/buy-bitcoin?locale=en

https://paxful.com/how-to-buy-bitcoin

I look forward to your actions. If you don't need this data online and with all your friends, send $300 to my wallet BTC. After that I will erase all data and disappear from your life.

Do not be offended by me. If you pay, nothing happens.
 
This is phishing.

And unless the password provided in the phishing message happens to have been current when it was received, which I have never seen occur, then report it and move along with life.

There are scads of password databases out there from breaches that include passwords you (the generic you) haven't used in years, and the fact that someone knows those is no surprise, really.
 
This is the actual email; generally I would just state it is a generic phish. Though the customer is saying the password is changed, then they receive another one with the changed password.

Sent from my iPhone

Begin forwarded message:
Total scam and not real. Just hoping for a sucker to fall for it.
The password though, if it is the current one, should be changed. If not, no worries.
I get those 3-5 times a month.
 
Another example.

Hello!
I am a professional coder and I hacked your device's OS when you visited adult website.
I've been watching your activity for a couple of months.
If you don't understand what I am talking about I can explain...
My trojan malware lets me get access to my victim's system.
It is multiplatform software with hVNC that can be installed on phones, PC and even TV OS...
It doesn't have any AV's detects because it is encrypted and can't be detected because I update its signatures every 4 hour.
I can turn on your camera, save your logs and do everything that I want and you won't notice anything.
Now I have all your contacts, sm data and all logs from chats for the latest 2 months but it is not very useful without something that can spoil your reputation...
I recorded your masturbation and the video that you watched. It was disgusting.
I can destroy your life by sending this stuff to everybody you know.
If you want me to delete this stuff and avoid any problems you have to send $1225 to my bitcoin address: 133gp7wGpKFaB2C593B2MCk2G4abYnEj9j
If you don't know how to buy bitcoins use Google, there are a lot of manuals about using, spending and buying this cryptocurrency.
You have 50 hours from now to complete the payment. I have a notification that you are reading this message...
TIME HAS GONE. Don't try to respond because this email address is generated.
Don't try to complain because this and my bitcoin address can't be tracked down.
If I notice that you shared this message everybody will receive your data.
Bye!
 
Get these all the time as well.

Thanks For Renewal

Hello

Thank You For Using Norton~Lifelock Premium Service.

Your Personal Subscription With Norton~Lifelock Will Expire Today. The Subscription Will Be Auto Renewed.
Please Review Your Order Summary Below.

Customer Care:- +1(833) 576-2204

Order ID:- 1827-3722-3347


PRODUCT DESCRIPTION

Account Type:- Personal Home Subscription

Product :- NORTON~Lifelock Premium

Quantity :- 1

Tenure :- 3 Years

Payment Mode:- Auto Debit

Renewal Amount - $ 349.90


This Email Confirms That You've Renewed Your 3 Year Subscription To Norton~Lifelock For $ 349.90 On June 03rd 2021.


This Subscription Will Auto Renew Every 3 Years Unless You Turn It Off, No Later Than 48 hours Before the end of Subscription Period.

To Cancel The Subscription You Can reach Us Anytime.

Customer Care :- +1(833) 576-2204

 
My general statement is for the person receiving these emails to ask themselves:

1. Have I ever dealt with the individual or entity purporting to send them?

2. Does the From address correspond, in any way, with the entity that it claims to be from?

3. Am I required to "do something" in order to prevent disaster? If so, do you have any reason to believe that this would matter? Think hard about that.

Then, after having contemplated the above, delete the email or report it as spam, the latter being preferable as it also gets deleted as part of that.

These things are NEVER real.
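Question 2 of the checklist above (and the "I sent it to you from your email address" line in the forwarded scam) can be checked mechanically from the message headers. This is an added example, not code from the thread or any poster: it parses two constructed messages (all addresses and domains are made up) and flags a self-addressed From header that is not backed by the envelope sender or a passing SPF/DKIM result, which is exactly the case where "it came from your own address" proves nothing.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From is forged to the recipient's own address, but the
# envelope sender and the receiving server's SPF result reveal the forgery.
SPOOFED_MSG = b"""Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none
From: victim@example.test
To: victim@example.test
Subject: THIS #######<--- your password? Open.

Your computer was infected with my malware!
"""

# Constructed sample of a genuinely self-sent note: envelope and From agree and SPF passes.
LEGIT_MSG = b"""Return-Path: <victim@example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=example.test; dkim=pass
From: victim@example.test
To: victim@example.test
Subject: reminder to self

Call the ISP tomorrow.
"""

def domain_of(addr):
    """Lowercase domain part of an address header, or '' if there is none."""
    _, a = parseaddr(str(addr or ""))
    return a.rpartition("@")[2].lower()

def auth_result(msg, method):
    """Extract the spf= or dkim= verdict from Authentication-Results ('missing' if absent)."""
    m = re.search(r"\b%s=(\w+)" % method, msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "missing"

def assess_sender(raw):
    """Does the visible From address correspond to who actually sent the message?"""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom, env_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    spf, dkim = auth_result(msg, "spf"), auth_result(msg, "dkim")
    reasons = []
    if env_dom and env_dom != from_dom:
        reasons.append("envelope sender %s != From domain %s" % (env_dom, from_dom))
    if spf != "pass" and dkim != "pass":
        reasons.append("neither SPF nor DKIM passed (spf=%s, dkim=%s)" % (spf, dkim))
    if reasons and domain_of(msg.get("From")) == domain_of(msg.get("To")):
        reasons.append("From equals recipient: self-spoof, not proof of account control")
    return {"from_domain": from_dom, "envelope_domain": env_dom, "spf": spf,
            "dkim": dkim, "suspicious": bool(reasons), "reasons": reasons}
```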
 
I know what it is, though the customer stated they changed the PW, then it got changed again and an email sent again.
I understand what is going on: the daft ISP asks on the portal to change the PW linked to the account.
Though the issue is that the reset is sent to the same compromised account.

So I have gotten onto the ISP - managed to bypass questioning and had the password to the account changed temporarily via them reading it out to me.
Then changed the password without needing verification via the said email address.

Not bothering wiping devices as too much time and not needed. Cheers!
 
@Porthos said:

I recorded your masturbation and the video that you watched. It was disgusting.

Oh how I just love "The Classics". Writings from Orwell, Twain, Thoreau and of course...that guy! First time a client called me and I read this I said....."Uhhhh George, you don't have a webcam attached to your computer."

Man, that phishing email is one that makes me laugh every time!
 