Author Topic: Password Hack/Malicious Email  (Read 2315 times)

Password Hack/Malicious Email
« on: May 13, 2020, 09:00:12 am »
I've had a very malicious email from someone today. It purports to be from someone who claims to have installed malware on my device - it doesn't say which and has the base version of my password. That is actually correct. It claims to have recorded me wanking to a porn site. It also says it will send a video to 9 random contacts if I don't cough up.
Now, the password isn't one I use, because I adapt it for every site I access and use. I don't log into any porn sites - though I do use them for research purposes, natch.
I suspect someone has accessed the database of a company somehow and is sending the details to as many people on the hacked list as possible.
However, just to be on the safe side, how would I check if my computers are infected? I would know how to do that on a Windoze machine, but on Ubuntu? And android?
Haggerty F, Haggerty R, Tomkins, Noble, Carrick, Robson, Crapper, Dewhurst, Macintyre, Treadmore, Davitt.

Re: Password Hack/Malicious Email
« Reply #1 on: May 13, 2020, 09:10:07 am »
Wouldn't take it that seriously, if they geneinely did have video of you and were serious about blackmail they would send an excerpt to prove it. It's a scattergun approach.
Just keep your software up to date, back up everything important to both the cloud and an unconnected physical disk, don't click links in dodgy emails, and you should be ok.
It is what it is. It's not what it's not, so it must be what it is.

Re: Password Hack/Malicious Email
« Reply #2 on: May 13, 2020, 09:15:46 am »
I get those too, probably at least one a month turns up in my SPAM folder. They got the password from a hack sometime in the past when some companies server got pawned. Then they just mailshot everyone with the same mail with the password and name auto replaced.
Ignore it unless its your entire current password for something in which case change that password fast.
If they have the base password maybe also worth using a new base password as if they have the say the first 6 digits of a 9 digit password then it will be a lot easier to brute force the rest of it.
I think you'll find it's a bit more complicated than that.

Regulator

  • That's Councillor Regulator to you...
Re: Password Hack/Malicious Email
« Reply #3 on: May 13, 2020, 09:22:34 am »
I get those too, probably at least one a month turns up in my SPAM folder. They got the password from a hack sometime in the past when some companies server got pawned. Then they just mailshot everyone with the same mail with the password and name auto replaced.
Ignore it unless its your entire current password for something in which case change that password fast.
If they have the base password maybe also worth using a new base password as if they have the say the first 6 digits of a 9 digit password then it will be a lot easier to brute force the rest of it.


^^^
This!


I seem to get them in batches, for a few days each month.  They quote an old password that hasn't been used for years.
Quote from: clarion
I completely agree with Reg.

Green Party Councillor

ian

  • feat. Undead Jess & Finestre, Queen of Hell
Re: Password Hack/Malicious Email
« Reply #4 on: May 13, 2020, 09:24:58 am »
Common as a very common thing, it's the scam du jour. I've had one (ahoy, TalkTalk password), my wife gets them. As said, pwned list and a spam cannon.

There are decent odds that most blokes and a fair number of women are using porn sites for research every now and again, so a large potentially guilty population. Only a small number of these filthy-minded fools have to cough up some cash and it's a profitable venture.

Bin it.
Support the Great Surrey Bear Census 2020

fuaran

  • rothair gasta
Re: Password Hack/Malicious Email
« Reply #5 on: May 13, 2020, 10:00:29 am »
Check Have I Been Pwned. It might give you a clue where the password came from. https://haveibeenpwned.com/
Just make sure you never reuse the same passwords for different sites. Get a proper password manager, and generate unique passwords for everything.

And stick some duct tape over the webcam, just to make sure...

Re: Password Hack/Malicious Email
« Reply #6 on: May 13, 2020, 10:09:38 am »
Some Thinkpads used to come with a little slider that physical covered the webcam.
I think you'll find it's a bit more complicated than that.

Re: Password Hack/Malicious Email
« Reply #7 on: May 13, 2020, 10:13:23 am »
And "base password" sounds a bit risky, I know some people who've had other accounts hacked because they've used a scheme like:-

Arg!3Barg!3wiggle for wiggle
Arg!3Barg!3ebay for ebay
Arg!3Barg!3amazon for amazon
...etc...

As soon as one plaintext password is leaked by some random site then it doesn't take much for the rest to be automatically checked against other sites.

Get a proper password manager, and generate unique passwords for everything.

Is the right answer, it's a bit of a pain (especially getting it all to sync across different devices (Linux, Windows, mobile phone, etc) ) but you do get used to it.
"Yes please" said Squirrel "biscuits are our favourite things."

ian

  • feat. Undead Jess & Finestre, Queen of Hell
Re: Password Hack/Malicious Email
« Reply #8 on: May 13, 2020, 10:26:49 am »
Alternatively, charge them for your webcam show. I am told that's the usual business model.

One that my wife got claimed he could see her 'shiny car.' We've checked everywhere in her office and have yet to find it.

(If you think about this scam, even given the filthy-minded prevalence of web users, they'd have to be looking at billions of hours of webcam footage on the off-chance of catching an incriminating wrist-shuffle.)
Support the Great Surrey Bear Census 2020

Re: Password Hack/Malicious Email
« Reply #9 on: May 13, 2020, 10:29:58 am »
The base password thing I think is because some password schemes only depended on the first few letters and used an insecure hashing scheme that makes it easy to decrypt what they were. They may or may not actually have the rest of the password.

(though of course some hacked sites stored full passwords in plain text)

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Password Hack/Malicious Email
« Reply #10 on: May 13, 2020, 10:34:16 am »
Check Have I Been Pwned. It might give you a clue where the password came from. https://haveibeenpwned.com/
Just make sure you never reuse the same passwords for different sites. Get a proper password manager, and generate unique passwords for everything.

And stick some duct tape over the webcam, just to make sure...

Also remember the acronym

Strong Passwords Avoid Fapping Fraud
If you don't like your democracy, vote against it.

Re: Password Hack/Malicious Email
« Reply #11 on: May 13, 2020, 10:48:03 am »
I had a bit of a panic. Then read the hits were for databases of email addresses.

It does not surprise me that my email addresses are on databases out there otherwise I would not get so much spam.


Sent from my iPad using Tapatalk

Re: Password Hack/Malicious Email
« Reply #12 on: May 13, 2020, 11:57:39 am »
Cover up the webcam before wanking

Re: Password Hack/Malicious Email
« Reply #13 on: May 13, 2020, 12:25:26 pm »
The base password thing I think is because some password schemes only depended on the first few letters and used an insecure hashing scheme that makes it easy to decrypt what they were. They may or may not actually have the rest of the password.

(though of course some hacked sites stored full passwords in plain text)

There are many routes to password leaks:-

a) By far the most common is a database that gets copied somehow (usually because it does not have adequate protection) and the passwords are stored in plain text.

Storing passwords in plain text is criminal (and literally criminal in some countries).

b) Next up is the passwords are stored in a database but the passwords are hashed using a weak hashing algorithm.

Although password hashes are one way (there's no way to decrypt them directly) it is possible to try lots of different strings until you find something that, when hashed, gives the desired hash value.

MD5 hashed passwords (with no salt[1]) can be computed very very quickly, which means it is possible to work out the vast majority of weak (and even medium strength) passwords using a few hours of computing time. You can get even more once you throw multiple CPUs and GPUs at the problem and use precomputed fun things like Rainbow Tables[2] and the like.

c) Stronger hashing algorithms are better, but if one of your passwords has already been leaked once elsewhere then that can be used as the basis for more guessing. This is when people use 'base passwords' like the above.

Stronger hashing algorithms require more computation, which slows down people trying to guess (or 'crack') the passwords, but also requires lots more infrastructure at the company to support a steady stream of login operations.

This is also where botnets come in as they are sometimes used as a giant supercomputer to help crack the password hashes by spreading the work around hundreds of thousands of computers.

d) Even having the strongest hashing algorithms isn't enough if the hackers have managed to get access to the code on the remote site that handles the logins, and have been able to get away with making changes.

The password you send to login to a site is sent in plaintext, it may be encrypted over the wire due to SSL/TLS but it will still need to get to the login code on the other side in plaintext in order for the login code to hash it and check it against what is in the DB.

There have been cases where companies have had their code hacked so that the supplied username/password are intercepted during the login code operation and the username/password data is exfiltrated. No need to steal the DB here, or worry about the hashing algorithm, just get the plaintext username/password pairs every time someone logs in.

This is quite rare though.

--

This is why it's important to have unique passwords for each site and not part of a guessable scheme.

Ideally losing one password should not require you to change your password anywhere else (using a predictable scheme does require you to do this).

1. https://en.wikipedia.org/wiki/Salt_(cryptography)
2. https://en.wikipedia.org/wiki/Rainbow_table
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Password Hack/Malicious Email
« Reply #14 on: May 13, 2020, 01:09:07 pm »
I agree with the password manager advice. I've never even seen most of my passwords - I just told the password manager to generate them, and it does the rest. They are all totally random strings, often with non-alphanumeric characters as well. So don't ask me what my password for this system is, because I've no idea.

Re: Password Hack/Malicious Email
« Reply #15 on: May 13, 2020, 03:20:44 pm »
Yeah, I panicked at first. You can't get teenage eskimo in Wantage.

The root password that theyve gleaned from a database hack isn't used anywhere. The one site I know it was on I've changed it.

Pure phishing, but it did get me going. FWIW, I should've thought first, as there isn't a working webcam on my Ubuntu device.
Haggerty F, Haggerty R, Tomkins, Noble, Carrick, Robson, Crapper, Dewhurst, Macintyre, Treadmore, Davitt.

Re: Password Hack/Malicious Email
« Reply #16 on: May 13, 2020, 03:31:22 pm »
Mrs DF was sent one of these last night. Likeliest source is a previous data breach through Yahoo. Change passwords and forget it

Mrs DF upset last night but ok now

A

Re: Password Hack/Malicious Email
« Reply #17 on: May 13, 2020, 04:03:11 pm »
Dropbox breach many moons ago was where they got mine.
I think you'll find it's a bit more complicated than that.

Re: Password Hack/Malicious Email
« Reply #18 on: May 13, 2020, 04:13:01 pm »
Dropbox breach many moons ago was where they got mine.

Yep, that's my only password entry in hibp. (There's another one - verifications.io - but that doesn't have password data, only some other PII).
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Password Hack/Malicious Email
« Reply #19 on: May 19, 2020, 08:33:54 am »
https://haveibeenpwned.com/ will let you know if your login appears in any breaches.
"Yes please" said Squirrel "biscuits are our favourite things."

ian

  • feat. Undead Jess & Finestre, Queen of Hell
Re: Password Hack/Malicious Email
« Reply #20 on: May 19, 2020, 09:25:33 am »
There have been tons of breaches of companies where logins and passwords were stolen, including LinkedIn, Yahoo and more.

I have received quite of few of those sort of emails saying I've been filmed watching naughty things online and I should pay otherwise they will tell everyone in my address book  ::-)

Fortunately, no one in my address book would be surprised, so I am immune to this scam.
Support the Great Surrey Bear Census 2020

Mr Larrington

  • A bit ov a lyv wyr by slof standirds
  • Custard Wallah
    • Mr Larrington's Automatic Diary
Re: Password Hack/Malicious Email
« Reply #21 on: May 19, 2020, 10:34:24 am »
There have been tons of breaches of companies where logins and passwords were stolen, including LinkedIn, Yahoo and more.

I have received quite of few of those sort of emails saying I've been filmed watching naughty things online and I should pay otherwise they will tell everyone in my address book  ::-)

Fortunately, no one in my address book would be surprised, so I am immune to this scam.

Having neither a webcam nor any entries in my address bok I'm doubly immune.
External Transparent Wall Inspection Operative & Mayor of Mortagne-au-Perche
Satisfying the Bloodlust of the Masses in Peacetime

Re: Password Hack/Malicious Email
« Reply #22 on: May 27, 2020, 11:06:44 am »
https://haveibeenpwned.com/ will let you know if your login appears in any breaches.

This. Everyone should do this.
And any important accounts you are using that base password with, go and change them now. Use a password manager to generate random passwords.
A Few Apples Short of a Strudel

Re: Password Hack/Malicious Email
« Reply #23 on: June 15, 2020, 10:45:14 pm »
And cycling sites do get targeted:-

https://road.cc/content/news/wiggle-investigating-suspected-cyber-attack-274553

Just changed my wiggle password to something random. I think that's going to finally encourage me to go through all of my (checks, ugh) 689 logins stored in Firefox and make sure they're all on a unique password. Once that's done I'll then import the lot into a password manager so I have access to them on my mobile too. Just need a master password I'll never forget!
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Password Hack/Malicious Email
« Reply #24 on: June 15, 2020, 11:25:59 pm »
Thanks. I've just changed my Wiggle password and checked I have no unexpected orders. Though you'd think they'd have the passwords stored hashed anyway.

They do say that two random, unconnected words are enough for a password these days. But I like to use daft but memorable phrases, for example:

"My first post on YACF was in 2012; now I am here far too often" - M1poYwi12nIahf2o

I don't know whether that's true by the way, and no password of mine is remotely like that, but you get the idea.