Anatomy of a scam, and LiveJournal's lost passwords

LiveJournal seems to have leaked plain-text passwords.

I found this out because I've just received three scam emails that are trying to blackmail me for bitcoin worth [$1600, $1100, $1100].

Here is one of the emails; the others look similar, but each one is phrased slightly differently in a way that suggests a template filled with randomly selected phrases:

It appears that, («REDACTED BUT ACCURATE»), 's your password. You might not know me and you are probably wondering why you are getting this e-mail, right?

in fact, I setup a trojans on the adult vids (adult) web-site and you know what, you visited this website to have fun (you know very well what I mean). When you were watching videos, your internet browser started out functioning like a RDP (Team Viewer) which gave me accessibility of your screen and web cam. and then, my software programs obtained your complete contacts out of your Messenger, Outlook, Facebook, along with emails.

What did I really do?

I made a double-screen video clip. 1st part shows the video you're watching (you have a good taste haha . . .), and 2nd part shows the recording of your web cam.

exactly what should you do?

Well, I think, $1100 is really a fair price for your little hidden secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

Bitcoin Address: «REDACTED BY ME IN CASE PUBLISHING IT AFFECTS REPORTING TO THE AUTHORITIES»

(It's case sensitive, so copy and paste it)

Very important:

You've some days to make the payment. (I've a completely unique pixel within this e-mail, and at this moment I am aware that you've read through this email message). If I don't get the BitCoins, I will certainly send out your video recording to all of your contacts including family, coworkers, and so forth. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and i'll definitely send out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

Here are some of the headers:

X-Spam-Flag: NO

X-Spam-Score: 3.875

X-Spam-Level: ***

X-Spam-Status: No, score=3.875 required=10 tests=[INVALID_MSGID=1.167,

RCVD_IN_MSPIKE_BL=0.01, RCVD_IN_MSPIKE_L5=2.599, SPF_PASS=-0.001,

TO_IN_SUBJ=0.1] autolearn=disabled

and

Content-Transfer-Encoding: 7bit

Content-Type: text/plain; charset=UTF-8

There are several clues here that it's a toothless scam, but I suspect some people will fall for it if I don't blog about it:

  1. There's duct tape covering my webcam
  2. I don't use Outlook
  3. There's duct tape covering my webcam
  4. I block Facebook on my computer, and only use it on my mobile, because it's a massive time-waster that stops me getting things done
  5. Did I mention there's duct tape covering my webcam?
  6. I'm not into videos. My teenage years were the dial-up days, where everyone had still pictures or plain text and that was good enough. (Hashtag Four Yorkshiremen Humblebrag). Plus, I'm a furry, so the stuff I like tends to be met with blank stares and the words "I can't even parse this image", not "you have a good taste haha".
  7. See #1
  8. The email is plain text and cannot contain a tracking pixel
  9. There's still duct tape covering my webcam

Now, I'm saying LiveJournal in particular is the source of that leaked password, because that password is one I only ever used for LiveJournal. Never anywhere else. (In case you're wondering, that LiveJournal blog has now been deleted owing to it being totally pointless).

I have confirmed via Troy Hunt's Have I Been Pwned? that the password is in publicly known databases of leaked passwords. To my surprise, Have I Been Pwned? thinks that password is in use in two places, not one. My own list of personal passwords says I only use it in one place, and the nature of the password does not lend itself to reuse (it's what you get if you mash a keyboard at random for 13 characters, not anything easily memorised).

Slightly more worrying is that when I duckduckgo'ed (Google found nothing) for the bitcoin addresses to see if they were known, one gave a single result for the https://www.sec.gov domain, and another gave a single result for https://www.panasonic.com/ — I have no reason to suspect either of those domains wittingly contained these bitcoin addresses, but this may be connected to a recent-ish Cryprojacking attack where many reputable websites included a third-party javascript library which had itself been hacked to mine bitcoin on the computers of unsuspecting users of unsuspecting websites.

When I've figured out the appropriate authorities, I'll be reporting these emails to them.

Original post: https://kitsunesoftware.wordpress.com/2018/08/09/anatomy-of-a-scam-and-livejournals-lost-passwords/

Original post timestamp: Thu, 09 Aug 2018 15:24:47 +0000

Tags: bitcoin, crime, Technology

Categories: Scams, Software

© Ben Wheatley — Licence: Attribution-NonCommercial-NoDerivs 4.0 International