Recently, a lot of web users started reporting a new scam email that sounds really convincing and menacing. The email comes from someone who claims to be a spyware software developer. Allegedly, this person was able to exploit the so-called Cisco router, vulnerability CVE-2018-0296, which has supposedly allowed them to gain access to the victim's device and take many pictures and videos from its camera, some of which are supposed to be really compromising.
As a "proof" of this, the self-proclaimed hacker highlights the fact that the email was sent from the victim's own email account, which looks like it is the case, as both "From" and "To" fields of the email have the same email address.
The full text of the email, with some variations, is as follows:
I am a spyware software developer. Your account has been hacked by me in the summer of 2018.
I understand that it is hard to believe, but here is my evidence (I sent you this email from your account).
The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296).
I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time.
Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you.
At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit.
I note that it is useless to change the passwords. My malware update passwords from your accounts every times.
I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... :)
I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality!
So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts.
Transfer $912 to my Bitcoin cryptocurrency wallet: 1H2fPTBpvm5tyHqoxTpRy5pYo2qXMbs9to Just copy and paste the wallet number when transferring. If you do not know how to do this - ask Google.
My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it.
Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material.
I advise you to remain prudent and not engage in nonsense (all files on my server).
There is absolutely nothing to worry about
At firs glance, the email sounds convincing. After all, how could someone send that email from your own email address without gaining access to your account? Also, since a huge number of people consume adult content, chances are that a particular recipient of the email would have engaged in some sort of activities mentioned in the email. Moreover, some people have reported that their old password was also included in the email.
However, even though the email may sound convincing, there is literally nothing to worry about. Let's examine examine the content carefully.
Sent address can easily be faked
Even though the email looks like it was sent from your own address, the chances are, that it wasn't. There is an email header forgery technique known as "email spoofing", which allows a malicious sender to pretend that any particular email was sent from a different address.
The good news is that it is easy to find out whether any given email has been spoofed. The easiest way is to click "Reply" button. This action will populate the "To" field with the real address of the sender.
Some email clients will visually populate that field with the display name rather than the actual address. If this happens, hovering over such name with the mouse pointer will reveal the address.
If this action has still populated the "To" field with your own email address or if you simply want to go deeper into the details of a spoofed email, any email client will have an option with a title such as "view original" or "view sourse". This will open a full detailed representation of the actual email message, including all of its headers.
In this case, if none of the "Received" fields have your own email address mentioned, the email has definitely been sent from elsewhere. Otherwise, I've got some bad news: your email has genuinely been hacked.
The email body contains no personalised information
Have you noticed that the email body has only vague references about the recipient? Well, if I was a hacker who has access to someone's personal information, I would ensure that I use as much of it as possible, so the recipient can be convinced that its real. Therefore, the most probable reason of why the email doesn't contain any personal information is because the alleged hacker doesn't know any.
Also, there is absolutely no indication of which particular device has been hacked. Even if we don't go into any fine-grained details, at least, the type of device could be specified, such as PC or Android phone. But no, the vague word "device" was used instead.
What else would I do if I was a hacker who gained unrestricted access to your device and took some compromising pictures? I would definitely include those in the email body. As there are none in this particular email, chances are that the hacker hasn't got any.
Having said that, some users have reported that an attachment supposedly containing some images was included in their email. This is yet another trick that the hackers use.
DO NOT OPEN THIS ATTACHMENT!
If you do, the fake hack of your device may turn into a real one. Instead of opening an archive with media files, the action of clicking on the file will launch some script that will install a real malware on your device.
Usually, it's quite easy to tell whether any particular attachment is what it claims to be. Hovering over it with the mouse pointer will reveal the full file name, including its real extension.
Revealed password doen's mean your account is hacked
Those recipient of the above scam email who had their email password included in the message may think that their account has really been hacked. Otherwise, how would the sender know it?
Many of those who received this particular variation of the email have reported that the password was correct, but it was one of the old passwords rather than the current one. Some other users have reported that the password was theirs, but it was used elsewhere rather than on the email account. So, how could that be?
Well, these particular examples of correct but mismatching password provide a fairly clear indication that the sender doesn't really know your password. If your account has been hacked and they really know your password, why wouldn't they just provided it?
So, if your account hasn't been hacked, how do they know your old password? Well, chances are that this came from one of big personal data leaks that you hear about on the news from time to time.
With an easy to use online tool, you can check whether this is the case. You can enter your email or password to see if any of them have ever been compromised in those known data leaks.
However, with more and more organisations employing the best security practices, chances of having your password revealed in any data leaks becomes slim.
Hardly any organisation these days stores your password in plain text. What happens instead is that a one-way encryption algorithm is applied to your password. The password gets hashed and the hash value, which is the output of this algorithms, is what gets actually stored in the database.
As already mentioned, this process is strictly one-way. So, when you enter your password, it gets hashed and its the hash that gets compared to the one stored in the database. Therefore, even the owners of the system would not be able to know you your original password. This is why, when you click on a button to reset your password, you normally receive a link into your personal email inbox and you do it yourself. This is how you generate the hash that will be stored in the database.
When such system is in place, the hackers can't do anything with your account, even if somehow your password hash has been leaked, unless, of course, they have direct access to the back-end of the authentication system.
This point reveals another important security consideration. If you do happen to stumble upon any online service that sends you your original password when you have clicked on "forgot password" link, don't use this service. These people definitely aren't hashing your password.
As password hashing is a very standard security practice and these people aren't doing it, there is a chance that there are some other basic security practices that they aren't following. Therefore, not only your password will be revealed if the data leak happens, a chance of data leak happening is pretty high too.
As most of the phishing emails, this new email type is nothing but an empty threat, designed to exploit technological ignorance of the general public. With some basic knowledge of IT, you can prevent yourself from being a prey to such scams.
If you want to read more about protecting yourself from digital low-lifes, this website also contains the following articles:
Written by Fiodar Sazanavets
Posted on 9 Dec 2018