There seems to be an alarming number of scam email attempts going around lately, and a few of them in particular have people extremely concerned. Scam emails are nothing new, but we have had people contact us regarding a specific type of email that has been doing the rounds since August last year. There are a few variations of this email, however it will generally follow these main points:
- Hello, I am a notorious hacker.
- I have infected your computer with malware, and I have used this to get embarrassing footage of you via your webcam.
- For proof, this is your password: *password here*
- For further proof, I have sent this email from your own email account which I have also hacked. Check the sender address.
- Deposit $xxx.xx amount of dollars into my Bitcoin wallet, or I will send the footage of you to everyone you know on social media and all the email addresses in your mailbox and ruin your life forever.
Without a doubt, the contents of the email are very disturbing when taken at face value. To the layperson it understandably sounds convincing. How could they know my password and send an email from my own account if what they were saying isn’t true?
How is an email sent from my own email address if they don’t really have access to the account?
This is due to a technique called ‘spoofing’, and it’s surprisingly easy to do. Spoofing is when somebody forges the from address of an email. This is one of the most common tactics used in phishing and spam emails. It’s very successful, and even if you know what to look out for, it may still catch you out on occasion.
You can confirm whether an email has been spoofed or not by checking the email’s “header”. If you’re not sure how to check the header of an email, MxToolBox have some great guides you can check out. You can then run the headers through their very useful ‘Email Header Analyzer’.
Here is a real life example header of a spoofed scam email. Please note that certain sections have been altered or removed for the privacy of the original recipient:
Received: from b1s3-1b-syd.hosting-services.net.au
by b1s3-1b-syd.hosting-services.net.au with LMTP id KJgNBTmM1FvU3TcAM3NUgg
for < email@example.com >;
Received: from out06.smtpout.orange.fr ([220.127.116.11]:46953 helo=out.smtpout.orange.fr) < (This is a French IP address)
by b1s3-1b-syd.hosting-services.net.au with esmtps (TLSv1:DHE-RSA-AES128-SHA:128)
(envelope-from < firstname.lastname@example.org >)
Received: from ([18.104.22.168]) < (This is a Vietnamese IP address)
I have made bold the parts of the email header which shows it to be spoofed. What we’re looking for here is the IP address (the numbers in brackets). Once you have the IP address the email was sent from, you can then check it using a geolocation IP tool to identify the origin. Our servers are all based in Australia, so if it’s an IP address from a foreign country then it wasn’t sent from your own mail server.
What we’re trying to illustrate in the example header is that the email was first sent by someone with a Vietnamese IP address, which was then sent from a mail service in France into the inbox. In conclusion, the email was originally sent from someone else’s email address and not from the account it claims to be from.
Now, on to the other convincing aspect of this type of scam email.
How do they know my password?
The password may look familiar because of the frequent data breaches that large companies experience on an ongoing basis. These breaches can sometimes result in the leak of millions of user’s passwords to the public.
When you receive a scam email and it includes a familiar password that you have used before or still use, it’s likely that the scammer has just grabbed it from a data leak of passwords.
One of the best websites for checking whether you have been part of a data leak over the years is ‘Have I Been Pwned’. All you need to do is enter your email address. The tool will then return a list of sites and services that your email address has been leaked from (and potentially other information such as your password).
If your email shows up and you have not recently updated your password, please ensure that you do so as soon as possible. Anytime your password, or a password that you have used before, is emailed to you, you should immediately update that password wherever you use it.
Hopefully you can rest a little easier, knowing that these scam emails are usually nothing but a cheap trick. If you’re still in any doubt however, we are always here to put your mind at ease and investigate further for you. Please feel free to give us a call on 0426 998 755. And whatever you do, never deposit your hard-earned money into a scammer’s bitcoin wallet!