how I caught a hacker trying to hack (or who may have hacked) into one of my colleagues' old accounts.
-
hello:
this is how I caught a hacker who may have hacked into one of my old colleagues' accounts, an older one to be precise.
so it started when I had my old email adison.verlice@blindsoft.ent thanks to Google Workspace.
now unfortunately, we had to get rid of that because Alex (the site's CFO and domain administrator) was not making his payments on time to Google Workspace, or didn't pay at all, because we had recently moved away from Google Domains, as it was being transferred to Squarespace. we really didn't set it back up because I think we didn't make it in time, so I had an idea. I would use Cloudflare routing, which sends emails to my personal inbox and allows me to use my email as an alias.
with that I also had a catch-all inbox for anyone (anyone) (yes, even you) who sends emails to my relay. for example, I think I have cloudron@blindsoft.net as my cloudron email (which I have dropped btw heh heh heh heh you can't send me summaries), and because of this, all emails unless dropped get sent to me.
now to give you an idea of how I have my personal email set up, I have 3 layers of security tied to my email account.
first off, you need the email and, well, password.
then you need my passkey or, as a backup, my TOTP.
finally, you need a second password which is needed to get into the inbox itself.
I secure shit like the NSA.
so an old email that was part of the Google Workspace stack that I never looked at again was alchappers@blindsoft.net. this, of course, was one of Alex's sort-of aliases. now what immediately struck me was when an email came into my spam folder and touched that address, which, of course, I intercepted right away. well, I didn't even have to do anything manually, it was all done for me.
but either way...
I got this email, and what struck me immediately was the fact that the name on the email wasn't "Alex Chapman", it was his password to most of his accounts.
now what immediately caught my eye (or ear, because I'm blind) was the fact that this hacker knew his password to what he got into, which was his Google Workspace account...at least at the time, as that was required to be changed sometime before the hack, as part of our password policy, which required a 30-day password change.
he also claimed he had...videos...of Alex (I'm not gonna get into details of what kind because it'd probably go against Cloudron's TOS) and requested almost 1200 dollars for removal of any harmful software he put on, etc.
but the hacker made a critical mistake, and now I have his Bitcoin transactions on my computer.
you see, you all know Bitcoin, right?
well, thing is...it's not anonymous.
if I have your Bitcoin wallet, I can trace all of your transactions, from what you sent, to what you received on the blockchain.
if any of you (any of you) would like to view his transactions on the blockchain, here they are
currently, I think he has around a thousand dollars in BTC, so he's made a few bucks.
now scam or not, this does seem like something bad. I'm gonna post some parts of the email to you, but I'm also gonna redact other parts, because it does contain some sensitive information, like his password, which btw he uses on most sites.
and yeah, that's chapter 1 of how I intercepted a hacker's message. -
so here is the full email.
it is not the entire raw email, because it does carry some sensitive data; I did have to redact a lot, especially to try and make things as family friendly as possible.
""
Hello there!

Unfortunately, there are some bad news for you.
Around several months ago I have obtained access to your devices that you were using to browse internet.
Subsequently, I have proceeded with tracking down internet activities of yours.

Below, is the sequence of past events:
In the past, I have bought access from hackers to numerous email accounts (today, that is a very straightforward task that can be done online).
Clearly, I have effortlessly logged in to email account of yours (alchappers@blindsoft.net).

Here is the proof I hacked this email. Your password at the time when I got access to your email: (redacted).

A week after that, I have managed to install Trojan virus to Operating Systems of all your devices that are used for email access.
Actually, that was quite simple (because you were clicking the links in inbox emails).
All smart things are quite straightforward. (>_')

The software of mine allows me to access to all controllers in your devices, such as video camera, microphone and keyboard.
I have managed to download all your personal data, as well as web browsing history and photos to my servers.
I can access all messengers of yours, as well as emails, social networks, contacts list and even chat history.
My virus unceasingly refreshes its signatures (since it is driver-based), and hereby stays invisible for your antivirus.

So, by now you should already understand the reason why I remained unnoticed until this very moment...

While collecting your information, I have found out that you are also a huge fan of (redacted).
You truly enjoy checking out (redacted) and watching (redacted), while having a lot of (redacted).
I have recorded several (redacted) of yours and montaged some videos, where you (redacted) while (redacted).

If you still doubt my serious intentions, it only takes couple mouse clicks to share your videos with your friends, relatives and even colleagues.
It is also not a problem for me to allow those vids for access of public as well.
I truly believe, you would not want this to occur, understanding how special are the videos you love watching, (you are clearly aware of that) all that stuff can result in a real disaster for you.

Let's resolve it like this:
All you need is $1290 USD transfer to my account (bitcoin equivalent based on exchange rate during your transfer), and after the transaction is successful, I will proceed to delete all that stuff without delay.
Afterwards, we can pretend that we have never met before. In addition, I assure you that all the harmful software will be deleted from all your devices. Be sure, I keep my promises.

That is quite a fair deal with a low price, bearing in mind that I have spent a lot of effort to go through your profile and traffic for a long period.
If you are unaware how to buy and send bitcoins - it can be easily fixed by searching all related information online.

Below is bitcoin wallet of mine: 1c5V4U862UYzScN1a1RVS3DdQhbnK5dUR

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Below is the list of actions that you should not attempt doing:
Do not attempt to reply my email (the email in your inbox was created by me together with return address).
Do not attempt to call police or any other security services. Moreover, don't even think to share this with friends of yours. Once I find that out (make no doubt about it, I can do that effortlessly, bearing in mind that I have full control over all your systems) - the video of yours will become available to public immediately.
Do not attempt to search for me - there is completely no point in that. All cryptocurrency transactions remain anonymous at all times.
Do not attempt reinstalling the OS on devices of yours or get rid of them. It is meaningless too, because all your videos are already available at remote servers.

Below is the list of things you don't need to be concerned about:
That I will not receive the money you transferred.
- Don't you worry, I can still track it, after the transaction is successfully completed, because I still monitor all your activities (trojan virus of mine includes a remote-control option, just like TeamViewer).
That I still will make your videos available to public after your money transfer is complete.
- Believe me, it is meaningless for me to keep on making your life complicated. If I indeed wanted to make it happen, it would happen long time ago!
Everything will be carried out based on fairness!

Before I forget...moving forward try not to get involved in this kind of situations anymore!
An advice from me - regularly change all the passwords to your accounts.
""
-
if he were still able to send emails from that domain (he's not), anyone he sent emails to would see his password, because that is his new email name. now how they actually managed to get access to his Google Workspace after it was terminated is a mystery to me.
I still have no idea to this day.
also, if it's driver-based, the only way to fix that would be to plug it into a live CD and do a virus scan on the drivers, and even then, you'd have to be good at forensics to identify the malware, as you have to know what it's doing (that is, if this information is true). I do find this to be a partial scam, but then again, he did have Alex's password.
oh, and not to mention this came from an organizational email, an educational organization's email, which, btw, is a legitimate organization that does medical operations.
also, you should not send money to this guy, because if you do it could motivate him to scam. change your password, access your drives, and don't download weird or random shit off the internet. -
but I'm curious, because the highest transaction was that I believe someone sent him (unless he spent) 8000 dollars, and right now his value is sitting at around 2500 dollars. lol, I bet he has this sitting in a Bitcoin exchange somewhere, because most people use Bitcoin exchanges. so if someone were to report this guy, he would've had to have gone through KYC (know your customer) laws. this includes social security number, actual identity, phone number, full name, address, birthday, some IRS information, yabba yabba yabba, bla bla bla, you get the gist. this means that if the government were to subpoena his shit from whatever exchange he's using...he's fucked! fucked with a capital F. that is, unless he's storing it in a Bitcoin hardware wallet, or an offline Bitcoin application like the ones seen in the Tails operating system.
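Before anyone pastes the wallet address from that email into a block explorer, a cheap sanity check is whether it is even a well-formed legacy (Base58Check) Bitcoin address: scam mails sometimes carry mangled or truncated addresses, and an invalid one cannot have received anything. The script below is an added example for this thread, not code from the poster or from any explorer; it implements the standard Base58 decode plus double-SHA256 checksum with only the Python standard library. The Satoshi genesis address is used as a known-good test vector, and the address quoted in the email is simply checked and printed, with no claim made about the result.

```python
import hashlib

# Standard Bitcoin Base58 alphabet (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes, preserving leading zero bytes."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading 0x00 byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_legacy_btc_address(addr: str) -> bool:
    """True if addr is a syntactically valid P2PKH ('1...') or P2SH ('3...') address.

    Checks: Base58 alphabet, 25-byte length (1 version + 20 hash + 4 checksum),
    known mainnet version byte, and the double-SHA256 checksum.
    Bech32 ('bc1...') addresses are out of scope for this check.
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return raw[0] in (0x00, 0x05) and digest[:4] == checksum


if __name__ == "__main__":
    candidates = {
        # Well-known public address of the genesis block coinbase (known valid).
        "genesis": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
        # Address quoted in the extortion email above (result not asserted here).
        "from the email": "1c5V4U862UYzScN1a1RVS3DdQhbnK5dUR",
        # Constructed: last character altered, so the checksum must fail.
        "corrupted": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    }
    for label, addr in candidates.items():
        print(f"{label:15} {addr:36} valid={is_valid_legacy_btc_address(addr)}")
```

A valid checksum only says the string was copied intact; it says nothing about who controls the address or whether it has received funds, which is the part a block explorer answers.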
-
oh yeah, and mind you, the only reason (the only reason) I caught this is because of a catch-all inbox. if it had not been for this inbox, I may not have caught this.
not to mention, anyone who received this email in their own inbox would be just...scared, practically running for their lives!
so I think it's good that I caught that, before the victim did. -
oh, I should mention another detail: if you look at the email message closely, he said 48 hours "after you have opened this email".
if this is true, this must mean he either can see the email being opened (if it were sent to Alex) through the harmful software, or, more likely, if you could see the HTML that was in the email, I think it's more likely he tried to send an HTML beacon in this email. this is because HTML beacons can track you the minute you open the email.
they are basically automatic images that load the second you take a look at your email, which can not only give away that you opened the email, but can also give away the IP from which you opened it.
it's called an email tracker.
now when searching through the email, my web client reported no trackers, and even if I used an email client, I have my email client set to not load automatic tracker payloads in emails so they can't just bug my emails.
it is not abnormal to find a company, or a hacker, bugging your email.
I think an example of this is Canarytokens.
it is not meant to be an email bug, but it is possible to have it load an email bug when the email is opened by the mail client.
apps like the default mail client on Windows are vulnerable to this because they do not prevent images like web beacons from loading automatically; they just load the image.
think of it as an IP logger for your emails, because just by injecting some code, you can inject a web beacon and grab someone's IP.
Thunderbird is not vulnerable to this, because it blocks anything that tries to load automatically and requires the user to load it, or just doesn't let it load at all.
K-9 is vulnerable by default but can be easily configured to not load these images.
and just in case you wonder, no, PGP does not prevent this.
PGP only encrypts the message body and does not get rid of the bug.
if you have a VPN you could also be covered. personally I use Tor, and if I need a VPN I would use Mysterium or some type of dVPN.
some web clients can prevent this, and Proton Mail blocks these by default on both web and application clients.
however, this didn't seem to be the case, so I'm guessing the hacker expected it to go to Alex (hahahaha, it went to me), and if there was one, Cloudflare's email routing service must've removed it. I will check the routing rules to see what I can find.
well, the logs lol. -
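The "web beacon" check described in this post can be done on the raw message rather than by trusting the client. Below is an added example, not code from the thread or from any of the mail clients named above, that parses a constructed sample message with Python's standard library and flags `<img>` elements that would phone home when rendered: any remote (http/https) image is reported, and 1x1 or zero-size dimensions, `display:none` styling and a per-recipient query token are listed as extra indicators. The sample message, the `track.example.invalid` host and the `id=abc123` token are made up for the example; inline `cid:` and `data:` images are deliberately not flagged because they load nothing from the network.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not the email quoted in this thread): a harmless
# inline logo plus a hidden remote 1x1 image carrying a per-recipient token.
SAMPLE_EML = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello there!</p>
<img src="cid:logo" width="120" height="40">
<img src="https://track.example.invalid/open?id=abc123" width="1" height="1" style="display:none">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> start tag in an HTML part."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value) pairs; value may be None.
            self.images.append({k: (v or "") for k, v in attrs})


def find_beacons(raw_message: str):
    """Return a list of findings for remote images in the message's HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() yields the message itself if it is not multipart
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src", "")
            url = urlparse(src)
            if url.scheme.lower() not in ("http", "https"):
                continue  # cid:/data: images are embedded; nothing is fetched
            reasons = ["remote image"]
            width, height = img.get("width", ""), img.get("height", "")
            if width in ("0", "1") or height in ("0", "1"):
                reasons.append("1x1 or zero-size")
            if "display:none" in img.get("style", "").replace(" ", "").lower():
                reasons.append("hidden")
            if url.query:
                reasons.append("carries a query string (per-recipient token?)")
            findings.append({"src": src, "host": url.hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EML):
        print(f"{finding['host']}: {', '.join(finding['reasons'])}")
        print(f"  {finding['src']}")
```

Any hit from this scan is exactly what the "don't load remote content automatically" setting in Thunderbird, K-9 or Proton Mail neutralises: the fetch that reveals the recipient's IP and open time never happens unless the user asks for it. Running it over an `.eml` saved from a catch-all inbox also answers the question raised in the post about whether the relay stripped something, since the raw file shows what actually arrived.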
oh, thanks to whoever upvoted my post. my screen reader doesn't really tell me who, but thanks.
-
oh, I didn't know you were a staffer here...
-
@adisonverlice2 said in how I caught a hacker trying to hack (or who may have hacked) into one of my colleagues' old accounts.:
were to report this guy, he would've had to have gone through KYC (know your customer) laws. this
just a quick update, actually 2 updates.
1, yes, he is using a Bitcoin exchange, which was easy to find because he literally said exchange rates applied. now I don't know why hackers are using those things, because, going back to that post, they need KYC (know your customer) information to comply with KYC laws.
oh, and according to our sponsor, the blockchain, he has $2468 in his wallet.
it is tricky to get Bitcoin in an anonymous way.
Monero is much more anonymous because it can't be traced back (unless you have stupid opsec) and you can get it anonymously.
but the problem is hackers want high amounts, they want what works.
they want to hit the jackpot.
so they use Bitcoin.
whereas 1 bitcoin is worth almost 60000 dollars, Monero is only worth around 170 dollars.
they aren't concerned about anonymity (not all that much at least); they just want the higher payout.
again, I can tell you this because I myself am a hacker. and while I've never made transactions on the blockchain, I know how to trace transactions on the blockchain.
hackers like me know their craft.
that's why you need to look out -
if I were doing this, I would first off put my Bitcoin in a secure cold storage wallet. then I would, of course, start my hack and infect the machine, but before doing that, make a new BTC address for each victim. now I wouldn't make a main Bitcoin wallet, as, again, that could be traced back to me. I would stick with these Bitcoin wallets and start spending, baby. now maybe if I had to, I would move it to a temporary Bitcoin wallet, but again, that could be a point of trace. I as a hacker would not like to make any noise about who I am.
of course, at that point, though, I would use Monero, because it's much more anonymous and cannot be easily traced. -
o I almost forgot.
it has been almost 72 hours since the email got sent out, and y'wanna know how much has happened?
drumroll, please...nothing.
absolutely nothing!
the hacker has not sent me, at least, anything.
now if I ever hear of him sending anything out to a hacker forum or me, I will fire up my tor browser and find out what's up.
I'm still a bit scared, mostly because they have Alex's correct (and still working, btw) password. I have warned him of the hack.
now I don't think it's from an email link; I'm pretty sure it's something else, considering he has been downloading weird shit lately.
now again, I don't know about this, considering the fact that he seemed to have only emailed Alex's old email, which I now have control of and intercept all messages to.
now for security reasons, the email you see displayed on my profile is dropped, so you can't send me any spam or tell me heh heh heh heh I just hacked your bank account. why?
because I get too much spam at that email already.
and even if you did manage to send an email to it, if it doesn't say "message not delivered", it'll likely just not reach me.
if you want to send me a message, you can use the Session private messenger and use the Session ID in my profile on the "about me" page.
this will allow you to send me messages confidentially and encrypted so only I can see them.
also note that I do not accept calls, because they could show you my real IP address due to the p2p connection.
also it may be slow due to the fact that it goes through Lokinet, which is similar to Tor.
oh, you could also send me a message in the Cloudron PM thing, but that is not encrypted.
oh, and good luck trying to hack any of my accounts, because I have high security. I change my passwords, and I absolutely ensure my accounts' safety, including on this forum. lately I've been the target of several hacks, but that's a story for a different thread.
-
so uh, quick update...
alex's password, unfortunately, is still working.
if that is the case, I hope he still has 2FA on at least some of his accounts.
also, I decided to check haveibeenpwned and, believe it or not, a password he had used was breached!!!!!!
I'm fucking upset that he will not change that password at all, even after confirming that it has been breached, almost 200 times btw.
something tells me that he either sent his password over an email address with that password, or that he sent it over an insecure page.
it makes me question whether he should have access to our stuff or not; I'm planning on revoking it.
if he's going to be that fuckin' dumb about his security posture, I will not have someone like that on our team.
in fact, the passwords he uses, I find, are not secure, and even if not breached, could still be cracked just by talking to Alex, like in a social engineering attack.
actually, I could get his password just by striking up a conversation with him about his favorite YouTuber or favorite character, then generating a password list based off that alone.
at that point, SE is not even needed, because it's easy to do.
he's very open about his favorite YouTuber, DaveMadson, who is a part of the logo bloopers community. this is why, as mentioned in FIDO2 support, I think passkeys are the way to go. they would require actual stupidity or physical access to the device to get in, and they're more secure.
oh, and not to mention, if we still had our Windows server, Alex's enemies would've been able to get hold of it easily, even with all the security put in place.
now I don't think his security posture is good, and I don't wanna kick him off my team because he's the CFO and primary domain admin, but if it comes down to it, I may have to.
I hate doing something like this because we've worked together for several years. -
so another update: that password count, which btw was a family password (don't ever use the password for your family), was upgraded to breached 592 times! gotta love that...
-
previously, a year ago, it was breached around 100 to 200 times. now it's 500 times.
massive upgrade from last year... -
@adisonverlice2 the email that was sent to your colleague is extremely common, and is one of the more successful extortion schemes. The extortionist purchased a list of email addresses and passwords from dark web data breaches and simply sent an email to everyone in the breach. The breached password is included in the email to (rightfully) scare the end user into believing the story that follows afterward. The scheme is particularly successful with people who reuse their passwords and super obvious to those who use password managers. You can easily find out if the password or email you use has already appeared in a data breach by directing people to the website: https://haveibeenpwned.com and more importantly, registering your company domain and/or email addresses with their breach notification system.
I assure you, the only lesson anyone learns from these emails is to stop reusing their passwords. Your colleague has done nothing wrong. -
@umnz said in how I caught a hacker trying to hack (or who may have hacked) into one of my colleagues' old accounts.:
@adisonverlice2 the email that was sent to your colleague is extremely common, and is one of the more successful extortion schemes. The extortionist purchased a list of email addresses and passwords from dark web data breaches and simply sent an email to everyone in the breach. The breached password is included in the email to (rightfully) scare the end user into believing the story that follows afterward. The scheme is particularly successful with people who reuse their passwords and super obvious to those who use password managers. You can easily find out if the password or email you use has already appeared in a data breach by directing people to the website: https://haveibeenpwned.com and more importantly, registering your company domain and/or email addresses with their breach notification system.
I assure you, the only lesson anyone learns from these emails is to stop reusing their passwords. Your colleague has done nothing wrong.
of course. weirdly, though, they only sent it to Alex. though they should contact me if they want a good scare. also, I didn't even know that it was possible to register domains and stuff. let me see...
-
thank you.
I just added my domain to their domain search dashboard. -
also, I should really put the Google version of my blindsoft.net account on the Google Advanced Protection Program, just in case. they do a good job of locking down accounts. my personal account is on there.