An unexpected hazard of using email

By November 2, 2018History, Language, Media, Society

I was an early user of desktop computers, and I think I bought my first Apple IIe in 1988. Throughout a series of ISPs and an apparently unending set of Apples I have had a relatively untroubled run with these devices. Indeed, I wonder how I ever managed to write and publish without them. It was certainly a much slower process in the days of typewriters.

Well, what follows is instructive. Read on. The English is not great. I have redacted my password and my email address, and done some editing for neatness.

Hello!

I’m a programmer who cracked your email account and device about half year ago. You entered a password on one of the insecure site you visited, and I catched it. Your password from *********************** on moment of crack: ***********

Of course you can will change your password, or already made it.
But it doesn’t matter, my rat software update it every time.

Please don’t try to contact me or find me, it is impossible, since I sent you an email from your email account.

Through your e-mail, I uploaded malicious code to your Operation System. I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources. Also I installed a rat software on your device and long tome spying for you.

You are not my only victim, I usually lock devices and ask for a ransom. But I was struck by the sites of intimate content that you very often visit. I am in shock of your reach fantasies! Wow! I’ve never seen anything like this! I did not even know that SUCH content could be so exciting!

So, when you had fun on intime sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device. After that, I jointed them to the content of the currently viewed site.

Will be funny when I send these photos to your contacts! And if your relatives see it? BUT I’m sure you don’t want it. I definitely would not want to … I will not do this if you pay me a little amount.
I think $813 is a nice price for it!

I accept only Bitcoins.
My BTC wallet: 1PL9ewB1y3iC7EyuePDoPxJjwC4CgAvWTo

If you have difficulty with this – Ask Google “how to make a payment on a bitcoin wallet”. It’s easy. After receiving the above amount, all your data will be immediately removed automatically. My virus will also will be destroy itself from your operating system.

My Trojan have auto alert, after this email is looked, I will be know it!

You have 2 days (48 hours) for make a payment. If this does not happen – all your contacts will get crazy shots with your dirty life!
And so that you do not obstruct me, your device will be locked (also after 48 hours). Do not take this frivolously! This is the last warning!
Various security services or antiviruses won’t help you for sure (I have already collected all your data).

Here are the recommendations of a professional: Antiviruses do not help against modern malicious code. Just do not enter your passwords on unsafe sites!

I hope you will be prudent.
Bye.

Well, that was a shock. I copied the message and sent it to three people who might have some sense of what to do. None of these messages reached the intended recipient, which showed that the hacker (as he foreshadowed) had set up a ‘rule’ (for example, ‘if my message is forwarded to someone, send that message to Trash’).  The hacker’s message is full of menace, and he/she wants money. No way.

In time (this happened a week ago) I was able to talk with my knowledgeables. One doubted that the hacker could do all he/she claimed, and gave what seemed like good reasons, but deferred to my technical guy, who was dismissive. ‘It’s a scam,’ he said. ‘But change your password!’ So I tried to do that, which meant that I had no  website for two days!  The new password didn’t work. Then I discovered that the ISP provider had left the old password in place.  Oh dear. So far no one has received any malicious material about me, or at least, no one has informed me that they have done so. One of my knowledgeables says that most people’s systems will see such malicious material as spam anyway, and Trash it.

I really don’t care that people may think that I have watched porn. Indeed, I have done, though it’s been a while — now at 81, with a partly-mended fractured spine, sex is not at the top of my personal agenda. And the best way to deal with threats like these is to take them head on, which I am doing here. I’m not sure that we have a ‘porn crisis’ — and I notice that someone is claiming that we have a ‘crisis crisis’! My very recent search of articles about porn suggests that it is the most visited genre on the Internet, that the proportion of women who visit these sites is growing rapidly, and that men are the principal users. None of this should be at all surprising. Sex is the dynamo of a lot of our commercial life, and it inhabits movies, books and the Internet. We are programmed to respond in all sorts of sexual ways to sexual cues, and even to seek them out.

So there you are. Out of the blue, a warning that there are idiots, and nasty idiots, out there. Suddenly, you don’t feel quite as safe as you did. What can be done about it? I am learning, and I trust that in a few days things will be back to normal. Again, one of my technical guys says that it is unlikely that anything will happen, because the hacker may well be monitoring a thousand or so people like me.  And there may be a game element in it all: I put up defensive walls, and hacker has a go at them. But if I don’t pay him anything, it’s a fruitless effort on his part.

Where did he get my email password? I don’t know. I can’t remember ever giving it to anyone. Yet plainly I must have done. So there’s a warning. Don’t do that. The technical advice is that it was most likely an innocuous purchase of some kind, and the hacker found it and stored it, waiting for an opportunity to use it. I certainly won’t do it again.

 

 

 

 

Join the discussion 19 Comments

  • Bryan Roberts says:

    If this guy’s computer expertise is as good as his English, you have nothing to worry about. I also doubt that the real (expert) hackers would spare you a passing thought – like stooping to pick up a nickel.

    • Don Aitkin says:

      I guess it depends how easily one scares. And it doesn’t cost anything for him to have a go at scaring.

    • Bryan Roberts says:

      I forgot to add, if you go through a university e-mail system, which you should be able to do, their IT people do not like their systems being hacked, and are probably capable of doing something about it. Mind you, they are also paranoid about password security. I have three, two of which I change regularly, and one that I use only for financial transactions, and that I also change.

  • Neville says:

    Don I’m sorry that you’ve had these extra problems with your email account. I’m a rank amateur online so I wouldn’t know how to advise you.
    I hope you have some good professional help that can rid you of this nasty mongrel.
    I always delete any emails that I find doubtful and my anti-virus software is very touchy about my emails at all times.
    I have known a top online guru who has been caught in a similar situation and he didn’t pay and some how fixed things eventually.
    Get the best advice and proceed from there seems to be the only answer. I hope you are successful.

  • Andy McNABB says:

    Don,

    I irregularly get a flashing message that my laptop has been hacked. Its quite hard to get out of, but eventually goes. Seems to be fairly harmless, but can be frightening.

    I think it is good practice to change your email passwords every (say) 4 months.

    And never pay a purchase with a direct entry of credit/ debit card details. Paypal is better because it puts a barrier between you and the seller. Keyloggers can be unknowingly installed on your computer.

    And if you use internet banking, change your login there every 2 months.

    Keeping track of passwords can be hazardous. I have a paper table of them, and write down the new passwords with the date of change. I keep the sheet in the freezer of my fridge, never digitally.

    And if you are worried that an intruder may find the sheet in the freezer while looking for an ice cream, then use offset coding (like the military does). Offset coding is counting along the alphabet a number of characters from a start character. For example, D12 equates to Q (12 characters further along from D). The alphabet has more combinations at 26 characters (and even more with CAPS and lower), compared with the numbers 0 to 9.

    I have a little Excel spreadsheet that works out any offset (eg B178). I work out new passwords offline, and keep the sheet on a little USB which I dismount when finished.

    Call me paranoid, but I have only be fully hacked once (many years ago). when my desktop was rendered completely useless, and had to be rebuilt, with the subsequent loss of some years of data.

    And backup your important data. Storage USBs are fairly cheap and reliable these days (but buy only by well known brands such as SanDisk – there are heaps of faulty USBs sold). I have one giant folder in windows explorer which holds everything I use frequently, and I back it up every second night while I sleep. The non- critical data is kept off my laptop.

    The ransomware attack seems to have died down recently.

  • Andy McNABB says:

    Don, a side question if I may. Would it be possible to have a button at the top of a thread “Go to latest comment”. I really enjoy your site, and thank you for it. It would help getting to the latest comment, rather than scrolling/ reading through a long thread to find the latest (which could be anywhere, and not necessarily at the end).

  • NH says:

    I got virtually the same message, and what made it somewhat credible was that they did have my email password. One thing that lessened my alarm was that I don’t have a camera on my monitor, so the part about watching me watching porn was nonsense.
    The request was also for $813 (supposedly a careful calculation of the value of the damage to be inflicted). There was a bitcoin account to be paid into, but no instructions on how to do it, unlike your case.
    There was also some kind advice for me to be more careful in the future.
    Even though all the elements are the same, and in the same order, mine was shorter, with different mistakes. Is there a template going around for this kind of activity?
    Telstra said this is pretty common, and the answer is to have a really complicated password. I suggested something but it was not good enough because it would only take a computer 8 months to crack it. I was given one which would take 400 years. It is definitely not memorable.

  • Don says:

    These suggestions are really helpful. And fascinating to learn that that there was an almost identical hack for a reader.

  • Chris Warren says:

    Don

    With the amount of computer power now available – hackers can brute-force alphanumeric passwords, so you may not have disclosed your email password. Just stick a few other characters in a new one – eg; +?% and make it at least 8 characters long.

    Example: Apple$+Are+G00d

  • Andy McNABB says:

    Most laptops have a camera on the top of the screen. I have put a little piece of cardboard (postage stamp size) over it (hinged) to stop any smart arse using it (its only good for Skype video).

    The bank account passwords are critical. Never answer an email from what appears to be your bank. Always call your bank and confirm the email. There have been a number of cases where bank accounts have been cleaned out, and the bank will, in just about every case, not assist you (“not our problem sir!”). There is always someone who is looking for “early retirement” !

    The current Royal Commission on banks is revealing the heavily stained underwear of the banks and other financial institutions. The banks are scrambling to restore their previous shit house (sorry Don) name.

    The lesson is: Be very wary of just about everything on the web. Once you are connected on the web, you are (potentially) connected to every other computer in world that is online.

    Don, so very good to hear you have regained better health.

    Andy

  • Doug Lavers says:

    I am not sure of the value of “regularly” changing key passwords which are only used on home computers.

    Presumably, no-one is looking over your shoulder to watch. [Different in a work environment].

    If your password is hacked, the damage will be done quickly, likely well before the next pw change. Having the latter happening regularly would not provide any real protection.

    Then there is the problem of keeping track of your passwords …………….. I do not fully trust password managers – something about having all your eggs in one basket.

  • Andy says:

    Doug, its not a matter (generally) of someone looking over your shoulder. It’s the web that is the problem. Hacking an email account will never be solved fully, but changing passwords (fairly) regularly may thwart a hacker who has got your password and waiting in the wings for a surprise attack. Remember, the hackers are trying possibly a hundred accounts (of all sorts, particularly bank account passwords) a day. And the hackers share information.

    And just because you have been hacked once does not ensure you will not be hacked again. But changing passwords will give some protection against further hacks.

    Should you loose your keys to your house/ car, and have a locksmith change the locks, would you allow the locksmith to set up the same setting ? Certainly not !

    I was a Property Manager some years ago, and when I took up the position, I was mortified that the previous Property Manager would give the keys to a prospective tenant to inspect the property/ ies. There is no need to tell you that a quick trip to the local hardware store to get duplicates cut was the potential result.

    Indeed, there was a gang doing just that. They would express interest in 3 or 4 properties, be given the keys to inspect, but then go straight to the hardware store to have duplicates cut. They would then depart town, and lay low for 12 months. Then return to the property/ ies with a moving van, and clean it out. The goods would be sold on the second and market.

    The police investigating would be perplexed as there was no sign of forced entry.

    Good money if you can get it !

    Where I live the second hand shop has closed down. Why ? Because the owner (who I knew) says there is so much stolen goods floating around, the business became untenable. He was visited by the the cops every second day with a list of stolen goods and wanting to inspect his stock.

    I agree password managers are unsafe – hackable. That’s why I keep my passwords (changes) off my laptop – in the freezer just behind the lamb chops. Its not absolutely guaranteed to be safe, but its better than leaving them on my laptop.

  • Peter Sommerville says:

    Frankly Don I doubt if your email password was in fact “cracked”. The spammer’s email is full of technical nonsense.
    It would be interesting to have a look at the header information in the original. His claim to have emailed you via your own account is easy to test.

    It is very easy for those who have a mind to do so to spoof your email. It has happened to me a couple of times.

  • Art says:

    I do a lot of financial work as well as some personal things on my PC so privacy becomes important.
    If you desire privacy, there are many products that can help.

    Firstly use a VPN that doesn’t keep records. (Most do) I have been happy with NordVPN.

    Next don’t use commercial search engines like Yahoo or Google. Instead use a private search engine such as:
    DuckDuckGo — Privacy, simplified.
    The Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs.
    [Search domain duckduckgo.com] https://duckduckgo.com

    Thirdly you can use encrypted email such as the free Protonmail
    Secure email: ProtonMail is free encrypted email.
    ProtonMail is the world’s largest secure email service, developed by CERN and MIT scientists. We are open source and protected by Swiss privacy law
    [Search domain protonmail.com] https://protonmail.com

    One method I use with an encrypted email is to send the password as part of an innocuous email or give merely a hint to someone I know well.

    Fourthly, there malware protection programs that will keep your passwords in a “wallet” so that they do not have to be typed in. Bitdefender is one of the top protection programs.

    Lastly, I use Windows 7 than Apple operating systems because Microsoft doesn’t control what you can download.

    Had I been rich when I retired 10 years ago, I would have loved to have funded various sociological studies of porn at PhD level For example type any physical deformity into a porn provider and it will come back with related sexual activity, stuff you may not want to see or know about BUT it provides a wonderful outlet for marginalised people with all sorts of problems that prevent what one might deem as “normal” sexual activity. I gave up talking about this along with ideas about possible applications of hapto-computing concepts after a few weeks because all I ever got was funny looks. Indeed, when I suggested to the then CEO of CSIRO about the potential millions of dollars that CSIRO could earn by developing hapto-computing applications for the porn industry, he seemed somewhat unpleased.

    However, I read that cat videos downloads were taking up more bandwidth than porn, probably a healthy sign.

  • Bryan Roberts says:

    Interesting to read different takes on the problem. As I travel fairly frequently, I do not want to have passwords on my laptop, but I do need to know what they are (and I can’t ask the lovely ladies on Singapore airlines to “please put this piece of paper in the freezer for me”. My solution, that may not work for everyone, is to have variants on the authors/titles of books, including alphanumeric characters and cap shifts. Example: D0n@itKin. I thought this up on the spot. From the web: ‘It would take a computer about 4 weeks to crack your password’. Do you think anybody in their right mind would bother?

    • BB says:

      I use KeePass which generates an 10 digit number for my emails. So you need 9,999,999,999 by say 10 seconds. So at bit more than 3000 years should pull it up.

  • BB says:

    I have had 3 emails similar to Don’s all addressed to the same email address, I have 10 addresses. A key to the source is “fortnightly lunch newsletter”. With this who was it sent to by name that is Don Aitkin or typically “me”. It seems this is a result of phishing never never respond to a link in an email you are not certain as to the source. If I am to believe my emails, PayPal loses my details every week or so!

    This is a spray to a large email base it will be true for some. They may pay!

Leave a Reply