10 votes

Help: I just received a mail from my own email, can't know if phishing or I'm hacked

Posted by unknown user
Tags: security, ask.help

I just received a mail from my own e-mail address, hosted on Gandi on my own domain name. It said that the sender has hacked me, used malware, keyloggers and RDP to get my passwords and copy all my files to his own computer, and took videos of me while watching adult content using my webcam (I never noticed the light turning on for it). Claims they've been doing this for a few months. Gives a bitcoin address and wants $1000 (a sum I can't and won't give, don't even have a fraction of it) in 48 hrs, or else will share the videos with my contacts. It said something about a pixel the message included.

I viewed the message from K-9 mail on android (which didn't tell anything about pixels or whatnot), and when I went back on my computer to check the headers and stuff, the message was deleted.

Now, is this some sort of phishing or or have I really been pwned? I feel like it's just phishing, but the message deleting itself kinda gave me shills of fear. I promptly changed my password for the mail account.

8 comments

  1. [2]
    Comment deleted by author
    Link
    1. unknown user
      Link Parent
      Thank you and @Wes a lot for quick replies. I shoudl have known better but I panicked when I saw the message deleted itself (I use POP3, but it did not deliver the message so maybe it has sth to...

      Thank you and @Wes a lot for quick replies. I shoudl have known better but I panicked when I saw the message deleted itself (I use POP3, but it did not deliver the message so maybe it has sth to do with headers, I will try to investigate when I am back home).

      3 votes
  2. Wes
    Link
    Common scam. It's been going around for the last six months or so.

    Common scam. It's been going around for the last six months or so.

    12 votes
  3. [5]
    CrazyOtter
    Link
    Echoing what the others have said, it's a scam. If they had that kind of access then they would probably just try to empty your bank account. Interested to know where the email has gone (likely a...

    Echoing what the others have said, it's a scam.

    It said that the sender has hacked me, used malware, keyloggers and RDP to get my passwords and copy all my files to his own computer, and took videos of me while watching adult content using my webcam (I never noticed the light turning on for it).

    If they had that kind of access then they would probably just try to empty your bank account.

    Interested to know where the email has gone (likely a simple explanation), keep us updated!

    9 votes
    1. [4]
      unknown user
      Link Parent
      Procmail ate it, because the sender was dumb enough to include a X-Spam-Level header: procmail: [13464] Sat Feb 2 18:44:45 2019 procmail: Assigning "LOGABSTRACT=yes" procmail: Assigning...

      Interested to know where the email has gone (likely a simple explanation), keep us updated!

      Procmail ate it, because the sender was dumb enough to include a X-Spam-Level header:

      procmail: [13464] Sat Feb  2 18:44:45 2019
procmail: Assigning "LOGABSTRACT=yes"
procmail: Assigning "DROPPRIVS=yes"
procmail: Assuming identity of the recipient, VERBOSE=off
procmail: Match on "^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*"
procmail: Assigning "LASTFOLDER=/dev/null"
procmail: Opening "/dev/null"
procmail: Notified comsat: "g@0:/dev/null"
From bine@sunray-fm.de  Sat Feb  2 18:44:45 2019
 Subject: This account has been hacked! Change your password right now!
  Folder: /dev/null

      I did not think of it because I don't run spamcheck on email since some time (don't really receive all that much spam luckily, and I have problems configuring spamassassin). I did use it in the past and have forgotten to disable it from procmailrc, so the filter matched and the mail was discarded:

      # Discard if spam-score ≥ 10 stars.
:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
/dev/null

      When I dig that domain from the From line:

      ; <<>> DiG 9.11.5-P1-1-Debian <<>> sunray-fm.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sunray-fm.de.			IN	A

;; ANSWER SECTION:
sunray-fm.de.		1800	IN	A	85.214.21.50

;; AUTHORITY SECTION:
sunray-fm.de.		86400	IN	NS	ns4.stratoserver.net.
sunray-fm.de.		86400	IN	NS	ns3.stratoserver.net.

;; Query time: 149 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Paz Şub 03 19:17:46 +03 2019
;; MSG SIZE  rcvd: 109

      Whois:

      Domain: sunray-fm.de
Nserver: ns3.stratoserver.net
Nserver: ns4.stratoserver.net
Status: connect
Changed: 2017-06-21T18:24:13+02:00

      Unfortunately I don't keep a verbose log for mpop (my pop3 client), so can't know more than this I guess. Maybe the outgoing server was checking for spam? Or maybe this was a trick pulled of to annoy the receiver?

      That Strato has abuse contacts, would contacting them be of any use?

      3 votes
      1. [3]
        Comment deleted by author
        Link Parent
        1. [2]
          unknown user
          Link Parent
          Thanks! I just sent an email. BTW thanks also for linking to DeepL, looks interesting!

          Thanks! I just sent an email.

          BTW thanks also for linking to DeepL, looks interesting!

          2 votes
          1. [2]
            Comment deleted by author
            Link Parent
            1. unknown user
              Link Parent
              Oh I should've updated, sorry. They told me to report to a different e-mail address, which I didn't get to yet b/c some some hassles last week. Will retry this week. I also received a couple...

              Oh I should've updated, sorry. They told me to report to a different e-mail address, which I didn't get to yet b/c some some hassles last week. Will retry this week.

              I also received a couple identical messages, from different domains, using different providers. I have retained the messages this time fixing my procmailrc (can share if interested).

      2. CrazyOtter
        Link Parent
        Huh well there you go, mystery solved. I would follow up with their abuse contacts.

        Huh well there you go, mystery solved. I would follow up with their abuse contacts.

  4. Soptik
    Link
    I started getting these emails shortly after Collection #1 (7 Jan 2019) was published. It contained 772,904,991 according to have i been pwned.

    I started getting these emails shortly after Collection #1 (7 Jan 2019) was published. It contained 772,904,991 according to have i been pwned.

    In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

    6 votes