Jockyspider

Is this a spam email or not

OK - Request a checkout in the Mac Malware Removal Help & Support sub-forum.

NOTE:  This thread was originally posted in Newest Malware Threats which is a Windows malware file submission sub-forum and was moved here to General Chat. Thus a presumption of Windows was made.


Hello @Sebbyb1:

As an adjunct to Dave's always excellent advice, if you have Malwarebytes for Mac v3.8.17.2526 already installed and updated with database v4.0.402, then run a manual Threat Scan and include the results in the new topic Dave has suggested you create.

If Malwarebytes for Mac has never been installed on the Mac, please consider making it part of your Mac's defensive arsenal. The first/initial download/install automatically activates a 14-day free premium trial by default for your evaluation.

Reference: Download and install Malwarebytes for Mac

You may always amend your new topic with the above mentioned scan results.

Thank you.


Hello @Sebbyb1:

Your next helper would like to know that.  Please reply to your new topic with the same information as was suggested above.

Good luck to you!


Hello @Sebbyb1:

Dave has been, is now, and shall always be an industry expert in malware.  This forum, and others like this one, have seen this scare tactic you received and similar before.  I truly do admire your concern and your willingness to seek the help of experts in this field.  I agree with Dave.  If Dave gives you advice, take it to the bank.

I wish all computer owners & users were as evolved as you.

Cheers


OK, I get worried really easily, that's why. I just don't want someone to get my personal data like my files and that; it's that which is freaking me out the most. I do appreciate everyone's help, I really do.


Hi everyone,

I came across this post as I received the exact same email as Sebbyb. I got 2 emails, one yesterday and one today, both from "saveyourself" accounts. The subject of one even called me a pervert!! The content of the emails was exactly the same as what Sebby originally posted. I searched my email address and it has been pwned on 4 sites. I read that MySpace was compromised some years ago and the passwords were all transferred to lower case. The password of mine that they knew was correct except for the capitalisation, so I think that might be it. I'm no longer worried about having been hacked, but I must say these emails are quite convincing. I also received 2 with slightly different wording. Blocked and deleted and changed all my passwords. I only really use my phone (Samsung G9) so I'm less worried about being hacked; is there a way to check this on a phone?

Anyway @Sebbyb1, I mainly just wanted to share my experience so hopefully it puts your mind at rest, as we both got the same scam. Otherwise we will see if there are indecent videos of us on the internet when we don't pay in 3 days ;-)


Yes, it can be convincing on some of them. Just remember, never use the same password on other sites. Even though login via Facebook or Google looks tempting, DO NOT do it. Always create your own personal account and a unique password for every site. Use a password manager as needed to help. If you're using the same password and a site gets hacked, they now have access to any other site you may be using.

Use Password Management software

Bitwarden
KeePass Password Safe


Hi all. 

I knew it was a scam E-mail, I already got some similar ones with old passwords I don't use anymore.

But the sentence "if you want to find out more - Google: 'Drive-by exploit'" stimulated my curiosity.
So I did the Google search exactly as suggested, or maybe "what is a Drive-by exploit".

I like to learn this kind of stuff. I was on my android phone in the bus, too relaxed.
So I opened quite randomly the first 2-3 google links without thinking too much.

Also this one (I think, 99% sure, I didn't make any screenshot):
!! I make the link unclickable !!  https: slashslash howtoremove.guide slash remove-drive-by-exploit-email
Even if I know I have (had?) no malware.

Well, the Chrome page opened but showed suddenly something like "loss of network connection".
I looked at the android status bar.  The 4G symbol disappeared for some seconds. Then came back.
This in a place where there is always 100% high signal.

Question: may I have got a malware like that? 
Or this ON/OFF/ON is just a coincidence?
It would be ironic and a bit sci-fi if I get a malware by a drive-by download after connecting to a web page the guy spamming me hopes I open following his suggestions.

However, I then turned my mobile phone off, removed the SIM card and spent some time doing a factory reset / reinstalling all the usual stuff.
And then I put the same SIM card back; I can't be too paranoid.

I am still waiting all day for the results of hybrid-analysis on the web page.
Tons of submissions pending, I don't understand it.
However virustotal and the android static analysis results are not all green.
https://www.hybrid-analysis.com/sample/69b61e0b4b800586e84bc373eb3b181f092ae694d0c3dcdf39b88c422fcffc7d

Any thoughts?


You submitted a URL on howtoremove.guide for analysis. The site is not a malicious site that will cause malware to be installed on your PC just by visiting it. The site does have an agenda, but not to "infect" the visitor.

https://howtoremove.guide/remove-drive-by-exploit-email/

The purpose of howtoremove.guide is not to provide information. It is a shill site created to obtain affiliate revenue for the web site owner by referring visitors to SpyHunter software. It is not an authoritative site, and what it provides is incomplete information and misinformation, hoping you will be referred to use SpyHunter.

56 minutes ago, Beginner said:

But the sentence "if you want to find out more - Google: "Drive-by exploit" stimulated my curiosity.

So I did the google search exactly as suggested, or maybe "what is a Drive-by exploit".

This is Social Engineering to lend credulity to the email blackmail scam so you'd be more likely to pay the blackmail fee.

So there are two Social Engineering processes to discuss here.

  • Email blackmail scams use a password or some verbiage to make you feel fear and trepidation, to induce the victim to pay the blackmail fee so that the reported private data is not released.
  • There are sites created to be the destination of common Google, Bing, Ask and other associated search topics, providing faulty information or misinformation to goad someone into using or buying a product or service.


Hey, I'm pretty new to this, and got here doing a search for the original email text. I wouldn't have posted but something has got my curiosity. 

On 7/23/2019 at 7:34 AM, AdvancedSetup said:

Even though login via Facebook or Google looks tempting DO NOT do it.

Is this particularly relevant if you have 2 factor or 2 step security enabled against those accounts? If the site gets broken into and you're signed in via Google, for example, and not using the Google password on any other services, is the 2FA going to be enough to secure yourself anyway, or is it still very important to create new accounts for each site you visit?

I'm just now coming to terms with the degree that I've had bad habits re: security over the last years. 

Cheers, 

Sheather


Two Factor Authentication is not a panacea for security. Please see the following article:

Is two-factor authentication (2FA) as secure as it seems?

What if you lost the phone?
On how many sites could someone wanting to be either mean or evil cause you a lot of trouble? With the phone in their hands they don't even need to be technically advanced to change the passwords to every site the phone will let them into; then, with that phone, they have the Two Factor Authentication in their hands. They can now also go and change the registered email address to one you don't even know. Now they've not only changed all the passwords, but the email addresses too. You don't have that phone anymore. How are you going to prove who you are and get access back to any of that data without a LOT of trouble?

No doubt, it's hard. No one manually logs into mail or websites on their phone, even if they do on their PC. It's just too time consuming on a phone, even for paranoid people. That's why you really need to be cautious with how you use your phone.


Okay, so I didn't know that the "log in with other account" can bypass 2FA for the account to log in, so that is interesting. Outside of that though, if I already have 2FA set up with the Facebook or Google account that I'm using to log in to these sites, then that account is secure outside of a physical security breach, right? 

If someone did get their hands on my phone, would they still need to be able to get in with passcode or fingerprint? I always thought that the standard passcode encryption would be strong enough that I'd not be vulnerable to the thief logging in to random accounts due to saved credentials. And if they got their hands on my phone and it was unlocked, then I'm kinda screwed either way aren't I? 

Or is the argument here that if you're using a password keeping application that there's 1 more layer to your security? If I'm using at least even very very basic security best practices, isn't it almost vanishingly unlikely that the change actually becomes relevant?


If you've already done it then it is what it is. You could still change the password outside of that login and break the connection. But, no need to get paranoid about things either. As for your last statement not really sure what you mean by that. You either strive to try to achieve a certain level of security or you don't. Very basic has no real meaning. It can or would mean different things to different people.

Using Two Factor Authentication is much better than nothing. Just pointing out it's not perfect. Using auto logins does not mean you're going to have your account compromised but IF it does then you're going to potentially be susceptible to other accounts also getting compromised.


You're right, and thank you for the information and articles in this thread. They have been really easy to follow and informative. I guess I got a bit rambling in the last post, wrote it while tired, which is generally a bad idea. I'll try to make sure I'm implementing some of the good practices mentioned and keep myself secure moving forward. 


So, I don't want to look paranoid.

But: yesterday I opened this forum page and another forum page (reddit) where I wrote the same stuff and the site:  

https://   howtoremove.guide   /remove- ******  drive-by-exploit-e    mail/   

opened in a tab by itself. No kidding, I don't know how this is even possible.

I finally have the results from hybrid-analysis and they look REAL BAD (in my humble opinion):

https://www.hybrid-analysis.com/sample/69b61e0b4b800586e84bc373eb3b181f092ae694d0c3dcdf39b88c422fcffc7d/5d3d59b4028838118b93867c

Malicious 100%

Risk Assessment
Network Behavior
Contacts 23 domains and 22 hosts. 
MITRE ATT&CK™ Techniques Detection
This report has 2 indicators that were mapped to 4 attack techniques and 4 tactics. 

The windows 64 bit analysis is still in the queue since 07/24/2019 06:46:46:

https://www.hybrid-analysis.com/sample/69b61e0b4b800586e84bc373eb3b181f092ae694d0c3dcdf39b88c422fcffc7d

How can I check if my PC is compromised? And my Android phone?


You misinterpret the report.  There is nothing physically malicious in that report.  No exploit code found, no malicious content and no malware being dropped - Nothing!

As I stated it is nothing but a shill site for obtaining affiliate revenue for pointing site viewers to SpyHunter.

https://www.virustotal.com/gui/url/8003c0f828d7d61c2ffd34ac448d4dc9e9fa28d15d60020e2a61019566b76c98/detection

EDIT:

From the index.html of that page obtained with WGET.

https://www.virustotal.com/gui/file/b3d26f8a92f3779405403db7e93c151b2871d169838b0bb100e1a133af877698/detection


Hi David, thank you for the answer. I may have misinterpreted it, as I am not an IT expert...

May I ask you something?

Apart from the page opening by itself, which worries me a bit, can you (or someone else) explain to me 3 parts of the big report (here the full screenshots and below the parts)?

[screenshot: full hybrid-analysis report]

1 - What this means:

[screenshot: report section 1]

2 :

[screenshot: report section 2]

3 And these:

[screenshots: report section 3]

Thank you and have a nice day.


They mean nothing.

The final one is just that the site uses the Microsoft CryptoAPI to obtain a DER encoded X509 Certificate from the Comodo Security Solutions, Inc., Online Certificate Status Protocol ( OCSP ) server and the site communicates over SSL.

https://docs.microsoft.com/en-us/windows/win32/secauthn/secure-channel

GET   ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
User-Agent:  Microsoft-CryptoAPI/6.1


I have gotten the same email yesterday but the wording is a bit different. These emails are definitely a scam, right? Because I keep having panic attacks about it 😞 I'm just worried!


"Hi, I know one of your passwords is: *********

Your computer was infected with my private malware, your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".

My malware gave me full access to all your accounts (see password above), full control over your computer and it also was possible to spy on you over your webcam.

I collected all your private data and I RECORDED YOU (through your webcam) SATISFYING YOURSELF!

After that I removed my malware to not leave any traces and this email was sent from some hacked server.

I can publish the videos of you and all your private data on the whole web, including the darknet, where the very sick people are, social networks, over email of all contacts.

But you can stop me and only I can help you out in this situation.

Transfer exactly 800$ in bitcoin (BTC).

It's a very good offer, compared to all that horrible ***** that will happen if I publish everything!

You can easily buy bitcoin here: www.paxful.com , www.coingate.com , www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger.
You can send the bitcoin directly to my wallet, or create your own wallet first here: www.login.blockchain.com/en/#/signup/ , then receive and send to mine.

My bitcoin wallet is: 1BXavFhbxCpno2dFpS4BU4NvEJjjqCN8Kd

Copy and paste my wallet, it's (cAsE-sEnSEtiVE)

I give you 3 days time to pay.

As I got access to this email account, I will know if this email has already been read.
If you get this email multiple times, it's to make sure that you read it, my mailer script is configured like this and after payment you can ignore it.
After receiving the payment, I will remove everything and you can life your live in peace like before.

Sorry, next time update your browser before browsing the web!"

That's the email I got

Yes - scam. See: FYI: Email Ransom Scam still current for samples of similar email.

Delete the email and then change your email password to a new Strong Password just to make sure.

Additionally, you can enter your email address(es) in the following site and it will check to see if that email address was part of a known breach. This is most likely how they know the password. From a breach and not from your PC being compromised.

https://haveibeenpwned.com/

Please reference:
-----------------
US FBI PSA - Extortionists Increasingly Using Recipients' Personal Information To Intimidate Victims
US FTC Consumer Information - How to avoid a Bitcoin blackmail scam
MyOnlinesecurity - attempted-blackmail-scam-watching-porn
BleepingComputer - Beware of Extortion Scams Stating They Have Video of You on Adult Sites
Malwarebytes' Blog - Sextortion emails: They’re probably not watching you
Malwarebytes Forum sample thread - Got strange threating email.