Attack Techniques: “I Already Hacked You” Scams

Scammers often try to convince you that you've already been hacked and that you must contact them or send them money to prevent something worse from happening. I've written about several variants of this:

  1. A tech-support scammer shows a web page claiming your PC has a virus and that you need to call them or download their program to "fix" it.
  2. A notification spammer shows fake alerts that pretend to come from your locally installed security software.
  3. An invoice scammer claims they've withdrawn money from your account and that you need to call them to cancel the transaction.

Another common "bad thing already happened" scam is an email telling the recipient that their devices were hacked some time ago and that the attacker has recorded videos of the victim engaged in embarrassing activities.

The attacker usually includes some "phony evidence" to make the claim seem more credible. In some versions, the email quotes a password previously associated with the recipient's address, gleaned from an earlier data-breach dump. For example, I've received multiple scam emails citing my account's password from the 2012 LinkedIn breach:

In today's attack, the bad guy simply forges the sender address to be my own email address, hoping I'll believe this proves they already have access to my account. It proves nothing: the From: header is just text the sender types, and nothing stops a mail server from putting any address in it:

Under the hood, Outlook.com (Hotmail) knows that this sender address was forged. The Authentication-Results header it stamps on the message records that SPF failed (the sending IP 195.225.99.200 is not authorized to send mail for hotmail.com), that the message carries no DKIM signature, and that DMARC therefore failed as well:

Authentication-Results: spf=fail (sender IP is 195.225.99.200) smtp.mailfrom=hotmail.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=hotmail.com;
Received-SPF: Fail (protection.outlook.com: domain of hotmail.com does not designate 195.225.99.200 as permitted sender) receiver=protection.outlook.com; client-ip=195.225.99.200; helo=willishenryx.com;
Received: from willishenryx.com (195.225.99.200) by BL6PEPF00022575.mail.protection.outlook.com (10.167.249.43)

Note the "dmarc=fail action=none": the failure was recorded, but no enforcement action (quarantine or reject) was applied on that basis, which is why the message still reached my inbox. If you want to check a suspicious message yourself, look for these lines in the full message headers rather than trusting the From: address the mail client displays.
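As an added example (not code from the original post), here is a small Python script that parses an Authentication-Results header like the one above and explains, in the same terms the mail filter uses, why the visible From: address cannot be trusted. The scam header is the one quoted in the post; the "good" header, the "mx.example.net" authserv-id and the victim@hotmail.com / friend@hotmail.com addresses are constructed for illustration.

```python
import re
from typing import Dict, List

# Authentication-Results value copied from the forged message shown in the post.
# Outlook.com / Exchange Online Protection stamps it without an authserv-id prefix.
SCAM_AUTH_RESULTS = (
    "spf=fail (sender IP is 195.225.99.200) smtp.mailfrom=hotmail.com; "
    "dkim=none (message not signed) header.d=none;"
    "dmarc=fail action=none header.from=hotmail.com"
)

# Constructed contrast case (not from the post): a message whose sender really
# was authorized. "mx.example.net" is a made-up authserv-id.
GOOD_AUTH_RESULTS = (
    "mx.example.net; spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=hotmail.com; "
    "dkim=pass (signature was verified) header.d=hotmail.com; "
    "dmarc=pass action=none header.from=hotmail.com"
)

# One clause: method=result, optional "(comment)", then key=value properties.
_CLAUSE = re.compile(
    r"^(?P<method>[\w-]+)=(?P<result>\w+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<props>.*)$"
)
_PROP = re.compile(r"([\w.-]+)=([^\s;]+)")


def parse_authentication_results(value: str) -> Dict[str, dict]:
    """Split an Authentication-Results value (RFC 8601 shape) into per-method results.

    Returns {"spf": {"result": "fail", "comment": ..., "props": {...}}, ...}.
    A leading clause with no '=' is the authenticating server's id and is kept
    under "_authserv_id". Works whether or not there is a space after each ';'
    (Microsoft omits it before "dmarc=", as in the header above).
    """
    results: Dict[str, dict] = {}
    for clause in (c.strip() for c in value.split(";")):
        if not clause:
            continue
        m = _CLAUSE.match(clause)
        if m is None:
            results["_authserv_id"] = clause
            continue
        results[m.group("method").lower()] = {
            "result": m.group("result").lower(),
            "comment": (m.group("comment") or "").strip(),
            "props": dict(_PROP.findall(m.group("props"))),
        }
    return results


def _aligned(signing_domain: str, from_domain: str) -> bool:
    """Relaxed DMARC-style alignment: identical, or one is a subdomain of the other."""
    s, f = signing_domain.lower(), from_domain.lower()
    return bool(s) and (s == f or s.endswith("." + f) or f.endswith("." + s))


def assess_sender_forgery(auth: Dict[str, dict], header_from: str, rcpt_to: str) -> dict:
    """Decide whether the visible From: address can be trusted, and say why.

    SPF answers "was this IP allowed to send for the MAIL FROM domain", DKIM
    answers "did the From: domain sign the message", and DMARC fails when
    neither check passed with a domain aligned to From:.
    """
    reasons: List[str] = []
    spf, dkim, dmarc = auth.get("spf", {}), auth.get("dkim", {}), auth.get("dmarc", {})
    from_domain = header_from.rsplit("@", 1)[-1].lower()

    if spf.get("result") != "pass":
        reasons.append(f"SPF {spf.get('result', 'missing')}: "
                       f"{spf.get('comment') or 'sending host not authorized'}")
    if dkim.get("result") != "pass":
        reasons.append(f"DKIM {dkim.get('result', 'missing')}: "
                       f"{dkim.get('comment') or 'no valid signature'}")
    elif not _aligned(dkim.get("props", {}).get("header.d", ""), from_domain):
        reasons.append("DKIM passed but the signing domain does not match From:")
    if dmarc.get("result") == "fail":
        note = "DMARC fail"
        if dmarc.get("props", {}).get("action") == "none":
            note += " (action=none: recorded, but the message was still delivered)"
        reasons.append(note)

    # The scam's hook: From: equals the recipient. Forging it costs the sender nothing.
    self_addressed = header_from.strip().lower() == rcpt_to.strip().lower()
    if self_addressed:
        reasons.append("From: equals the recipient address; this proves nothing about account access")

    # Untrusted if DMARC failed, or if neither SPF nor DKIM vouched for the sender.
    untrusted = dmarc.get("result") == "fail" or (
        spf.get("result") != "pass" and dkim.get("result") != "pass"
    )
    return {"untrusted_from": untrusted, "self_addressed": self_addressed, "reasons": reasons}


if __name__ == "__main__":
    verdict = assess_sender_forgery(parse_authentication_results(SCAM_AUTH_RESULTS),
                                    header_from="victim@hotmail.com",
                                    rcpt_to="victim@hotmail.com")
    print("untrusted From:", verdict["untrusted_from"])
    for reason in verdict["reasons"]:
        print("-", reason)
```

The verdict function deliberately reports DMARC's "action=none" separately: a failing message that was delivered anyway is exactly the case where a user has to read the headers, because the client will happily show the forged address.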

The attacker typically promises the victim that they’ll delete the incriminating videos if the victim pays a ransom in cryptocurrency:

Public block explorers let you look up the transaction history of a cryptocurrency address. The address in today's scam has received nothing so far, but in previous scams I've seen the attacker's address receive thousands of dollars from several victims. :(

Tragically, it seems entirely plausible that this scheme has driven panicked teens to suicide (similar sextortion schemes definitely have): victims who believed something terrible had already happened, without recognizing that every word of it was a lie.

Stay safe out there, and make sure your loved ones know that everyone on the Internet is a liar.

-Eric

Published by ericlaw

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now working on Microsoft Defender. My words are my own, I do not speak for any other entity.

One thought on "Attack Techniques: "I Already Hacked You" Scams"

  1. I’ve been receiving those forged emails on my Microsoft account every now and then, and I have also noticed frequent failed sign-in attempts from random IPs and devices. Fortunately, I use MFA, although it’s frustrating how Microsoft accounts require a phone number or an alternate email address even if you have better MFA methods configured, which is something Google accounts do not impose on users, not to mention that local Windows accounts additionally require 3 security questions nowadays, which is insane!

    I was wondering where to check in Outlook.com to identify the forgery so thank you very much for this article! :)
