LinuxQuestions.org
Old 10-31-2018, 10:03 AM   #1
trafikpolisen
Member
 
Registered: Jun 2008
Posts: 83

Rep: Reputation: 1
Questions about ransom e-mail


Hi!

Two days ago I received an e-mail that basically said that a hacker had cracked both my e-mail and my "device". A password I frequently used to use was in plain text in the e-mail. The sender then informed me that he had uploaded malware code to my system through my e-mail, saved all my contacts, as well as "installed malware on my device" and intercepted my traffic to certain "dirty web sites" I supposedly have visited. He has also made screenshots of this and apparently used my system's camera (which I don't have) and now threatens to send this material to everyone I know if I don't pay a 900$ ransom.

Now, I obviously have no reason to pay anything. The password presented is not the e-mail password, but one I used to use frequently on several sites and services in the past. The worst thing is that I until today used that password for my Google login. I have an idea on the background to this as several months or maybe even up to 2 years ago, I got an e-mail from a computer forum I used to visit, that their user database had been compromised and that users were recommended to change their password on both their site and on all sites and services where the same password might have been used. Unfortunately I never remembered to do that.
Anyway, the e-mail is written rather poorly to the point that I suspect that whoever has written it doesn't have English as their native language.

The e-mail account I got the e-mail on is one I only use for "historical" reasons and is one I have long thought about removing.

My question now is what I should think about and what precautions to take. Could my computer (and other devices..?) be infected (I don't use Windows btw)? I have obviously changed the password on Google and some sites where I can remember I have used the old password.
I now need your advice
 
Old 10-31-2018, 10:30 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,517
Blog Entries: 15

Rep: Reputation: 1470
It sounds like a scam to scare you into paying. Usually if they've hacked your system they lock it and make you pay the ransom to unlock it.

You should change your password on all sites not just the ones that had this password. Ideally you should use a different password on every site so if in fact one gets cracked they don't automatically have your password for all sites.

You should also make sure the only email accounts associated with sites you have accounts in are accounts OTHER than the one you've been thinking of removing. Verify they haven't requested password reset emails to that account. Some sites make you add a new email account and they send notice to the old one. Watch the old one and delete those as they come. Once the new account is associated with the site delete the old one from the site.

You could look into things like virus scans and root kit hunters to verify your system isn't infected.

Last edited by MensaWater; 10-31-2018 at 10:31 AM.
 
Old 10-31-2018, 11:18 AM   #3
sevendogsbsd
Member
 
Registered: Sep 2017
Location: Texas
Distribution: Not a distro: FreeBSD
Posts: 407

Rep: Reputation: Disabled
Agree with MensaWater - sounds like the perp is trying to trick you into giving $ because they were able to get a hold of an old password. Social engineering is what this is...
 
Old 10-31-2018, 11:39 AM   #4
trafikpolisen
Member
 
Registered: Jun 2008
Posts: 83

Original Poster
Rep: Reputation: 1
Here is the message in its entirety:
[Attached image: scam.png, 102.7 KB]
 
Old 10-31-2018, 11:47 AM   #5
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,006

Rep: Reputation: 626
Definitely a scam. I report these to the delivering ISP, as with any unsolicited commercial email.

Yes, it is disconcerting that a once legit password is referenced, but, as has been said, just don't use that password anywhere again, and be sure that all passwords are different.
 
Old 10-31-2018, 12:09 PM   #6
trafikpolisen
Member
 
Registered: Jun 2008
Posts: 83

Original Poster
Rep: Reputation: 1
Thank you for your replies! My biggest concerns are that my Google account or my computer would be compromised. Though I am running Linux I guess a malware infection by said scammer wouldn't be impossible..
I have changed e-mail and password on the sites I can remember...

Last edited by trafikpolisen; 10-31-2018 at 12:12 PM.
 
Old 10-31-2018, 12:12 PM   #7
sevendogsbsd
Member
 
Registered: Sep 2017
Location: Texas
Distribution: Not a distro: FreeBSD
Posts: 407

Rep: Reputation: Disabled
If you can log into your Google account, change the password immediately and implement 2 factor auth using the Google Authenticator app. As for your Linux computer, best you can do is as MensaWater suggested: run rkhunter and possibly an antivirus scanner to ensure it's OK.
 
Old 10-31-2018, 12:50 PM   #8
trafikpolisen
Member
 
Registered: Jun 2008
Posts: 83

Original Poster
Rep: Reputation: 1
I think I've now done what I can. I've changed my Google password again and enabled 2-step auth. And I've changed the password on the sites and services I can think about and will change the rest as soon as they come to mind.

I have scanned my computer with rkhunter, which complained about the following:
/usr/bin/lwp-request [ Warning ]

Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

I have scanned with clamav, which passed.

The positive side of all this is that I've now done a much needed overhaul of my security. I think of myself as a fairly security-aware person, but one tends to get lazy

I Googled the breach on the website I mentioned earlier and that was apparently over three years ago and according to that website the passwords were stored as hash sums. But that is the only obvious thing I can think about.

Btw, off topic and unrelated to this; is it possible to change user name/alias on this forum?

Last edited by trafikpolisen; 10-31-2018 at 02:05 PM.
 
Old 10-31-2018, 04:36 PM   #9
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.5
Posts: 2,006

Rep: Reputation: 626
Quote:
Originally Posted by trafikpolisen
Btw, off topic and unrelated to this; is it possible to change user name/alias on this forum?
See the FAQ https://www.linuxquestions.org/quest...usernamechange
 
Old 10-31-2018, 04:46 PM   #10
Mike25
Member
 
Registered: Feb 2003
Location: ON, Canada
Distribution: Fedora & RH3
Posts: 46
Blog Entries: 2

Rep: Reputation: 10
They are scams using passwords gotten from a system breach at some popular website several years ago. I spent hours studying it because several months ago I got a few of those emails.

I found this site very useful:
https://haveibeenpwned.com/

The passwords found are at least 5 years old. Some say possibly even 10 years, but if you have any old accounts with that password, it should be changed. They won't be trying to get in anyway because what they did was mass mailing of those warnings and some people do actually pay them. That's all they want.
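The two checks the thread keeps coming back to, whether a password is reused across sites and whether it has shown up in a breach, are what the audit feature of a password manager does and what haveibeenpwned.com's "Pwned Passwords" lookup offers. The script below is an added example, not code from the thread or from Have I Been Pwned. It sends only the first five hex characters of the SHA-1 hash (the k-anonymity range query the real API uses) and keeps the rest on the client; the HTTP request is replaced by a constructed sample response so it runs offline, and the vault contents and breach counts are made up for the demo.

```python
"""Password-reuse and breach-exposure audit (added example, not from the thread).

1. find_reused(): flag the same password used on several sites.
2. breach_count(): look a password up the way the Have I Been Pwned range API
   works: only the 5-char SHA-1 prefix leaves the machine, the client compares
   the remaining 35-char suffix against the returned list.

fetch_range() is an offline stand-in for
GET https://api.pwnedpasswords.com/range/<prefix>; replace it with a real
HTTP GET to use the script for real.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for the API response body for prefix "5BAA6":
# one "HASH_SUFFIX:COUNT" line per hash in that range. The suffix of
# SHA-1("password") is included; all counts here are made up for the demo.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000AB1CDEF0123456789ABCDEF012345678:2
FFFF1234567890ABCDEF1234567890ABCDEF:17
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint: returns the constructed sample
    for the one prefix we have data for and an empty body (no matches) otherwise."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str) -> int:
    """How many times the password appears in the (sample) breach corpus."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def find_reused(site_passwords: Dict[str, str]) -> Dict[str, List[str]]:
    """Group sites by password and return only the groups used on more than
    one site. Keyed by SHA-1 so no plaintext ends up in a report line."""
    groups = defaultdict(list)
    for site, pw in site_passwords.items():
        groups[hashlib.sha1(pw.encode("utf-8")).hexdigest()].append(site)
    return {h: sorted(sites) for h, sites in groups.items() if len(sites) > 1}


def audit(site_passwords: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {site: [findings]} for every site that has at least one finding."""
    findings = defaultdict(list)
    for sites in find_reused(site_passwords).values():
        for site in sites:
            findings[site].append("reused on %d sites" % len(sites))
    for site, pw in site_passwords.items():
        n = breach_count(pw)
        if n:
            findings[site].append("seen %d times in breach data" % n)
    return dict(findings)


if __name__ == "__main__":
    # Constructed vault contents for the demo.
    vault = {
        "forum.example": "password",
        "mail.example": "password",
        "bank.example": "correct horse battery staple",
    }
    for site, notes in audit(vault).items():
        print(site, "->", "; ".join(notes))
```

Two design points: the report is keyed by hash rather than plaintext so it can be logged or pasted without leaking the passwords themselves, and the range lookup never sends the full hash, so even the lookup service cannot tell which password in the range you were checking.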
 
Old 11-01-2018, 07:49 PM   #11
cantab
Member
 
Registered: Oct 2009
Location: England
Distribution: KDE Neon, Ubuntu, Debian.
Posts: 515

Rep: Reputation: 104
I got a couple of similar scams. One I think identical to yours, and another that had the sender address spoofed as my own in a further attempt to make it look like I'd been hacked.

For all sites I'd used the compromised password on, I changed the passwords to new unique ones I store in KeepassXC. Which took a good couple of hours - that should teach us not to reuse passwords!
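A forged From: header that matches the recipient's own address, as in the second scam cantab describes, is easy to tell apart from a genuinely self-sent message once you read the authentication results the receiving mail server recorded. The script below is an added example, not code from the thread: it parses the Authentication-Results header (SPF, DKIM, DMARC outcomes) from a constructed raw message and classifies a self-addressed mail as spoofed when that header is absent or shows failures. The hostnames, addresses and headers are constructed for the demo; the trusted authserv-id `mx.example.org` stands in for your own mail server's name.

```python
"""Sender-spoofing check for a scam e-mail (added example, not from the thread).

The MTA that accepts a message normally records SPF/DKIM/DMARC outcomes in an
Authentication-Results header (RFC 8601). A From: forged as the recipient's own
address will typically show spf=fail / dmarc=fail there, while a genuinely
self-sent mail passes. Only the header added by our own server is trusted,
because an attacker can insert a fake Authentication-Results header upstream.
"""
import email
from email import policy
from email.utils import parseaddr
from typing import Dict

# Constructed raw message: From: forged as the recipient's address, envelope
# sender on another domain, SPF and DMARC failing.
SAMPLE_SCAM = """\
Return-Path: <bounce@mailer.invalid>
Received: from mailer.invalid (mailer.invalid [192.0.2.10])
\tby mx.example.org with ESMTP id demo123; Thu, 1 Nov 2018 19:00:00 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=mailer.invalid;
\tdkim=none;
\tdmarc=fail header.from=example.org
From: victim@example.org
To: victim@example.org
Subject: Your account has been hacked

I have full access to your device. Pay within 48 hours.
"""

# Constructed genuinely self-sent message for comparison.
SAMPLE_LEGIT = """\
Return-Path: <victim@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org;
\tdkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: victim@example.org
To: victim@example.org
Subject: note to self

Buy milk.
"""


def parse_auth_results(raw: str, trusted_authserv: str = "mx.example.org") -> Dict[str, str]:
    """Return {method: result}, e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'},
    from the first Authentication-Results header whose authserv-id is our own
    server. Headers claiming another authserv-id are ignored; {} if none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    for header in msg.get_all("Authentication-Results", []):
        # Format: "authserv-id [version]; method=result [props]; method=result ..."
        clauses = [c.strip() for c in str(header).split(";")]
        authserv = clauses[0].split()
        if not authserv or authserv[0].lower() != trusted_authserv.lower():
            continue
        results = {}
        for clause in clauses[1:]:
            method, sep, rest = clause.partition("=")
            if sep and rest.split():
                results[method.strip().lower()] = rest.split()[0].lower()
        return results
    return {}


def from_is_self(raw: str) -> bool:
    """True when the From: address equals the To: address (self-addressed mail)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    return bool(sender) and sender == recipient


def classify(raw: str) -> str:
    """'other' if From: is not the recipient's own address;
    'authenticated' if self-addressed and DMARC (or both SPF and DKIM) passed;
    'spoofed-self' otherwise, including when no trusted results exist."""
    if not from_is_self(raw):
        return "other"
    ar = parse_auth_results(raw)
    if ar.get("dmarc") == "pass" or (ar.get("spf") == "pass" and ar.get("dkim") == "pass"):
        return "authenticated"
    return "spoofed-self"


if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, parse_auth_results(sample), "->", classify(sample))
```

The classifier errs toward "spoofed-self" when authentication data is missing, which is the safe default for a message that claims to come from you; a mail client's "show original" or "view source" exposes the same headers this script reads.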
 
Old 11-02-2018, 04:29 AM   #12
trafikpolisen
Member
 
Registered: Jun 2008
Posts: 83

Original Poster
Rep: Reputation: 1
Thanks for all the helpful answers and insights! As mentioned, this has really highlighted the problem with reusing passwords. Wasn't easy to figure out new good passwords for every site and service though.. It's hard to memorize completely random passwords.
 
Old 11-02-2018, 06:51 AM   #13
l0f4r0
Member
 
Registered: Jul 2018
Location: Paris
Distribution: MacOS, Slackware
Posts: 315

Rep: Reputation: 94
Quote:
Originally Posted by trafikpolisen
It's hard to memorize completely random passwords.
You shouldn't have to (otherwise they would not be good passwords because it would mean that they are not complicated enough...or you have awesome skills ahahah).
There are password managers for that task, you can have a look at:
There are others of course but I'm really satisfied with KeepassXC (I used KeepassX before - see https://www.keepassx.org/ - but it's not actively maintained anymore)...
 
Old 11-02-2018, 10:34 AM   #14
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,517
Blog Entries: 15

Rep: Reputation: 1470
Or you could use something like IronKey encrypted flash drives so you have your passwords all the time. They work on both Linux and Windows. My company provides them to admins.

For personal stuff I've created a BitLocker encrypted thumb drive which has gvim installed and I use gvim encryption for the actual password file (i.e. 2 different layers of encryption). In the event it is out of my possession for any length of time I immediately use a backup to begin changing all my passwords. Theoretically breaking both levels of encryption shouldn't occur but nothing is impossible. It does, however, tend to delay things, giving me time to change the passwords. I've only had to do that once when Canadian border security got hold of my encrypted file. I don't know if they even realized it was there on the laptop they scanned but didn't wait to find out - I changed passwords just on the possibility. Nowadays I do not keep this encrypted file on my laptop and don't carry thumb drives across borders.
 
Old 11-02-2018, 10:49 AM   #15
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Yawnstown, Ohio
Distribution: Mojave
Posts: 9,345
Blog Entries: 36

Rep: Reputation: Disabled
https://www.freep.com/story/money/pe...cam/887722002/

IronKey or Google Titan can help.
 