The first time I received a variation on this particular scam was almost a year ago, and it arrived at the throwaway email address I used with Equifax. I remember laughing at the poor grammar and misspellings in it. Email scams like this one have proven to me that no company can be trusted with my real email address.
This is the latest example I received…
From - Sun Apr 7 19:47:39 2019
Return-Path: <email@example.com>
Received: from <redacted>.hostgator.com by <redacted>.hostgator.com with LMTP id IB8yNJqLqlwirgYAUifmtw for <<redacted>@fsicom.net>; Sun, 07 Apr 2019 18:45:30 -0500
Delivery-date: Sun, 07 Apr 2019 18:45:30 -0500
Received: from host-149-154-239-132.dynamic.voo.be ([220.127.116.11]:6976) by <redacted>.hostgator.com with esmtp (Exim 4.91) (envelope-from <firstname.lastname@example.org>) id 1hDHTd-001qAl-DL for email@example.com; Sun, 07 Apr 2019 18:45:30 -0500
Date: 8 Apr 2019 02:06:20 +0100
X-Priority: 3
Message-ID: <firstname.lastname@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="cp-850"
X-Spam-Status: Yes, score=24.6
X-Spam-Report: Spam detection software, running on the system "<redacted>.hostgator.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details.
Content preview: Hello! I hacked your device, because I sent you this message from your account. If you have already changed your password, my malware will be intercepts it every time. You may not know me, and you are
Content analysis details: (24.6 points, 10.0 required)
Subject: [SPAM] Your account has been hacked! You need to unlock.
Hello! I hacked your device, because I sent you this message from your account. If you have already changed your password, my malware will be intercepts it every time. You may not know me, and you are most likely wondering why you are receiving this email, right? In fact, I posted a malicious program on adults (pornography) of some websites, and you know that you visited these websites to enjoy (you know what I mean). While you were watching video clips, my trojan started working as a RDP (remote desktop) with a keylogger that gave me access to your screen as well as a webcam. Immediately after this, my program gathered all your contacts from messenger, social networks, and also by e-mail. What I’ve done? I made a double screen video. The first part shows the video you watched (you have good taste, yes … but strange for me and other normal people), and the second part shows the recording of your webcam. What should you do? Well, I think $749 (USD dollars) is a fair price for our little secret. You will make a bitcoin payment (if you don’t know, look for “how to buy bitcoins” on Google). BTC Address: 1NcghPivgy9n5YkU4ferwBf9wmkNJHzUhm (This is CASE sensitive, please copy and paste it) Remarks: You have 2 days (48 hours) to pay. (I have a special code, and at the moment I know that you have read this email). If I don’t get bitcoins, I will send your video to all your contacts, including family members, colleagues, etc. However, if I am paid, I will immediately destroy the video, and my trojan will be destruct someself. If you want to get proof, answer “Yes!” and resend this letter to youself. And I will definitely send your video to your any 12 contacts. This is a non-negotiable offer, so please do not waste my personal and other people’s time by replying to this email. Bye!
Now, there is much to learn from this email. For example, I know they didn't hack an email account, for two reasons. First, email@example.com is not an email account. It is an alias forwarded to an email account, a throwaway acting as a honeypot to detect a compromise of my information. Second, the server the scammer used to send the email is host-149-154-239-132.dynamic.voo.be, which is not a server hosting any of my domains or email accounts.
But the most important lesson is that the information I entrusted to AT&T/Directv has been compromised, because the only place firstname.lastname@example.org has ever been given as an email address is directv.com. Had I given them my real email address instead of a throwaway, I wouldn't have any clue as to who had leaked my information.
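The two observations above amount to a check that can be automated. As an added example (not code from the original post), the script below parses headers modelled on the ones quoted above, finds the outside host that actually handed the message to the first relay I control, and maps the receiving alias back to the company it was given to. The list of my own relays, the alias register and the relay hostname "redacted-relay.hostgator.com" (standing in for the redacted name) are assumptions.

```python
import email
import re

# Constructed sample built from the headers quoted above (hostnames and ids are
# the page's own; "redacted-relay.hostgator.com" stands in for the redacted relay).
SAMPLE = """Return-Path: <firstname.lastname@example.org>
Received: from redacted-relay.hostgator.com by redacted-relay.hostgator.com with LMTP id IB8yNJqLqlwirgYAUifmtw for <mailbox@fsicom.net>; Sun, 07 Apr 2019 18:45:30 -0500
Received: from host-149-154-239-132.dynamic.voo.be ([220.127.116.11]:6976) by redacted-relay.hostgator.com with esmtp (Exim 4.91) (envelope-from <firstname.lastname@example.org>) id 1hDHTd-001qAl-DL for email@example.com; Sun, 07 Apr 2019 18:45:30 -0500
Subject: Your account has been hacked! You need to unlock.
"""

# Assumed for the example: the relays we control, and the register of which
# company each throwaway alias was handed to (the honeypot scheme in the post).
OWN_MAIL_HOSTS = {"hostgator.com", "fsicom.net"}
ALIASES = {"email@example.com": "directv.com"}
RECEIVED_RE = re.compile(r"^from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)
FOR_RE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.I)

def is_own_host(host, own=OWN_MAIL_HOSTS):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in own)

def origin_host(msg, own=OWN_MAIL_HOSTS):
    """'from' of the deepest Received header stamped *by* a relay we control;
    anything below that was written by the sender and is not trusted."""
    host = None
    for line in msg.get_all("Received") or []:
        m = RECEIVED_RE.match(line.strip())
        if not m or not is_own_host(m.group(2), own):
            break
        host = m.group(1)
    return host

def recipient_aliases(msg):
    """Addresses our relays accepted the message 'for' (the alias, then the mailbox)."""
    found = set()
    for line in msg.get_all("Received") or []:
        m = FOR_RE.search(line)
        if m:
            found.add(m.group(1).lower())
    return found

def leaking_companies(msg, aliases=ALIASES):
    """Companies whose throwaway alias this message reached."""
    return sorted({aliases[a] for a in recipient_aliases(msg) if a in aliases})

def analyze(raw):
    msg = email.message_from_string(raw)
    host = origin_host(msg)
    return {"origin_host": host,
            "sent_from_own_server": bool(host) and is_own_host(host),
            "leaked_by": leaking_companies(msg)}
```

For the quoted message, `analyze(SAMPLE)` reports the voo.be host as the origin, flags it as not one of my servers, and names directv.com as the company whose alias was hit.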
So, it was time to give AT&T/Directv another throwaway address, change the password, remove the credit cards on file with them, and notify the credit card company that the card has probably been compromised. When I changed the email address, I received this confirmation email from AT&T that made me laugh.
Looks like you updated the contact email associated with your AT&T user ID email@example.com
We’re serious about your security. So if you didn’t make any changes to your account and think you got this message by mistake, call us at 877.285.1205.
Thanks for choosing us,
Ironic, since I had to change it because AT&T/Directv weren't serious enough about security to prevent my email address from falling into the hands of a scammer.
Oh, and they only sent it to the new email address, not to the old one. That would be completely useless if I hadn't been the one to change the email address on my account.