
First of the ncix leaked info scam letters going out?

leaderdog

I think I had a last.fm account on an old blackberry... but none of my e-mails seem to have an account there... would it be possible I got the account automatically set up under my bbid and that shared my e-mail?


2 minutes ago, DaMonkey said:

As you said, doesn't prove it's last.FM, probably not just one breached site, as said before yahoo mail, steam and NCIX all hacked, just that lot would keep them busy for a while...  but I don't have NCIX account, so one of the others gets my vote from the UK side of the pond...

 

 

They're probably working from many databases at the same time, so some people will have differing views on the ultimate source of the leaked data, and correctly so if this is the case. I can say for certain though, that after going through every single signup User Password that I keep records of (since about 2004), the only time I've used that password is on last.fm, so I'm convinced that's where my own data was leaked. I doubt they used any address data to correlate between sources, as I almost without fail use false address and personal data.


I find these scams quite interesting, clever really, hell if only 1000 people respond with $700 that's a good day's scamming lol.

 

I have to say for my money Big Red's conclusion that last.fm was the source of his data breach details I have to agree that that's where my bet goes for mine as well at the moment.

 

I work for a telecoms company in the UK and we were all alerted to this particular scam back last month, so was surprised when it finally hit my inbox lol.

 

Not much on the web about it, but here's another link from 9th August 2018 :   https://www.ghacks.net/2018/08/09/the-your-password-email-extortion-scam/


I just received a frantic call from a hosting client who received this email.  We're in the US and host with SiteGround.


Received the same email this morning also, with an old, valid password.

 

I do have a lastfm account (never even heard of NCIX) so updated lastfm. I doubt the email they used was the same I used for my lastfm account though, so...


I also received the same email twice, about 12 hours apart. It had an old password.

 

I don't have a lastfm or NCIX account, but according to "Have I Been Pwned" my Adobe, LinkedIn and MySpace accounts were compromised, and my credentials were uploaded to Kayo.moe

 

 


Thanks, also checked "Have I Been Pwned" and seems it could well have been my old myspace or adobe account...


Got the exact same email 2 hours ago. Never heard of NCIX until I googled this and landed here. I did use last.fm several years ago. The password they got is one I’ve used for over 20 years in several places...but it is not the one I use for my email. I’m changing that password on every site I use it on now and will never go back to it. Quite honestly, it used to be my only password and I’ve used that in many places, so they could have found it in several places, but I definitely used it on last.fm. 


8 hours ago, leaderdog said:

Which means there is a legitimate issue, if you used the same password for other accounts.   It's just a matter of testing out a few sites like amazon, newegg or memoryexpress etc.

Yes, if you have the same password on multiple sites, it only takes one leaking to potentially compromise you on everything.  That is why you should have a unique password for everything.

5 hours ago, Big Reg said:

Question is though, if the password they said was my email password was incorrect, how did they manage to send me an email from my email address?

They didn't, they just made it look like that.  The ability to do fakes like this has existed for ages.


Any newbies that are coming into the forum while searching about this info there is a site you can check

 

https://haveibeenpwned.com/

 

It has some very powerful tools you can use to see if your data has ever been breached and what site it was taken from ;) 


I received this email this morning. The password was one I had used on AA.com for my frequent flyer account.

I route mail for email address used from my server to a gmail account for spam checking purposes.

The email headers show it was received by gmail from my server but originated from 46.12.93.244.dsl.dyn.forthnet.gr.

My server logs show the login from 46.12.93.244 and the email being forwarded to gmail.

The password quoted in the email would not have allowed them into the account, so as another asked, how did they get into my server to send the email? They presumably had my genuine password as well. Which I've now changed of course. Is there a way to search my logs to find the password that was used to access my account?

My server runs Ubuntu 16.04.

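An added example for the log question in the post above (not code from the thread): it lists which account, if any, authenticated from each client IP in a mail log, separately from mail accepted without a login and from failed attempts. It assumes Postfix smtpd log lines, which record the SASL method and username but not the password; the sample lines, account and queue IDs are constructed, and only the IP 46.12.93.244 comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd syslog format (assumption: the server
# runs Postfix, normally logging to /var/log/mail.log on Ubuntu). Only the IP
# 46.12.93.244 comes from the post; users and queue IDs are made up.
SAMPLE_LOG = """\
Sep 25 08:01:12 mx postfix/smtpd[2101]: connect from unknown[46.12.93.244]
Sep 25 08:01:13 mx postfix/smtpd[2101]: 3F2A1C0: client=unknown[46.12.93.244], sasl_method=LOGIN, sasl_username=alice@example.org
Sep 25 08:01:14 mx postfix/smtpd[2101]: disconnect from unknown[46.12.93.244]
Sep 25 09:15:40 mx postfix/smtpd[2188]: 7B9D2E1: client=home.example.net[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.org
Sep 25 09:20:02 mx postfix/smtpd[2190]: 9C01A77: client=unknown[203.0.113.50]
Sep 25 09:31:55 mx postfix/smtpd[2195]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

# "<queue id>: client=host[ip]" with optional SASL fields when a login occurred.
CLIENT_RE = re.compile(
    r"postfix/[\w/]+\[\d+\]: (?P<qid>\w+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+))?")
FAIL_RE = re.compile(
    r"warning: [^\[]+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")

def classify_submissions(log_text):
    """Split accepted messages into authenticated and unauthenticated ones,
    and count failed SASL attempts per client IP."""
    authed = defaultdict(list)   # ip -> [(queue_id, sasl_username)]
    unauth = []                  # [(queue_id, ip)] accepted with no login
    failed = defaultdict(int)    # ip -> number of failed logins
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            if m["user"]:
                authed[m["ip"]].append((m["qid"], m["user"]))
            else:
                unauth.append((m["qid"], m["ip"]))
            continue
        m = FAIL_RE.search(line)
        if m:
            failed[m["ip"]] += 1
    return dict(authed), unauth, dict(failed)

def suspicious_logins(log_text, trusted_ips):
    """Authenticated sessions from addresses the owner does not recognise."""
    authed, _, _ = classify_submissions(log_text)
    return {ip: v for ip, v in authed.items() if ip not in trusted_ips}

if __name__ == "__main__":
    print(suspicious_logins(SAMPLE_LOG, {"198.51.100.7"}))
```

A message with a `client=` line but no `sasl_username` was accepted without any login, which is how ordinary inbound mail arrives regardless of what its From line claims.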

I got one of these; below is the header and the message, with my actual email changed to myemail@mydomain.com and the To alias changed to "what they think my password is". It looks like mine is maybe from Colombia. It looks like this came through an educational institution: nat219.udea.edu.co. Should I report it to them or to spam@quarantine3.antispamcloud.com, or just drop it?  I have changed all my even slightly important passwords.

 

Thanks in advance for any suggestions.  

 

Here is the Header:

 

Return-Path: <myemail@mydomain.com>
Delivered-To: myemail@mydomain.com
Received: from host239.hostmonster.com
                by host239.hostmonster.com with LMTP id SGMIBkxaqlubBw4Auqx/PQ
                for <myemail@mydomain.com>; Tue, 25 Sep 2018 09:54:52 -0600
Return-path: <myemail@mydomain.com>
Envelope-to: <myemail@mydomain.com>
Delivery-date: Tue, 25 Sep 2018 09:54:52 -0600
Received: from mx57.antispamcloud.com ([5.79.86.41]:56198)
                by host239.hostmonster.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
                (Exim 4.91)
                (envelope-from <myemail@mydomain.com>)
                id 1g4pfn-003ue7-7f
                for <myemail@mydomain.com>; Tue, 25 Sep 2018 09:54:52 -0600
Received: from nat219.udea.edu.co ([200.24.16.219])
                by mx57.antispamcloud.com with esmtp (Exim 4.89)
                (envelope-from <myemail@mydomain.com>)
                id 1g4pfY-0007dl-Mx
                for myemail@mydomain.com; Tue, 25 Sep 2018 17:54:39 +0200
Message-ID: <003901d454be$0174c812$32306694@ebimsar>
From: <myemail@mydomain.com>
To: "what they said was my password but is not" <myemail@mydomain.com>
Subject: Your Account Was Hacked!
Date: 25 Sep 2018 04:36:54 -0600
MIME-Version: 1.0
Content-Type: text/plain;
                charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-AntiSpamCloud-Class: unsure
X-AntiSpamCloud-Evidence: Combined (0.89)
X-Recommended-Action: accept


X-Report-Abuse-To: spam@quarantine3.antispamcloud.com

 

Here is the message:

 

Hello!

I'm a member of an international hacker group.

 

As you could probably have guessed, your account myemail@mydomain.com was hacked, I sent message you from it.

 

Now I have access to you accounts! You still do not believe it?

So, this is your password: what they said was my password but is not , right?

 

Within a period from July 5, 2018 to September 21, 2018, you were infected by the virus we've created, through an adult website you've visited.

So far, we have access to your messages, social media accounts, and messengers.

Moreover, we've gotten full damps of these data.

 

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

 

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!

I think you are not interested show this video to your friends, relatives, and your intimate one...

 

Transfer $700 to our Bitcoin wallet: 1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y

I guarantee that after that, we'll erase all your "data" :D

 

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

 

Your data will be erased once the money are transferred.

If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

 

You should always think about your security. We hope this case will teach you to keep secrets.

Take care of yourself.

 

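An added example (not part of the original post) that reads the header posted above: it walks the Received chain to the point where the message entered servers the recipient trusts, and checks whether that session was authenticated. Treating hostmonster.com and antispamcloud.com as the trusted relays is an assumption drawn from the header; the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header fields copied from the post above (already anonymised by its author).
RAW = """\
Received: from mx57.antispamcloud.com ([5.79.86.41]:56198)
\tby host239.hostmonster.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
\t(Exim 4.91)
\t(envelope-from <myemail@mydomain.com>)
\tid 1g4pfn-003ue7-7f
\tfor <myemail@mydomain.com>; Tue, 25 Sep 2018 09:54:52 -0600
Received: from nat219.udea.edu.co ([200.24.16.219])
\tby mx57.antispamcloud.com with esmtp (Exim 4.89)
\t(envelope-from <myemail@mydomain.com>)
\tid 1g4pfY-0007dl-Mx
\tfor myemail@mydomain.com; Tue, 25 Sep 2018 17:54:39 +0200
From: <myemail@mydomain.com>
To: "what they said was my password but is not" <myemail@mydomain.com>
Subject: Your Account Was Hacked!

"""

HOP_RE = re.compile(
    r"from (\S+) \(\[([0-9A-Fa-f.:]+)\](?::\d+)?\) by (\S+) with (\w+)")

def received_hops(msg):
    """Received headers, newest first (each relay prepends its own line)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # undo header folding
        if m:
            hops.append(dict(zip(("from", "ip", "by", "proto"), m.groups())))
    return hops

def entry_hop(msg, trusted):
    """First hop, newest to oldest, where a trusted server logged an outside
    sender. Lines below it were written by the sender and may be forged."""
    for hop in received_hops(msg):
        if hop["by"].endswith(trusted) and not hop["from"].endswith(trusted):
            return hop
    return None

def spoof_report(raw, trusted):
    msg = message_from_string(raw)
    sender = parseaddr(msg["From"])[1].lower()
    rcpt = parseaddr(msg["To"])[1].lower()
    hop = entry_hop(msg, trusted)
    # Exim marks authenticated SMTP sessions as "esmtpa"/"esmtpsa".
    authed = bool(hop) and hop["proto"].endswith("a")
    return {"entry_host": hop and hop["from"], "entry_ip": hop and hop["ip"],
            "from_equals_to": sender == rcpt, "authenticated": authed,
            # Self-addressed, came from outside, no login: From was forged.
            "forged_sender": sender == rcpt and bool(hop) and not authed}

REPORT = spoof_report(RAW, ("hostmonster.com", "antispamcloud.com"))
```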

Received same message twice. Once with email/password pair from livejournal.com, and once from swinglifestyle.com.  So really they don't know the half of my secrets. :-) Fortunately, I use a different password for every site. 

 

Clearly they've hoovered up a lot of data and want to scare some folks before the word gets around that it's nonsense.  They didn't even bother to change passwords and lock me out of these unused accounts.   


2 minutes ago, Isotopeblue said:

Received same message twice. Once with email/password pair from livejournal.com, and once from swinglifestyle.com.  So really they don't know the half of my secrets. :-) Fortunately, I use a different password for every site. 

 

Clearly they've hoovered up a lot of data and want to scare some folks before the word gets around that it's nonsense.  They didn't even bother to change passwords and lock me out of these unused accounts.   

Yeah it is clear to me that they had some info, but it really was not quite right.  But I think a lot of people would fall for this. Sounds like you have a fun life...:)  Your webcam would be way more interesting than mine.. I am sure. Sounds like fun.  Take care man.


You can also use https://monitor.firefox.com/ instead of using "Have I Been Pwned" directly.  Firefox is working with HIBP, and Monitor sends a prefix of an SHA-1 hash of your email to HIBP.  So HIBP never gets the email address directly, in case you have concerns with that. 

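The hash-prefix lookup described in the post above, as an added example that is not Firefox Monitor's or HIBP's code: the client hashes the address, sends only the first few hex characters, and matches the returned suffixes locally. The `BreachService` stand-in, the 6-character prefix length and the sample addresses are assumptions constructed for illustration; no network call is made.

```python
import hashlib

PREFIX_LEN = 6  # hex characters sent to the service (assumed value)

def sha1_hex(email):
    """SHA-1 of the normalised address, as 40 upper-case hex characters."""
    return hashlib.sha1(email.strip().lower().encode("utf-8")).hexdigest().upper()

class BreachService:
    """Stand-in for the remote breach database (constructed data)."""

    def __init__(self, breached):
        # The service indexes full hashes of breached addresses.
        self._index = {sha1_hex(addr): names for addr, names in breached.items()}
        self.seen_queries = []  # everything the service ever learns from clients

    def range_query(self, prefix):
        """Return {hash suffix: breach names} for every hash with this prefix."""
        self.seen_queries.append(prefix)
        return {h[len(prefix):]: names
                for h, names in self._index.items() if h.startswith(prefix)}

def check_email(email, service):
    """Client side: only the prefix leaves the machine, matching is local."""
    digest = sha1_hex(email)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    candidates = service.range_query(prefix)
    return candidates.get(suffix, [])

# Constructed sample data; the breach names are ones mentioned in this thread.
SERVICE = BreachService({
    "alice@example.com": ["Adobe", "MySpace"],
    "bob@example.org": ["LinkedIn"],
})

if __name__ == "__main__":
    print(check_email("Alice@Example.com", SERVICE))   # breached address
    print(check_email("nobody@example.net", SERVICE))  # not in the data set
    print(SERVICE.seen_queries)                        # prefixes only
```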

Received this email too, with a password I use but not for the email. I've changed all my passwords that were using this one.

So far, since yesterday, this Bitcoin address has received 5 transactions, 0.35 bitcoins (almost 2000€ / $2300) https://www.blockchain.com/btc/address/1DzM9y4fRgWqpZZCsvf5Rx4HupbE5Q5r4y. Let's hope that they won't get more money from weak people...


Hi,

 

Received same mail today! I'm from France and I don't use the ncix.com website.

The password is a very old one. To find on which site it has been hacked, here are the ones I used with the password displayed in the mail:

 

dji.com

ebay.de

getmailbird.com

globe-flight.de

googleusercontent.com

healthydrones.com

hobbyking.com

innovatrics.com

irobot.com

live.com

mailwizz.com

milanoo.com

netflix.com

purnimadigital.com

strato.com

sunprices.com

tomtom.com
vivastreet.com

 

If we can cross data, perhaps we can find the website which has been hacked. Except if there are several websites...

 


I sent message you from it.
Now I have access to you accounts!

man these indian scammers are so easy to detect

I got a similar spam message yesterday and it also said this:

all your messages and videos recorded will be automatically sent to all your contacts found on your devices

 

good luck finding any of that on my 'devices' lmao

unless they can hack a fucking paper address book I can hardly believe this

 

never used NCIX if it was a service so I'm thinking they're just sending this stuff to every possible address


21 hours ago, Texconsin said:

Come to think of it, it could be the guy next door using Nordvpn!

Sponsored by NordVPN: When you want to exploit your neighbor but you don't want them knowing you're next door, NordVPN.


 

Quote

Moreover, we've gotten full damps of these data.

Wait, is this for NCIX the tech store or NCIX the porn website?


the email sounds like something from r/masterhacker on reddit


21 hours ago, qedyyc said:

Among many reasons, the biggest flag here is they don't provide any way to confirm who sent the payment... I am assuming the wallet is not unique per transaction... so how can they confirm who sent the payment to "delete the data".

Very good point.   
I got that same letter today from Lebanon IP, was able to get to a person named Samara.  Password was correct but very old, used for purchase sites I don't even use any more.
My IT guy told me it is an old trick and in their firm they cover all computers cameras with adhesive tape.


"All your secret are belong to us"


 

⠀⠀⠀⣴⣴⡤
⠀⣠⠀⢿⠇⡇⠀⠀⠀⠀⠀⠀⠀⢰⢷⡗
⠀⢶⢽⠿⣗⠀⠀⠀⠀⠀⠀⠀⠀⣼⡧⠂⠀⠀⣼⣷⡆
⠀⠀⣾⢶⠐⣱⠀⠀⠀⠀⠀⣤⣜⣻⣧⣲⣦⠤⣧⣿⠶
⠀⢀⣿⣿⣇⠀⠀⠀⠀⠀⠀⠛⠿⣿⣿⣷⣤⣄⡹⣿⣷
⠀⢸⣿⢸⣿⠀⠀⠀⠀⠀⠀⠀⠀⠈⠙⢿⣿⣿⣿⣿⣿
⠀⠿⠃⠈⠿⠆⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠹⠿⠿⠿

⠀⢀⢀⡀⠀⢀⣤⠀⠀⠀⠀⠀⠀⠀⡀⡀
⠀⣿⡟⡇⠀⠭⡋⠅⠀⠀⠀⠀⠀⢰⣟⢿
⠀⣹⡌⠀⠀⣨⣾⣷⣄⠀⠀⠀⠀⢈⠔⠌
⠰⣷⣿⡀⢐⢿⣿⣿⢻⠀⠀⠀⢠⣿⡿⡤⣴⠄⢀⣀⡀
⠘⣿⣿⠂⠈⢸⣿⣿⣸⠀⠀⠀⢘⣿⣿⣀⡠⣠⣺⣿⣷
⠀⣿⣿⡆⠀⢸⣿⣿⣾⡇⠀⣿⣿⣿⣿⣿⣗⣻⡻⠿⠁
⠀⣿⣿⡇⠀⢸⣿⣿⡇⠀⠀⠉⠉⠉⠉⠉⠉⠁

 


On 9/25/2018 at 9:56 AM, leaderdog said:

We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

 

On 9/25/2018 at 9:56 AM, leaderdog said:

But the key thing is that sometimes we recorded you with your webcam

This is really stupid, if someone doesn't have a webcam, or covers it up (pretty sure this would be almost everyone buying something from a tech shop) then obviously it would be recognized as a scam immediately (if you couldn't already tell)
