
First of the ncix leaked info scam letters going out?

leaderdog
On 9/26/2018 at 12:14 AM, Plstudio said:

advice? 

Use 2-factor authentication.

Rest In Peace my old signature...                  September 11th 2018 ~ December 26th 2018


This reminds me of that Black Mirror episode where they made him rob either a store or a bank otherwise they would release the "footage"

The only reason I'm here is that I have homework that I don't want to do

 

PC Specs: CPU: Intel Celeron N3060 | GPU: Intel HD Graphics 400 | RAM: 2 gigs | STORAGE: 16 gigs

 

 

It took me half an hour to find where to change my signature :(


I got exactly the same email* last week, and it also hit the news in my country in the meantime. They might have bought the NCIX data, but there was definitely no virus involved and no webcam, so feel free to ignore and delete it just like any other such nonsense - but it cannot hurt to change the password on your important accounts from time to time ;)

*It was a different version with no mention of NCIX (I've never used it, I'm from the EU), instead it claimed they have hacked my regular email service with the header showing my address as both sender and receiver (like that's difficult to forge...).
Mine was also written in German, so I used that opportunity to check on the progress of Google Translator's machine learning - Boy was I pleasantly surprised. It spit out better English than your version of the mail =)

 

[attached image: bm.jpg]


On 25. 9. 2018 at 6:55 PM, BuckGup said:

Report the bitcoin address to the authorities. If they aren't cleaning their bitcoins you can technically track them

You can track the bitcoins, that's the point of blockchain.
You can't track their owner, that's the point of Bitcoin.
Unless they are stupid enough to exchange them for $ in an ATM or something.


I received exactly the same email from myself this morning, seems like although it was sent from my own email address, the server displayed a warning sign saying the sender cannot be verified as being from my actual email domain. I don't see any weird login activities over the past few days either. So it feels more like the hackers are using some tricks to fool the email domain server without actually logging in to my email account.

 

Can anyone help explain how this is possible from a technical perspective? I study computer science but not very familiar with this topic. Very curious!!! :ph34r:


1 minute ago, HackedYeah said:

I received exactly the same email from myself this morning, seems like although it was sent from my own email address, the server displayed a warning sign saying the sender cannot be verified as being from my actual email domain. I don't see any weird login activities over the past few days either. So it feels more like the hackers are using some tricks to fool the email domain server without actually logging in to my email account.

 

Can anyone help explain how this is possible from a technical perspective? I study computer science but not very familiar with this topic. Very curious!!! :ph34r:

 

They basically forge the headers in the email. Use your email client to open the raw email and you can see how easily one can just type in whatever IP addresses and domains. The email server which accepts the email generally inspects the IP and domains that the “connected client” is claiming it’s from but this inspection isn't perfect. The remainder of the header before the “connected client” can’t easily be checked for validity. This is how spamming works. Essentially the client lies about where the email came from by using a bunch of fake routes. One mechanism people have been using to try to prevent this is to include a DKIM signature within the header which ensures that all routes are valid, but not every ISP uses them so servers are usually set up to just warn the user when a hash doesn’t match or if the email is missing a hash. 
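The point above, that only the hop stamped by your own server is trustworthy and that a self-addressed From: means nothing without a passing SPF or DKIM result, can be checked mechanically. The script below is an added example for this thread, not code from any poster: it reads a constructed raw message (RFC 5737 documentation addresses, example.* domains, an assumed server name in OUR_MX), picks the Received: line written by our own MX to find the IP that actually connected, and reads the spf/dkim/dmarc verdicts our server recorded in Authentication-Results. The lower Received: hop in the sample claims the mail started at our own server, exactly the kind of fake route described above.

```python
"""Read the hop chain and authentication results out of a raw email.

Added example, not from the forum thread. The only Received: line worth
trusting is the one written by the server you operate; every line below it
was supplied by the connecting client and may be fabricated. The message
and hostnames are constructed (RFC 5737 documentation addresses, example.*
domains); OUR_MX is an assumed name for the receiving server.
"""
import email
import email.utils
import re

# Constructed sample: From: and To: are the same mailbox, the lower
# Received: hop claims the message originated at our own MX, and the
# Authentication-Results header says SPF/DKIM/DMARC all failed.
RAW_MESSAGE = b"""\
Received: from mail-relay.example.org (mail-relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTPS id abc123
\tfor <victim@example.net>; Wed, 26 Sep 2018 08:00:00 +0000
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby mail-relay.example.org with ESMTP; Wed, 26 Sep 2018 07:59:58 +0000
Authentication-Results: mx.example.net;
\tspf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.net;
\tdkim=none header.d=example.net;
\tdmarc=fail action=quarantine header.from=example.net
From: victim@example.net
To: victim@example.net
Subject: Your account was hacked

Pay now.
"""

OUR_MX = "mx.example.net"  # assumed: the MX we operate, hence the one we trust
BRACKETED_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def received_hops(raw):
    """Received: headers in header order: our server first, claimed origin last."""
    msg = email.message_from_bytes(raw)
    return msg.get_all("Received", [])


def connecting_client(raw, our_mx=OUR_MX):
    """IP of the client that handed the message to our MX, or None.

    Scanning top-down matters: a forged lower hop may also say "by our_mx",
    but the first hop carrying our name is the one our server wrote itself.
    """
    for hop in received_hops(raw):
        if re.search(r"\bby\s+" + re.escape(our_mx) + r"\b", hop, re.IGNORECASE):
            from_clause = re.split(r"\s+by\s+", hop, maxsplit=1)[0]
            match = BRACKETED_IP.search(from_clause)
            return match.group(1) if match else None
    return None


def auth_results(raw):
    """spf/dkim/dmarc verdicts recorded by our MX in Authentication-Results."""
    msg = email.message_from_bytes(raw)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            verdicts[method] = result
    return verdicts


def assess(raw, our_mx=OUR_MX):
    """Decide whether a self-addressed message was really sent by its owner."""
    msg = email.message_from_bytes(raw)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    recipient = email.utils.parseaddr(msg.get("To", ""))[1].lower()
    verdicts = auth_results(raw)
    authenticated = verdicts.get("dkim") == "pass" or verdicts.get("spf") == "pass"
    if sender == recipient and not authenticated:
        verdict = "forged-sender"  # header From: is free text; nothing vouches for it
    elif authenticated:
        verdict = "authenticated"
    else:
        verdict = "unverified"
    return {
        "verdict": verdict,
        "from": sender,
        "connecting_ip": connecting_client(raw, our_mx),
        "auth": verdicts,
        "hops": len(received_hops(raw)),
    }


if __name__ == "__main__":
    for key, value in assess(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

On the sample this reports the connecting IP as 198.51.100.7 (the relay, not the 203.0.113.5 the forged hop advertises) and a "forged-sender" verdict. A production check would additionally require DMARC alignment, i.e. that the passing SPF or DKIM identifier matches the From: domain, which this example does not model.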


29 minutes ago, N0TIC said:

 

They basically forge the headers in the email. Use your email client to open the raw email and you can see how easily one can just type in whatever IP addresses and domains. The email server which accepts the email generally inspects the IP and domains that the “connected client” is claiming it’s from but this inspection isn't perfect. The remainder of the header before the “connected client” can’t easily be checked for validity. This is how spamming works. Essentially the client lies about where the email came from by using a bunch of fake routes. One mechanism people have been using to try to prevent this is to include a DKIM signature within the header which ensures that all routes are valid, but not every ISP uses them so servers are usually set up to just warn the user when a hash doesn’t match or if the email is missing a hash. 

Thanks man! xD How can I track the actual person who sent this from the origin scripts? I can see his X-Google-Smtp-Source, ARC-Seal, ARC-Message-Signature and his actual IP, is this info useful to hunt them down? Besides, the sender IP was:

177.67.95.130 (Brazil, Maranhao, Grajau)

 

Hope this is not real tho per your explanations cause I used to love the Brazilian people!! :(


11 hours ago, Magus said:

I wouldn't care if they had my "secrets" anyway. These kinds of threats really assume a person still has the capacity to feel shame. How I pity the fools...

 

Seriously if someone in my family wants to watch me joe to midgets then so be it - want to ask me about it?  I'll gladly teach you my Google-Fu in the form of pr0n searches.  It's an art form, not necessarily a style. lol

Workstation Laptop: Dell Precision 7540, Xeon E-2276M, 32gb DDR4, Quadro T2000 GPU, 4k display

Wife's Rig: ASRock B550m Riptide, Ryzen 5 5600X, Sapphire Nitro+ RX 6700 XT, 16gb (2x8) 3600mhz V-Color Skywalker RAM, ARESGAME AGS 850w PSU, 1tb WD Black SN750, 500gb Crucial m.2, DIYPC MA01-G case

My Rig: ASRock B450m Pro4, Ryzen 5 3600, ARESGAME River 5 CPU cooler, EVGA RTX 2060 KO, 16gb (2x8) 3600mhz TeamGroup T-Force RAM, ARESGAME AGV750w PSU, 1tb WD Black SN750 NVMe Win 10 boot drive, 3tb Hitachi 7200 RPM HDD, Fractal Design Focus G Mini custom painted.  

NVIDIA GeForce RTX 2060 video card benchmark result - AMD Ryzen 5 3600,ASRock B450M Pro4 (3dmark.com)

Daughter 1 Rig: ASRock B450 Pro4, Ryzen 7 1700 @ 4.2ghz all core 1.4vCore, AMD R9 Fury X w/ Swiftech KOMODO waterblock, Custom Loop 2x240mm + 1x120mm radiators in push/pull 16gb (2x8) Patriot Viper CL14 2666mhz RAM, Corsair HX850 PSU, 250gb Samsung 960 EVO NVMe Win 10 boot drive, 500gb Samsung 840 EVO SSD, 512GB TeamGroup MP30 M.2 SATA III SSD, SuperTalent 512gb SATA III SSD, CoolerMaster HAF XM Case. 

https://www.3dmark.com/3dm/37004594?

Daughter 2 Rig: ASUS B350-PRIME ATX, Ryzen 7 1700, Sapphire Nitro+ R9 Fury Tri-X, 16gb (2x8) 3200mhz V-Color Skywalker, ANTEC Earthwatts 750w PSU, MasterLiquid Lite 120 AIO cooler in Push/Pull config as rear exhaust, 250gb Samsung 850 Evo SSD, Patriot Burst 240gb SSD, Cougar MX330-X Case

 


2 minutes ago, HackedYeah said:

Thanks man! xD How can I track the actual person who sent this from the origin scripts? I can see his X-Google-Smtp-Source, ARC-Seal, ARC-Message-Signature and his actual ip, are these info useful to hunt them down? 

 

 

Back when I ran an email server I’d basically trust nothing but the headers that connected to my server and the SMTP server logs. If you don’t have access to the SMTP server logs then you can be reasonably sure the IP is valid. Look up the IP and if your server isn’t hardened enough you may find the IP from a DSL or cable connection, or an open relay somewhere. I used to get tons of spam from misconfigured Apache web servers in various third world nations like Iran. These servers generally had misconfigured relaying rules that accepted whatever you threw at them.

Rarely did I get a misconfigured SPF record but it happened sometimes, so check for a bad SPF record on the relay server. 

You can try to contact the owner of the server that relayed the email but it’s likely that they will ignore you; this is what I ran into when running email servers for 5ish years. You contact the owner and the owner wouldn't reply, so all you can do is blacklist their email and put it on one of the widely known spam lists like SpamCop.
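"Check for a bad SPF record on the relay server" is a concrete thing to do, so here is an added example (mine, not from any poster) of what that check evaluates: an SPF record is a list of mechanisms with qualifiers, and the connecting IP is tested against them in order. DNS answers come from a constructed in-memory table (RFC 5737 addresses, example.* domains), so it runs offline; the "sloppy-relay" entry is the bad case, a record ending in "+all" that vouches for any host on the internet. The evaluator handles ip4, ip6, a, mx, include and all with the four qualifiers; CIDR suffixes on a/mx, exists and redirect are left out.

```python
"""Evaluate a sending IP against an SPF record, offline.

Added example, not from the forum thread. DNS answers come from a
constructed in-memory table (RFC 5737 addresses, example.* domains) so the
check runs without network; a real checker would resolve TXT, A and MX
records instead.
"""
import ipaddress

# Constructed zone data. sloppy-relay.example.org is the "bad SPF record"
# case: "+all" vouches for every host on the internet.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.example.net -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_spf.example.net", "TXT"): ["v=spf1 ip4:198.51.100.0/25 ~all"],
    ("sloppy-relay.example.org", "TXT"): ["v=spf1 +all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns=DNS):
    """The domain's SPF TXT record, or None when it publishes none."""
    for txt in dns.get((domain, "TXT"), []):
        if txt.startswith("v=spf1"):
            return txt
    return None


def check_spf(ip, domain, dns=DNS, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; stop runaway includes
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(addr == ipaddress.ip_address(a) for a in dns.get((arg or domain, "A"), []))
        elif name == "mx":
            matched = any(
                addr == ipaddress.ip_address(a)
                for mx in dns.get((arg or domain, "MX"), [])
                for a in dns.get((mx, "A"), [])
            )
        elif name == "include":
            # only a "pass" from the referenced domain counts as a match
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            matched = False  # unsupported mechanism: treated as no match here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no explicit "all"


def is_open_record(domain, dns=DNS):
    """True when the record's catch-all is '+all', i.e. anyone may send as the domain."""
    record = spf_record(domain, dns)
    if record is None:
        return False
    return any(term.lower() in ("+all", "all") for term in record.split()[1:])


if __name__ == "__main__":
    for ip, domain in [("192.0.2.25", "example.com"), ("192.0.2.9", "example.com"),
                       ("198.51.100.5", "example.com"), ("192.0.2.9", "sloppy-relay.example.org")]:
        print(ip, domain, check_spf(ip, domain), "OPEN RECORD" if is_open_record(domain) else "")
```

Reading the results: 192.0.2.25 passes for example.com through the mx mechanism, 198.51.100.5 passes through the include, and 192.0.2.9 fails on the trailing "-all"; the same 192.0.2.9 passes for the sloppy relay, which is what a misconfigured record looks like from the receiving side.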


2 minutes ago, N0TIC said:

Back when I ran an email server I’d basically trust nothing but the headers that connected to my server and the SMTP server logs. If you don’t have access to the SMTP server logs then you can be reasonably sure the IP is valid. Look up the IP and if your server isn’t hardened enough you may find the IP from a DSL or cable connection, or an open relay somewhere. I used to get tons of spam from misconfigured Apache web servers in various third world nations like Iran. These servers generally had misconfigured relaying rules that accepted whatever you threw at them.

Rarely did I get a misconfigured SPF record but it happened sometimes, so check for a bad SPF record on the relay server. 

You can try to contact the owner of the server that relayed the email but it’s likely that they will ignore you; this is what I ran into when running email servers for 5ish years. You contact the owner and the owner wouldn't reply, so all you can do is blacklist their email and put it on one of the widely known spam lists like SpamCop.

Wow! Sounds very cool to have such experience! So what's the relevant subject of such topics called? I wanna register a few courses on that next year! :x 


2 minutes ago, HackedYeah said:

Wow! Sounds very cool to have such experience! So what's the relevant subject of such topics called? I wanna register a few courses on that next year! :x 

 

Unfortunately, the best knowledge you can get would be from setting up your own email server. You can look for something like “hardening email servers” or “system administration” but really the best way is to dig in. Go grab a cheap VM from a place like Linode or DigitalOcean and check out ISPConfig for articles on how to get started. After a few years you’ll likely have a better skill set than you can get from a classroom. 


Just got this one. It certainly got my attention, since it gave an old password that I haven't used in years (a decade?) and I had a brief moment of wondering if I'd missed updating it somewhere important. Probably I did miss some site I signed up for once and haven't been to in years, or they got ahold of some very old data. It was definitely not the password of the email address they mentioned. Or the password to anything else I've logged into in years. I've never dealt with NCIX or the majority of the other sites people have mentioned. Monster or LiveJournal might be possibilities. "Have I Been Pwned" only comes up with my old DailyMotion account, but apparently that's a different password. So, it's a mystery.

 

Other than the recognizable password thing, this would've been easy to ignore. I can understand how someone could panic, especially someone who sees computers as rather magical and unexplainable (like, say, my mom) and reacts without looking more closely at the flaws.

 

On the other hand, even if it were real, between scrounging up $700 I definitely haven't got, or having them send their "data" to everyone I know... go to it, no one who knows me would be surprised by anything. :-)


Long time lurker, just never got around to creating an account until I saw this thread. 

I received one of the scam emails as well. Once I checked the headers and viewed the raw log files on the server I just laughed. The email address they had was just an email I used when I didn't want to use my main one. The password was one I had used in the past but hadn't in a very long time. 

More than likely it was from a test Dropbox account for work. 

However, I checked a couple of my good emails on Firefox Monitor and found out that Exactis just had a massive security breach on June 1, 2018. This is a data company that basically collects all the BS about you for marketing purposes. It says:

Exactis

Breach date: June 1, 2018. Compromised accounts: 131,577,763. Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages

Although after reading some articles regarding this breach it was basically wide open for anyone to access (if they knew how) and includes 340 million people! Twice as many as Equifax. Most people don't even know they are in it. And that is a serious problem. They are skirting the law and something must be done to stop it. 

Here is the story on Wired - https://www.wired.com/story/exactis-database-leak-340-million-records/

There is also a class action lawsuit against them in Florida due to this breach - https://www.law.com/dailybusinessreview/2018/06/29/florida-class-action-claims-exactis-breach-affects-230-million-americans/?slreturn=20180830162709

 

Some other notable breaches are: (this is a VERY small list) See more here: https://haveibeenpwned.com/PwnedWebsites

Mortal Online: Breached: June 17, 2018. Compromised accounts: 606,637. Compromised data: Email addresses, Names, Passwords, Physical addresses

Ticketfly: Breached: May 31, 2018. Compromised accounts: 26,151,608. Compromised data: Email addresses, Names, Phone numbers, Physical addresses

ViewFines: Breached: May 7, 2018. Compromised accounts: 777,649. Compromised data: Email addresses, Government issued IDs, Names, Passwords, Phone numbers

FunnyGames: Breached: April 28, 2018. Compromised accounts: 764,357. Compromised data: Email addresses, IP addresses, Passwords, Usernames

Bell: Breached: May 15, 2017. Compromised accounts: 2,231,256. Compromised data: Email addresses, Geographic locations, IP addresses, Job titles, Names, Passwords, Phone numbers, Spoken languages, Survey results, Usernames

Zomato.com: Breached: March 17, 2017. Compromised accounts: 16,472,873

Edmodo.com: Breached: May 17, 2017. Compromised accounts: 43,423,561

8Tracks: Breached: June 27, 2017. Compromised accounts: 7,990,619. Compromised data: Email addresses, Passwords

MasterDeeds: Breached: March 14, 2017. Compromised accounts: 2,257,930. Compromised data: Dates of birth, Deceased statuses, Email addresses, Employers, Ethnicities, Genders, Government issued IDs, Home ownership statuses, Job titles, Names, Nationalities, Phone numbers, Physical addresses

Disqus.com: Breached: July 1, 2012. Compromised accounts: 17,551,044

Dailymotion: Breached: October 20, 2016. Compromised accounts: 85,176,234

Fashion Fantasy Game: Breached: December 1, 2016. Compromised accounts: 2,357,872. Compromised data: Email addresses, Passwords

Adobe.com: Breached: October 4, 2013. Compromised accounts: 152,445,165 (this one included password hints as well) STOP USING MAIDEN NAMES, PET NAMES

Cash Crate: Breached: November 17, 2016. Compromised accounts: 6,844,490. Compromised data: Email addresses, Names, Passwords, Physical addresses

Leet: Breached: September 10, 2016. Compromised accounts: 5,081,689. Compromised data: Email addresses, IP addresses, Passwords, Usernames, Website activity

NemoWeb: Breached: September 4, 2016. Compromised accounts: 3,472,916. Compromised data: Email addresses, Names

i-Dressup: Breached: August 30, 2016. Compromised accounts: 845,012. Compromised data: Email addresses, Email messages, IP addresses, Names

Wishbone: Breached: August 7, 2016. Compromised accounts: 2,247,314. Compromised data: Auth tokens, Dates of birth, Email addresses, Genders, Names, Phone numbers, Usernames

Funimation: Breached: July 1, 2016. Compromised accounts: 2,491,103. Compromised data: Dates of birth, Email addresses, Passwords, Usernames

Army Force Online: Breached: May 18, 2016. Compromised accounts: 1,531,235. Compromised data: Avatars, Email addresses, Geographic locations, IP addresses, Names, Passwords, Usernames, Website activity

Modern Business Solutions: Breached: October 8, 2016. Compromised accounts: 58,843,488. Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Job titles, Names, Phone numbers, Physical addresses

Black Hat World: Breached: June 23, 2014. Compromised accounts: 777,387. Compromised data: Dates of birth, Email addresses, Instant messenger identities, IP addresses, Passwords, Usernames, Website activity

Cracking Forum: Breached: July 1, 2016. Compromised accounts: 660,305. Compromised data: Email addresses, IP addresses, Passwords, Usernames

LinkedIn: Breached: May 5, 2012. Compromised accounts: 164,611,595. Compromised data: Email addresses, Passwords

MySpace: Breached: July 1, 2008. Compromised accounts: 359,420,698

Cafe Mom: Breach date: April 10, 2014. Compromised accounts: 2,628,148

All of the above included the following compromised data: Email addresses, Passwords, Usernames

Bitcoin Security Forum Gmail Dump: Breached: January 9, 2014. Compromised accounts: 4,789,599. Compromised data: Email addresses, Passwords

DaniWeb: Breached: December 1, 2015. Compromised accounts: 1,131,636. Compromised data: Email addresses, IP addresses, Passwords

MyFHA: Breached: February 18, 2015. Compromised accounts: 972,629. Compromised data: Credit status information, Email addresses, Home loan information, Income levels, IP addresses, Names, Passwords, Personal descriptions, Physical addresses

Yahoo: Breached: July 11, 2012. Compromised accounts: 453,427. Compromised data: Email addresses, Passwords

Lastfm: Breached: March 22, 2012. Compromised accounts: 37,217,682. Compromised data: Email addresses, Passwords, Usernames, Website activity

Evony: Breached: June 1, 2016. Compromised accounts: 29,396,116. Compromised data: Email addresses, IP addresses, Passwords, Usernames

Kickstarter: Breached: February 16, 2014. Compromised accounts: 5,176,463. Compromised data: Email addresses, Passwords

Job Street: Breached: March 7, 2012. Compromised accounts: 3,883,455. Compromised data: Dates of birth, Email addresses, Genders, Geographic locations, Government issued IDs, Marital statuses, Names, Nationalities, Passwords, Phone numbers, Physical addresses, Usernames

Elance: Breached: January 1, 2009. Compromised accounts: 1,291,178. Compromised data: Email addresses, Employers, Geographic locations, Passwords, Phone numbers, Usernames

 

 

Even though some may be older, the large data files are still being sold on the dark web. Which could be why some people see old passwords. Plus, they may have more than one of your email addresses. So they can try logging into your other accounts with the same password. Another reason not to use duplicate passwords, ever. 

However, people are still selling MySpace database dumps. Now you can even buy 27 million Experian records! Which makes me wonder because the wording of what the data includes is a lot like the Exactis data description. Perhaps they are so stupid they don't realize there is a difference. I hate these deep web sites. There is so much fraud happening it is unbelievable. You can purchase an ounce of coke, bag of pills, some weed and as a bonus some rich businessman's AMEX card data along with his dob, ss#, dl#, and address all in the same shopping cart! It is pathetic and these people are getting away with it, for the most part. See my screenshot of the fraud listings being offered on a deep web site. 

 

Use extreme passwords everyone. Nothing less than 20 characters when it's allowed. This little article is quite helpful in understanding just how easy it is for these fools to get your password, if they tried. https://www.deepdotweb.com/2016/11/12/need-know-passwords/

Try the Norton Password generator and use 20+ characters. https://my.norton.com/extspa/idsafe?path=pwd-gen

 

I hope this helps some of you narrow down where your data was breached. 

Cheers

 

[attached screenshot: SorryAssScammersSS.JPG]


Received this email last night, probably a stupid question, but for people who got it weeks ago, did anything actually happen in the following 48 hours?


On 9/25/2018 at 11:27 AM, Plstudio said:

I changed the email passwords immediately after the initial breach 

 

the password they have or had is not one that is used for my email thankfully looks like the email / password combo was sourced from adobe cloud or Dropbox or some other online service.

 

still though. Spending the day updating...

Me too... it looks like an old "standard" password I may have used signing up for something else.

 

The differences are that there were instructions on my letter about how to purchase bitcoin, and my email addy is a comcast.net domain


Looks like it was written by a 12 year old.

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III


Persistent. I just got a second one, with different text but saying basically the same thing, using the same email address/outdated password combo. Oh, and asking for more money. Which, of course, would have happened even if I'd paid the original demand. 


I've received probably a dozen of them now.  In many different forms some claiming they put a rat virus on my computer.  I guess since school has started some of these people have nothing better to do but send out scam letters.  :)


Ooooh they played the porn card. That oughta get people scared. 

Intel® Core™ i7-12700 | GIGABYTE B660 AORUS MASTER DDR4 | Gigabyte Radeon™ RX 6650 XT Gaming OC | 32GB Corsair Vengeance® RGB Pro SL DDR4 | Samsung 990 Pro 1TB | WD Green 1.5TB | Windows 11 Pro | NZXT H510 Flow White
Sony MDR-V250 | GNT-500 | Logitech G610 Orion Brown | Logitech G402 | Samsung C27JG5 | ASUS ProArt PA238QR
iPhone 12 Mini (iOS 17.2.1) | iPhone XR (iOS 17.2.1) | iPad Mini (iOS 9.3.5) | KZ AZ09 Pro x KZ ZSN Pro X | Sennheiser HD450bt
Intel® Core™ i7-1265U | Kioxia KBG50ZNV512G | 16GB DDR4 | Windows 11 Enterprise | HP EliteBook 650 G9
Intel® Core™ i5-8520U | WD Blue M.2 250GB | 1TB Seagate FireCuda | 16GB DDR4 | Windows 11 Home | ASUS Vivobook 15 
Intel® Core™ i7-3520M | GT 630M | 16 GB Corsair Vengeance® DDR3 |
Samsung 850 EVO 250GB | macOS Catalina | Lenovo IdeaPad P580


You guys do realize that all they need is 0.1% to fall for the scam!

You guys do realize how many computer illiterate people are in this world!

You guys do realize people DO fall for the dumbest scams!

 

Like Nigerian Prince, oh too obvious you say ------> 0.1%

 

Owe Tax Money is a great one! Heck people even pay in gift cards! If the bad engrish and accents are not a clue, and you don't even bother to double check by independently getting contact info INDEPENDENTLY like in this example, googling the info, getting the secured symbol in the address line.

 

Then hey 0.1% of say a couple grand in USD or CDN/AUS $, is $10M to the third worlders!

 

 

Side note: Even the legal companies like Capital One credit cards are the worst offenders! They are very aggressive!

 


4 months later...

(I just posted this mail to a sub Reddit - just want to get the word out that the scam is continuing with a different author/source it seems).

 

I was a long time NCIX customer. On Feb 8, 2019, I received an email trying to blackmail me saying they installed a keylogger and had RDPed to my PC (two actions that are not really related however sound plausible enough to get a layman's attention). They made very vague references to visited porn sites and me "starring" in a webcam video captured from my own PC (I have no web cameras connected and my laptop is in a dock with the lid closed). The author of the mail wanted a very specific amount (over $1300 USD) deposited to a Bitcoin account or the compromising webcam video along with the web history would be mailed to all the contacts they had collected off my PC. Phishing mails and the like are unfortunately very common now however this mail was different in that it was a direct threat to me and as a legitimizing piece of evidence, they included a password. That did grab my attention for sure! I use a password generator app and I know exactly where this particular PW came from...NCIX! So, someone is mining the stolen data and using the account email and login password to generate these blackmail attempts. As I mentioned earlier, the details they provide are all very vague with the only "real" data point being one of my email accounts and a "real" password.

 

I never cached my credit card data in the point-of-sale module and any card info that NCIX might have retained is expired. This is what happens when there is such a messy end to a company. Hope the Canadian legal system will hold the previous named owners of NCIX liable for the customer data they failed to protect.

 

So, if you were a NCIX customer that had a profile/login on their site, be vigilant...


They’d have trouble sending such a large amount of my recordings over the internet, I hope they have a gigabit connection, they’ll need it.

