Think I got hacked

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
Got this email, the subject was one of the passwords I use online. I don't really use it for a lot of stuff anymore if anything and actually changed it everywhere a while back but the fact that they got it is concerning enough as is. Going to go around and change all my existing passwords just to be on the extra safe side.

The email stated that I went to a porn site called X videos. I don't actually recall this, and I don't really watch porn, but it's quite possible maybe from a Reddit link or something I found myself on said site at some point and then the malware got loaded on my machine. They said that by going to the site they were able to RDP through my machine via some malware that was on the site. They are basically extorting me to pay $5000 in bitcoin or else all my contacts will get a video of me watching said porn. I don't watch porn, if by chance I did watch a small clip I would be making a pretty boring face, and closing it, and moving on. I also don't have a web cam, but if they have a pic of me I imagine it's not hard to CGI it into a video. Basically they want to send a video of me watching porn showing my reaction to all my contacts.

The part that really concerns me though is that they were able to RDP to my machine. I don't know what else they may have done to my computer or my network while they were in there, or what information they may have gathered such as other passwords, credit card info etc.

My question is, how concerned should I be about this. The fact that they have enough info on me such as my password and email address and facebook account means they have enough on me to possibly cause a lot of damage. Could the claims about RDP be real even though I run Linux? Suppose an exploit through a browser could load some kind of java based RDP that is multi platform right?

Also the email has a tracker in it that starts the counter (I have 1 day) but I could not verify as it looks like it's all encoded in base64 so I can't actually see the source. I imagine they did that to bypass any security that would normally block external images from being loaded. I'm just more concerned about what else they might have loaded on my network at this point.

Anyone else have seen something like this? How worried should I be and what is the best course of action at this point, should I need to format/reinstall all the machines that are on this vlan?
 
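The "tracker" the poster mentions is a remote image whose URL is hidden because the whole HTML part is base64 transfer-encoded, so viewing the raw source shows only a block of base64. The following is an added example, not code from the thread: it builds a constructed message of that shape (placeholder addresses, a made-up password and a `tracker.invalid` pixel URL, none of them from the real email), decodes the part with the standard library, and lists the remote images and the 1x1 beacons that a mail client would fetch if it rendered the message.

```python
import base64
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real message): the HTML body is base64
# transfer-encoded, so "view source" shows only base64 and the tracking
# pixel URL stays hidden until the part is decoded.
_RAW_HTML = """<html><body>
<p>I know your password: <b>hunter2-example</b>. You have 24 hours.</p>
<img src="https://tracker.invalid/pixel.gif?id=abc123" width="1" height="1">
<img src="cid:logo" alt="inline attachment, not remote">
<img src="https://cdn.invalid/banner.png" width="600" height="80">
</body></html>"""

SAMPLE_EMAIL = (
    "From: nobody@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: hunter2-example\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    + base64.b64encode(_RAW_HTML.encode("utf-8")).decode("ascii")
    + "\r\n"
)


class _ImgCollector(HTMLParser):
    """Collects (src, width, height) for every <img> tag in the decoded HTML."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.images.append((a.get("src", ""), a.get("width", ""), a.get("height", "")))


def decoded_html(raw_message: str) -> str:
    """Parse the message and return its HTML body with the transfer-encoding removed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return ""
    return body.get_content()


def remote_images(raw_message: str):
    """Every <img> whose src would cause a network fetch (http/https) when rendered."""
    collector = _ImgCollector()
    collector.feed(decoded_html(raw_message))
    return [img for img in collector.images if re.match(r"^https?://", img[0], re.I)]


def tracking_pixels(raw_message: str):
    """Remote images declared as 1x1: the classic 'was it opened' beacon."""
    return [src for src, w, h in remote_images(raw_message) if w == "1" and h == "1"]


def subject(raw_message: str) -> str:
    """The subject line, which in these scams is typically the leaked password itself."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return str(msg["subject"])


if __name__ == "__main__":
    print("subject:", subject(SAMPLE_EMAIL))
    print("remote images:", remote_images(SAMPLE_EMAIL))
    print("tracking pixels:", tracking_pixels(SAMPLE_EMAIL))
```

The base64 encoding does not "bypass" image blocking: a client that blocks remote content decodes the part first and still refuses to fetch `https://` images, so the sender learns nothing unless the recipient allows remote images. Saving the message as `.eml` and running it through a decoder like this is a safe way to see what it would have loaded.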

SKORPI0

Lifer
Jan 18, 2000
18,429
2,357
136
Got something similar on my hotmail e-mail 2 months ago. Ignored it.

Here's the exact text, bitcoin link for payment not included. Of course it's a scam.... I also don't have a webcam, so how would they even have a video of me. Even if they did what they claim they can do, friends/family won't care.
I won't beat around the bush. I am aware 1qaz2wsx3 is your password. More importantly, I know your secret and I have evidence of it. You do not know me personally and no one hired me to check out you.

It is just your misfortune that I stumbled across your blunder. In fact, I actually installed a malware on the adult vids (sexually graphic) and you visited this site to have fun (you know what I mean). When you were busy watching videos, your browser started operating as a Rdp (Remote control desktop) with a key logger which provided me with access to your display and also webcam. Immediately after that, my software collected your complete contacts from your messenger, social networks, as well as mailbox.

I then put in more hours than I probably should have exploring into your life and created a double screen video. 1st part shows the video you were viewing and 2nd part displays the recording of your web camera (its you doing nasty things).

Honestly, I am ready to forget details about you and allow you to continue with your daily life. And I am about to present you 2 options that can accomplish this. These two choices with the idea to ignore this letter, or just pay me $3200. Let us explore these 2 options in more detail.

First Option is to ignore this email message. Let me tell you what will happen if you take this option. I will, no doubt send your video recording to your entire contacts including relatives, colleagues, and so forth. It doesn't help you avoid the humiliation your family will face when friends find out your dirty videos from me.

Option 2 is to pay me $3200. We’ll name this my “privacy charges”. Let me tell you what happens if you opt this choice. Your secret will remain your secret. I will delete the recording immediately. You keep your daily life that nothing like this ever happened.

At this point you must be thinking, “I will go to the cops”. Let me tell you, I've taken steps to make sure that this e-mail cannot be traced to me also it won't stay away from the evidence from destroying your lifetime. I am not looking to dig a hole in your pocket. I am just looking to be paid for the time I placed into investigating you. Let's assume you have decided to create all this disappear and pay me the confidentiality fee. You'll make the payment via Bitcoins (if you do not know this, type "how to buy bitcoins" on google)
 

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
Yeah that's the one. Did you notice anything weird going on with your machine? I'm more concerned about whether or not they really did manage to get in, and how, as I will want to fix that security issue.
 

SKORPI0

Lifer
Jan 18, 2000
18,429
2,357
136
Yeah that's the one. Did you notice anything weird going on with your machine? I'm more concerned about whether or not they really did manage to get in, and how, as I will want to fix that security issue.
Nothing weird, all I did was a security/anti-virus/malware, worms, trojans, rootkits, dialers & spyware scan on my PC. The password mentioned above was not even in main login account. Just to be sure...I've changed it. BTW, who doesn't watch pron once in a while? Browser should warn you that you're visiting a non-certified/non-safe site, possible keylogger, etc.
 

paperfist

Diamond Member
Nov 30, 2000
6,520
280
126
www.the-teh.com
Your contacts will get a video of you watching porn? WTF...

Hope your OS password is different than the rest.

Pretty sure you can turn RDP off. Wish there was a way to turn the ‘internet’ off when not using your PC.
 

Thebobo

Lifer
Jun 19, 2006
18,574
7,671
136
Your contacts will get a video of you watching porn? WTF...

Hope your OS password is different than the rest.

Pretty sure you can turn RDP off. Wish there was a way to turn the ‘internet’ off when not using your PC.

Interesting. Could turn it off in networks settings maybe if you had some sort of script or shortcut..
 

CZroe

Lifer
Jun 24, 2001
24,195
857
126
Of course it’s a scam. If they had the video then they would have no reason not to show it to you.

There are very public databases of hacked passwords and emails that security researchers and criminals can mine. Eventually, they lose their usefulness to criminals and only remain useful for scare tactics like this.

“Well, we can’t break into anything with it so let’s see if we can use it to bluff our way to some cash.”
 

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
Of course it’s a scam. If they had the video then they would have no reason not to show it to you.

There are very public databases of hacked passwords and emails that security researchers and criminals can mine. Eventually, they lose their usefulness to criminals and only remain useful for scare tactics like this.

“Well, we can’t break into anything with it so let’s see if we can use it to bluff our way to some cash.”

That's what I'm starting to think that it just originates from one of the many sites that got hacked. Though I do wonder how they managed to get the clear text passwords out so fast, as most of the time it's hashed/encrypted so it can take years to decode all of that. Though this password IS multiple years old and has not been used anywhere since... so I guess it's plausible.
 
Reactions: Thor86
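CZroe's point about public breach databases, and Red Squirrel's question of whether an old password could already have been cracked, both come down to one check: is this password in a known dump? The Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<prefix>`) answers that without ever receiving the password, because the client sends only the first five hex characters of the SHA-1 and matches the rest locally. This is an added example, not code from the thread; the range listing embedded below is constructed (made-up counts and suffixes, plus the genuine SHA-1 suffix of the string "password"), and the live `fetch_range` helper is only there for real use.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-character prefix ever leaves the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a 'SUFFIX:COUNT' range listing locally for our suffix; 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (not exercised offline): GET the range listing for a 5-char prefix."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range response for prefix 5BAA6.  The middle
# line is the real SHA-1 suffix of "password"; the counts and the other
# suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:4",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "FEDCBA9876543210FEDCBA9876543210FED:12",
])


def breach_count(password: str, range_lookup=None) -> int:
    """How many times the password appears in the corpus (0 means not found).

    range_lookup maps a 5-char prefix to the listing text; defaults to the live API.
    """
    prefix, suffix = split_for_range_query(password)
    lookup = range_lookup or fetch_range
    return count_in_range_response(suffix, lookup(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed listing.
    print("prefix sent over the wire:", split_for_range_query("password")[0])
    print("seen in breaches:", breach_count("password", range_lookup=lambda p: SAMPLE_RANGE_5BAA6))
```

A non-zero count is the signal to retire the password everywhere it was ever used; a zero does not prove it is safe, only that it is not in that corpus. Hashing the candidate locally and matching the suffix client-side is what keeps the check from becoming another place the password is disclosed.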

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Disable RDP if it's not required.

Code:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
 

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
I'm sure a hacker/exploit would be able to just enable it no? Chances are this exploit would just load its own java based RDP or something so that it works in Linux too. Regular RDP would not really work even if it's enabled as the port would need to also be forwarded, so it would need to use a form of RDP that connects out to a central server first. (kinda like how those gotoassist type programs work)

Though I did more research on this and it seems to be a BS email. I was just in panic mode when I first saw it, but forgot about the fact that so many password databases got hacked in the past few years so they probably got all the info from there. The password hash would be with the email so they can put the two together and given how old this password is it probably took that long for them to crack it.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
I agree, but I still disable all un-needed remote access tools. This is part of a defense in depth strategy. I also restrict outbound ports. While it is possible that an attacker could still use https to exfiltrate, again the barrier to entry goes up. I really wish home routers would support IDS/IPS support to look for unexpected packets masquerading as http/https traffic. Unfortunately, that would probably reduce security as it would require adding a trusted certificate to your computer and basically doing a MITM attack on yourself to read that traffic. You could however put a agent on the machine that looks at this traffic and reports to the IDS. Then we don't need a MITM certificate and we get that protection.

Furthermore, if I was in a corp environment I'd look at tools such as group policy, app locker, and controlled folder access for windows to protect against unauthorized applications and ransomware. I would also use FSRM to detect common extensions of ransomware files and other malware. I would use configuration management tools to enforce and ensure all systems are compliant and also ensure all logs go to an outside source (not on the domain if possible). For linux I'd also use configuration management tools and provide users with minimal sudo privileges based on need. Servers would all be managed by configuration management (or at best be ephemeral) and logins would only be allowed for break glass situations. I'd use apparmor/selinux to further restrict the ability to download and run executable applications without approval.

Security is a balance though, so not all my advice is good for your use cases. In the end you have to decide how much work and annoyance you are willing to put up with to protect whatever you decide is worth protecting.
 

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
One thing that's crossed my mind is to make my whole network air gapped then my internet browsing PC, and p2p and other stuff that actually NEEDS internet would be connected. Basically two separate networks that are physically separated. Not sure what would be the easiest way to do that though, like if I'm coding or whatever and I'm doing research online it's still nice to be able to copy and paste information or code or whatever. Would almost need to have two workstations too, one for internet and one for every day tasks, on the private network.

The biggest issue is how insecure browsers are and the fact that they allow a website to execute any code it wants on the machine. You can use noscript etc but there will always be ways to bypass that. It's essentially how Google and Facebook know so much about you they can look at your other tabs, your browsing history etc. Those same methods could easily be used to simply execute code too. There's ways to do it even through images nowadays. I suppose I'm somewhat safe being on Linux but even then it could still be done. You don't need to be using it as root either, a good hacker is going to know how to script something and BECOME root.

I definitely would not run RDP or VNC or anything of that sort with a port forward to the outside.
 

paperfist

Diamond Member
Nov 30, 2000
6,520
280
126
www.the-teh.com
Never seen a personal system that didn’t have toggles for WiFi or allow you to disable the NIC

Totally forgot about disabling the NIC.

One thing that's crossed my mind is to make my whole network air gapped then my internet browsing PC, and p2p and other stuff that actually NEEDS internet would be connected. Basically two separate networks that are physically separated. Not sure what would be the easiest way to do that though, like if I'm coding or whatever and I'm doing research online it's still nice to be able to copy and paste information or code or whatever. Would almost need to have two workstations too, one for internet and one for every day tasks, on the private network.

The biggest issue is how insecure browsers are and the fact that they allow a website to execute any code it wants on the machine. You can use noscript etc but there will always be ways to bypass that. It's essentially how Google and Facebook know so much about you they can look at your other tabs, your browsing history etc. Those same methods could easily be used to simply execute code too. There's ways to do it even through images nowadays. I suppose I'm somewhat safe being on Linux but even then it could still be done. You don't need to be using it as root either, a good hacker is going to know how to script something and BECOME root.

I definitely would not run RDP or VNC or anything of that sort with a port forward to the outside.

I doubt they are bullet proof, but have you thought about something like a SonicWall?
 

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
Totally forgot about disabling the NIC.

I doubt they are bullet proof, but have you thought about something like a SonicWall?

That won't protect you from attacks that are browser based. I already have pfsense and lot of stuff is split up in vlans based on risk. But if I was to browse a site by accident that has an exploit on it from the main vlan then it's still going to be able to do stuff to anything that vlan has access to.

I guess this would be a good case for running a browser in a VM that is restricted to what else it can access, though.
 

paperfist

Diamond Member
Nov 30, 2000
6,520
280
126
www.the-teh.com
That won't protect you from attacks that are browser based. I already have pfsense and lot of stuff is split up in vlans based on risk. But if I was to browse a site by accident that has an exploit on it from the main vlan then it's still going to be able to do stuff to anything that vlan has access to.

I guess this would be a good case for running a browser in a VM that is restricted to what else it can access, though.

I guess I haven’t paid enough attention to browser attacks. My Norton is always telling me about web browser attacks that it blocked. I’m sure it’s not getting them all though.
 
Reactions: Thor86

UsandThem

Elite Member
May 4, 2000
16,068
7,380
146
I guess I haven’t paid enough attention to browser attacks. My Norton is always telling me about web browser attacks that it blocked. I’m sure it’s not getting them all though.

No antivirus will protect you from everything out there. However, if you're getting warnings on a regular basis like it sounds like you are, make sure you have Norton Safe Web browser extension enabled, as it will tell you if the site is safe before you even go there:



Additionally, if you're still not sure if the site is safe or not, have the URL inspected using these tools:

https://www.virustotal.com/#/home/upload
https://transparencyreport.google.com/safe-browsing/search

I use all three of those safety measures quite a bit while moderating here checking out suspicious links without jeopardizing my PCs.
 
Reactions: paperfist

Red Squirrel

No Lifer
May 24, 2003
68,468
12,615
126
www.anyf.ca
Come to think of it, are there any good firefox extensions for blocking the types of attacks that would give access to scripts to modify the system? I'm not purposely going to bad sites or anything, don't want to give that impression, but it can still happen, especially when browsing random stuff like Reddit, or googling for stuff, sometimes you can land on a site that's been compromised or whatever, and then they will have scripts that try to load stuff into your machine etc. Any blanket way to block all that crap? I suppose running Linux makes me less of a target, but it's not 100%. While running a browser in a VM could help, it's not really practical to have to fire up a VM, wait for it to boot etc, every time I want to use my browser. Then when I download stuff I still need to setup network shares and all that crap just to transfer it to my machine, so kind of a pain.

Another thing I was thinking of is maybe running the browser in a Linux container, would that provide any kind of security?

While this particular email was probably a scam and not true in what it said, it did make me realize that something like that could very well easily happen if you accidentally land on the wrong site. Not just RDP, but they could pretty much run anything they want and infect your whole network with backdoors or ransomware etc. Or heck even a non hostile site if some ad network gets hacked or something.
 

UsandThem

Elite Member
May 4, 2000
16,068
7,380
146
Come to think of it, is there any good firefox extensions for blocking the types of attacks that would give access to scripts to modify the system?

There are quite a few add-ons you can try. I use Adblock, which can be configured to stop malware. I doubt it is anywhere near as good as my Norton extensions/protection, but I figured why not?

Another few add-ons for Firefox that I have seen quite a few people use are uBlock, NoScript, and Malwarebytes:

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?src=recommended_fallback

https://addons.mozilla.org/en-US/firefox/addon/noscript/?

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

But honestly, the safest route for what you described is to copy and paste any link you aren't 100% sure of with the two links I listed in my first post. I use it almost daily here because of new users signing up and posting links that I am not familiar with. It's saved me a lot of headaches many times because it warns me of malware/viruses without me having to try the link out.
 