How did they do it? (Hacked)
Re: How did they do it? (Hacked)
Other than what has been said:
1) Never click a link from email.
2) Never believe what the email says either, always find your own way to site and log in.
3) Enable 2 factor authentication (and use a password manager if you don't log in from new devices often - is there not a trust this device option?)
4) Check your email against "Haveibeenpwned" though I doubt you've used the same password twice if it's really obscure.
First thing I thought was - did they actually access the account? I've had emails about "someone tried to log in..." before. Usually someone with similar or somewhat email (or possibly people trying passwords revealed via haveibeenpwned for various sites that were compromised on the biggest platforms - facebook, netflix, twitter, instagram, google etc) but never actually made it in. Even had a few password reset attempts a few years back; some were even legit.
This year I've also received emails from a US professor with coursework from students attached - with requests to mark it by the weekend. I said I would do my best, but warned it may not be up to much as I'm unfamiliar with the subject matter. So could (if not successful) have been someone a bit muddled?
Re: How did they do it? (Hacked)
Changing your password doesn't work with netflix and neither does logging out of all devices as far as I know. Basically on devices like my roku, firetablet, etc... even after passwords are changed they are still ok using the old one for a very long time. On my roku if it asks for passwords I hit the home button and go into the app again and it works with no password request.
I think making a new account might work even though you'd lose your netflix data.
Re: How did they do it? (Hacked)
Ah, there was a delay, but it did force logout all devices, and now none will go back in with the original password. - It did unnerve me when one of my smart boxes went straight back in under the old password as if nothing had happened, but that sorted after a minute or two.
burger1 wrote: ↑Wed, 29. Apr 20, 00:57
Changing your password doesn't work with netflix and neither does logging out of all devices as far as I know. Basically on devices like my roku, firetablet, etc... even after passwords are changed they are still ok using the old one for a very long time. On my roku if it asks for passwords I hit the home button and go into the app again and it works with no password request.
I think making a new account might work even though you'd lose your netflix data.
Thing is, with the spotlight put on Netflix, I'm wondering what I actually watch on it. - Locke and Key has finished (I think that was Netflix) and I originally only activated it for Star Trek Discovery. - With Sky Q 'everything' and Amazon Prime, Netflix does come across as the weakest content-wise, *and* more expensive than Prime...
“Man, my poor head is battered,” Ed said.
“That explains its unusual shape,” Styanar said, grinning openly now. “Although it does little to illuminate just why your jowls are so flaccid or why you have quite so many chins.”
“I…” Had she just called him fat? “I am just a different species, that’s all.”
“Well nature sure does have a sense of humour then,” Styanar said. “Shall we go inside? It’d not be a good idea for me to be spotted by others.”
Re: How did they do it? (Hacked)
Does the email thing count when you're using Outlook 365 as part of the office package? - I do check all links, but Office also uses something called 'safelinks' to make sure there's nothing nefarious going on. I have a system whereby any official email goes to different folders, and I have had it in the past where phishing emails come in (to my Yahoo account, never my Outlook one) which go straight to the Inbox rather than the designated folder. I guess there's an eternal battle going on between criminals and official websites, and I imagine websites can only react to new 'things' after they've first happened. Is phishing really that clever that an identical link can take you other than the legal website (with the secure icon symbol in the browser.) Damn, if it has, I'm in a stew! LOL
Chips wrote: ↑Wed, 29. Apr 20, 00:04
Other than what has been said:
1) Never click a link from email.
2) Never believe what the email says either, always find your own way to site and log in.
3) Enable 2 factor authentication (and use a password manager if you don't log in from new devices often - is there not a trust this device option?)
4) Check your email against "Haveibeenpwned" though I doubt you've used the same password twice if it's really obscure.
First thing I thought was - did they actually access the account? I've had emails about "someone tried to log in..." before. Usually someone with similar or somewhat email (or possibly people trying passwords revealed via haveibeenpwned for various sites that were compromised on the biggest platforms - facebook, netflix, twitter, instagram, google etc) but never actually made it in. Even had a few password reset attempts a few years back; some were even legit.
This year I've also received emails from a US professor with coursework from students attached - with requests to mark it by the weekend. I said I would do my best, but warned it may not be up to much as I'm unfamiliar with the subject matter. So could (if not successful) have been someone a bit muddled?
Both my main email accounts show as 'good news' on the "Haveibeenpwned" website.
Re: How did they do it? (Hacked)
If any website is storing passwords in an encrypted format that can be *decrypted* then something is already very wrong. You should always store a one-way encrypted hash of the password, then encrypt whatever the user types in using the same method and compare the results.
Re: How did they do it? (Hacked)
True but encryptions are broken all the time. Even RSA has been cracked. It may take a long time to decrypt but it does happen. That's the truth of the internet, there is no such thing as perfect security. There are highly effective measures that can deter hackers, such as multi-factor authentication, but they can still be broken or circumvented.
pjknibbs wrote: ↑Wed, 29. Apr 20, 08:53
If any website is storing passwords in an encrypted format that can be *decrypted* then something is already very wrong. You should always store a one-way encrypted hash of the password, then encrypt whatever the user types in using the same method and compare the results.
The Future is Progressive!
rebellionpac.com
Fight white supremacy, fight corporate influence, fight for the rights of all peoples!
Re: How did they do it? (Hacked)
Hashes are, by their nature, harder to break than two-way encryption, because they don't need to be reversible even by the person who created them. The list of hash algorithms that have weaknesses (and note that a weakness doesn't necessarily mean that it's easy to actually break in practice) is known and doesn't change often. Any large company worth its salt (pun intended: the data should be salted too) shouldn't have too much trouble in avoiding those.
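The scheme the two posts above describe (store only a salted one-way hash, re-derive it from what the user types, compare the results) as an added worked example; this is illustration code, not anything from the forum or from any site mentioned in the thread. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison; the iteration count and record format are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the thread).
ITERATIONS = 600_000   # work factor: slows down offline guessing of a leaked hash
SALT_BYTES = 16        # fresh random salt per user


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>".

    Only this one-way value is kept; the password itself is never stored, so a
    database leak exposes salted hashes that must be guessed, not decrypted.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the typed password using the stored salt and
    iteration count, then compare in constant time to avoid a timing leak."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: never authenticate on it
    if scheme != "pbkdf2_sha256" or rounds <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def salting_separates_identical_passwords(password: str) -> bool:
    """Two users who chose the same password get different records, so a
    cracked hash for one cannot be matched against the other by lookup."""
    record_a = hash_password(password)
    record_b = hash_password(password)
    return (record_a != record_b
            and verify_password(password, record_a)
            and verify_password(password, record_b))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("right password verifies:", verify_password("correct horse battery staple", rec))
    print("wrong password verifies:", verify_password("Correct horse battery staple", rec))
    print("same password, different users, different hashes:",
          salting_separates_identical_passwords("hunter2"))
```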
Re: How did they do it? (Hacked)
So do you know what safelinks does? A quick check seems to say it's basically checking against a known blacklist of Microsoft and a corporate blacklist (company related if you're part of an organisation).
Most disconcerting would be the old phrase... the weakest link in any security is the user. If people outsource the trust to safelinks it means if it's able to be beaten, then they are beaten.
So if my 10s of Googling is correct, a new (non blacklisted at time of writing) url would pass with flying colours. However, I'd be surprised if safelink was *that* basic, but you should definitely find out if you don't already know!
An article pointed out that if anything, the presentation of links by safelink makes it even harder to determine if a link is bogus, so you're entirely reliant upon it warning you.
But the main thing is - this may be utterly irrelevant from the problem you had as who knows. It may have been from a year ago, two years ago etc. I got an email the other day saying they knew my password and told it to me; they demanded money. It's a password not used in about 18 years...
Re: How did they do it? (Hacked)
In summary: unless you're savvier than Sam Saveloy, Sausage King of the Virtual World, it's best to avoid the Internet.
*Buys idiots guide to Semaphore*
*Notes neighbour reading it over my shoulder*
Shrieks "I've been hacked!"
===
I'll never follow links from emails again. I'll click on bookmarks, or create new ones as needed. I'll change my passwords more often than I change my socks... Actually, no, it's best to change passwords at least twice a year, yes? -And I'll wear a false moustache whenever I use my webcam.
You've got this, Gavrushka.
- RegisterMe
- Posts: 8903
- Joined: Sun, 14. Oct 07, 17:47
Re: How did they do it? (Hacked)
Likewise my lodger. She received an email that demonstrated that the sender knew part of her password. It also claimed that he(?) had installed a keylogger, had at times taken used her webcam, and that the various porn sites she looked at demonstrated that she had good taste. Unless x thousand in bitcoin was transferred wherever a lot of her personal details / communications / porn habits would be relayed to her various contact lists.
It was, in effect, a reasonably sophisticated social engineering attempt.
I talked her through it. She was adamant that she hadn't looked at the claimed porn sites. This was enough for me to say "there's a lot of bluff in this and that undermines the rest of the threat. Change all your passwords on everything and either ignore it or tell them where to get off, and report it to the police".
But if she'd been vulnerable in some way, and without access to somebody reasonably tech savvy, and had looked at whatever porn sites... it might have felt very threatening indeed.
I can't breathe.
- George Floyd, 25th May 2020
- red assassin
- Posts: 4613
- Joined: Sun, 15. Feb 04, 15:11
Re: How did they do it? (Hacked)
Those emails started appearing a few years ago after a particularly big password leak. Pretty easy to just trawl the internet for big password leaks, crack whatever passwords you can if they're salted, and then email everybody whose password you have a threatening message about hacking them. (Amusingly, not too long after that, somebody started sending the same template out but without bothering with the including the actual password!) Lots of people reuse passwords a lot, so it doesn't really matter what service you originally get the email from.
The key advice is pretty simple:
1) Use a password manager. Let it generate passwords for everything except maybe your email account. Have really strong, different passwords for your password manager and your email. (A string of a few random words is often easier to type and remember than a string of a dozen random characters.)
2) Use two-factor authentication wherever available. Yubikeys are great for the services that accept them. Standard authenticator apps on your phone are good. Text messages are better than nothing, but not ideal.
3) Don't click links in emails. While most phishing can be detected via the usual checks on use of your name, whether the email service can verify the sender, etc, identifying a really good targeted phish is hard even for professionals. Navigate directly to the site in question and you'll be a lot safer.
Once you're following that advice, you probably don't need to worry about changing individual passwords unless you have evidence that one has actually been compromised.
Signing up for haveibeenpwned notifications is also pretty useful as a warning for when you should probably change your password somewhere and/or keep an eye out for targeted phishing on the basis of it.
Also, some email accounts offer a feature that allows you to make distinct email addresses: e.g. on GMail, you can add "+whatever" to your email address, as in "johnsmith+amazon@gmail.com" if your account is "johnsmith@gmail.com". This allows you to associate an email you're receiving with where the sender got your email address from, which can often be quite illuminating.
A still more glorious dawn awaits, not a sunrise, but a galaxy rise, a morning filled with 400 billion suns - the rising of the Milky Way
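The "+whatever" sub-addressing trick from the post above, worked through as an added example (not code from the forum or from GMail): each service is given its own tag, and incoming mail is checked against who that tag was handed to. It also handles the caveat raised later in the thread that a spammer may strip or swap the tag, by reporting untagged and unknown-tag mail separately. The message headers and domains are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample headers (not real mail). The tag in each To: address is the
# one the account owner gave to that particular service when signing up.
MESSAGES = [
    {"from": "orders@amazon.example",      "to": "John Smith <johnsmith+amazon@gmail.com>"},
    {"from": "promo@unknown-shop.example", "to": "johnsmith+amazon@gmail.com"},
    {"from": "alerts@bank.example",        "to": "johnsmith@gmail.com"},
    {"from": "news@netflix.example",       "to": "johnsmith+netflix@gmail.com"},
    {"from": "win@lottery.example",        "to": "johnsmith+prize@gmail.com"},
]

# Which sender domain each tag was registered with (constructed).
TAGS_GIVEN_TO = {"amazon": "amazon.example", "netflix": "netflix.example"}


def split_subaddress(header_value: str):
    """Return (base local part, tag, domain) for an address such as
    'johnsmith+amazon@gmail.com'; tag is '' when there is no '+'."""
    _, addr = parseaddr(header_value)
    local, _, domain = addr.partition("@")
    base, _, tag = local.partition("+")
    return base.lower(), tag.lower(), domain.lower()


def sender_domain(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr.partition("@")[2].lower()


def attribute(messages, tags_given_to):
    """Label each message by how its To: tag relates to its sender.

    expected         - tag seen from the service it was given to
    leaked-or-shared - tag given to one service, mail now arriving from another
    unknown-tag      - a tag never handed out (possibly swapped in by a spammer)
    untagged         - bare address: the tag may have been stripped, or the
                       sender got the address some other way
    """
    results = []
    for msg in messages:
        _, tag, _ = split_subaddress(msg["to"])
        sender = sender_domain(msg["from"])
        if tag == "":
            verdict = "untagged"
        elif tag not in tags_given_to:
            verdict = "unknown-tag"
        elif sender == tags_given_to[tag]:
            verdict = "expected"
        else:
            verdict = "leaked-or-shared"
        results.append((sender, tag, verdict))
    return results


if __name__ == "__main__":
    for sender, tag, verdict in attribute(MESSAGES, TAGS_GIVEN_TO):
        print(f"{sender:24} tag={tag or '-':8} {verdict}")
```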
Re: How did they do it? (Hacked)
That is quite brilliant. I hadn't considered that. I need to find out if that's offered with MS accounts.
red assassin wrote: ↑Wed, 29. Apr 20, 16:02
Also, some email accounts offer a feature that allows you to make distinct email addresses: e.g. on GMail, you can add "+whatever" to your email address, as in "johnsmith+amazon@gmail.com" if your account is "johnsmith@gmail.com". This allows you to associate an email you're receiving with where the sender got your email address from, which can often be quite illuminating.
Re: How did they do it? (Hacked)
Yeah, this is why the passwords you see in these e-mails are generally old ones. In a lot of cases people have been using the same passwords forever so they get caught out. Of course, there may be other clues that the mail is a fake--in my case it tells me they've been recording me doing naughty things through my webcam, but I don't have one on my home computer and never have had one!
red assassin wrote: ↑Wed, 29. Apr 20, 16:02
Those emails started appearing a few years ago after a particularly big password leak. Pretty easy to just trawl the internet for big password leaks, crack whatever passwords you can if they're salted, and then email everybody whose password you have a threatening message about hacking them.
- red assassin
Re: How did they do it? (Hacked)
Outlook.com accepts the same + syntax as GMail. Easy enough to test, anyway!
Re: How did they do it? (Hacked)
Well, I'll be damned. It does indeed work. I love it. I have some account changes to make. Learn something new every day! ty sir!
red assassin wrote: ↑Wed, 29. Apr 20, 16:22
Outlook.com accepts the same + syntax as GMail. Easy enough to test, anyway!
Re: How did they do it? (Hacked)
Odd, I just tested sending an e-mail to my work e-mail address (which is an Office 365 one) with that + thing on it, and it didn't work--got rejected due to the e-mail not existing. Guessing they only enable this feature for actual @outlook.com e-mail addresses.
red assassin wrote: ↑Wed, 29. Apr 20, 16:22
Outlook.com accepts the same + syntax as GMail. Easy enough to test, anyway!
Re: How did they do it? (Hacked)
That's simply awesome. I need to send you many, many dollars. Thank you!
red assassin wrote: ↑Wed, 29. Apr 20, 16:22
Outlook.com accepts the same + syntax as GMail. Easy enough to test, anyway!
Re: How did they do it? (Hacked)
I would bet that the enterprise accounts don't have that enabled. I could see that as something the admins would not want enabled (if it's an option), especially if they have a spam/AV filter before the emails hit the mail server. But it def works for personal accounts.
pjknibbs wrote: ↑Wed, 29. Apr 20, 16:53
Odd, I just tested sending an e-mail to my work e-mail address (which is an Office 365 one) with that + thing on it, and it didn't work--got rejected due to the e-mail not existing. Guessing they only enable this feature for actual @outlook.com e-mail addresses.
red assassin wrote: ↑Wed, 29. Apr 20, 16:22
Outlook.com accepts the same + syntax as GMail. Easy enough to test, anyway!
Re: How did they do it? (Hacked)
I think it's more basic than you give them credit for. 100k leaked email/passwords? Send out those emails with part password (rest starred out). Then take some guesses and leave the targets to self identify (common porn site, most laptops have webcams built in etc).
RegisterMe wrote: ↑Wed, 29. Apr 20, 14:18
I talked her through it. She was adamant that she hadn't looked at the claimed porn sites. This was enough for me to say "there's a lot of bluff in this and that undermines the rest of the threat. Change all your passwords on everything and either ignore it or tell them where to get off, and report it to the police".
But if she'd been vulnerable in some way, and without access to somebody reasonably tech savvy, and had looked at whatever porn sites... it might have felt very threatening indeed.
It was, in effect, a reasonably sophisticated social engineering attempt.
Now you just need a percentage to fall for it as they've kept it secret or think it's something to be humiliated over. Personally, I worked on the principle if you refuse to be embarrassed then hard to get blackmailed. No shame here
- red assassin
Re: How did they do it? (Hacked)
Be aware that this is a fairly well-known trick and spammers may strip the +whatever off, replace it with something else, etc etc, so it's not reliable by any means, but it is often useful. (At least for telling you who to blame for losing your details!)