
This criminal has access to my personal data - and I don't know who has been hacked.

Nigel Morris-Co...

We all get the scams telling us that a criminal has our data. Many of us get scams saying that the criminals have details of access to pornographic websites and, even, footage taken from cameras on our desktop or laptop machines. Usually, we are told that we are being blackmailed and ordered to pay a sum, via bitcoin, to a specified wallet, 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk. This wallet should, obviously, be disabled with immediate effect.

What is clear is that they are simple mass mail-outs in the usual style of e-mail fraud.

The example I received today is different. I know it is different because it contains information that can only have been obtained as a result of a data leak at a third party's web site. It is definitely not from here. The criminal has quoted one of my e-mail addresses and a password which matches a formula I use when required to register at a third party's website. That password is not recorded here (the formula allows me to recreate it on the fly when I need it and I don't need to remember passwords used in this way).

However, the formula produces a variation in the passwords which is both a check-character and, by applying a reverse formula, tells me which website it relates to. Interestingly, the example used by the criminal omits the check-character without which I cannot use the reverse formula and, therefore, cannot identify what website has been compromised.

There is no doubt in my mind that the criminal has obtained this information as a result of a data breach at a website I have used at some time in the past five or so years since I adopted the formula.

The criminal is demanding USD700 to the following bitcoin wallet:


The material they say they have does not and cannot exist. First, it has never been originated and secondly there is no webcam connected to any of my computers. Furthermore, the only PC that I have used in that period has multiple levels of security and runs multiple daily scans. In fact, the mail itself contains a virus.

The fact is that the criminal is almost certainly not the one who obtained the information: it is likely that it is in one of the many databases of leaked information that are available for a few dollars, if you know where to look. However, someone, somewhere, has obtained that data.


Now I have access to you accounts!

For example, your password for [genuine e-mail address] is [accurate data]

Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we've created, through an adult website you've visited.

So far, we have access to your messages, social media accounts, and messengers.

Moreover, we've gotten full damps of these data.

We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!

I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $700 to our Bitcoin wallet: 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk

If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.

I guarantee that after that, we'll erase all your "data" :D

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.

If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security. We hope this case will teach you to keep secrets.

Take care of yourself.


As with so many frauds, the mail originated via Microsoft Outlook. The claim to have sent from that specific e-mail account is false: indeed, the e-mail account password, for access and for sending, does not follow the formula. The fraudulent mail has, in fact, been generated at a server with an address in Vietnam.

The sender has control of the server from which he operates: the outgoing mail time is "Date: 29 Sep 2018 01:25:58 +0600". However, the delivery time is "Fri, 28 Sep 2018 14:04:02 +0100" (i.e. British Summer Time). The outgoing time stamp does not help with identifying the time zone from which it was sent.

However, the spam originated from which is identified by Spamhaus as a known distributor of spam.

That server is registered to Viet Nam Hanoi Vietnam Posts And Telecommunications Group of No 57, Huynh Thuc Khang Street, Lang Ha ward, Dong Da district, Ha Noi

See http://whois.domaintools.com/1...

The original mail was not downloaded from the mail server and has been deleted for reasons of security.

I know there are places to report bitcoin, etc., wallets named in fraud attempts but they are difficult to locate. If any reader is aware of the correct reporting place(s) please feel free to report the above wallet.

The address concerned is recorded at https://haveibeenpwned.com/ as having been found on four breached sites (Adobe, MySpace, plus two databases that do not specify their source). Neither of the two named sites has any current data nor any financial or personal data other than registration information.

I suspect that the original breach was at Adobe: when I used the credentials as in the mail, I was directed to an instruction to change my password. It did not say that the password I used was incorrect. It is several years since I last logged onto the Adobe website and it is likely that it predates the use of the formula in its current form, which would explain the missing check character. The MySpace account is so old, it does not use the formula. This account is not, therefore, the account from which the information was obtained.

The header information is below.


Return-Path: <[genuine e-mail address spoofed]>

Received: from [our mail server]

by [our mail host] with LMTP id SNZjBcImrlv0EwIAFYi9Gw

; Fri, 28 Sep 2018 14:04:02 +0100

Received: [our mail server]

by [the mail server for that domain] with LMTP id sEnKBMImrlvWBwAA+1ODFA

; Fri, 28 Sep 2018 14:04:02 +0100

Delivery-date: Fri, 28 Sep 2018 14:04:02 +0100

Received: from [] (helo=static.vnpt.vn)

by [our mail server] with esmtp (Exim)

(envelope-from <[genuine address]>)

id 1g5sR7-000U9X-Qc

for [genuine address]; Fri, 28 Sep 2018 14:04:02 +0100

From: <[genuine address]>

To: "[name]" <[genuine address]>

Date: 29 Sep 2018 01:25:58 +0600

Message-ID: <005001d45766$054050f5$e7bd3abd$@[domain]>

MIME-Version: 1.0

Content-Type: text/plain;


Content-Transfer-Encoding: 8bit

X-Mailer: Microsoft Office Outlook 11

Thread-Index: Acgm9r7x751yrhexgm9r7x751yrhex==

X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7601.17514

X-Virus: yes; detected as Sanesecurity.Junk.57689.UNOFFICIAL

X-Spam-Score: 20.0

X-Spam-Report: Flagged internally by mail system

X-Actual-Recipient: [genuine address]

X-Original-To: [genuine address]

Subject: Your Account Was Hacked! (Contains malware Sanesecurity.Junk.57689.UNOFFICIAL)
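The comparison of the sender-supplied Date header with the delivery timestamp, together with the forged "from your own address" check, can be automated. The following is an added example, not part of the original article or of the mail system it describes; `user@example.org` and `mx.example.org` are constructed placeholders for the redacted values, and it assumes the oldest Received line was written by the recipient's own border server.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: the article's header lines, with redacted values replaced
# by placeholders (user@example.org, mx.example.org) and a dummy body.
SAMPLE = """\
Return-Path: <user@example.org>
Received: from [] (helo=static.vnpt.vn)
    by mx.example.org with esmtp (Exim)
    (envelope-from <user@example.org>)
    id 1g5sR7-000U9X-Qc
    for user@example.org; Fri, 28 Sep 2018 14:04:02 +0100
From: <user@example.org>
To: "Name" <user@example.org>
Date: 29 Sep 2018 01:25:58 +0600
X-Mailer: Microsoft Office Outlook 11
Subject: Your Account Was Hacked!

(body omitted)
"""


def triage(raw, max_skew=timedelta(minutes=15)):
    """Return the Date/Received skew and the header findings for one message."""
    msg = message_from_string(raw)
    # Assumption: the oldest Received line was written by the recipient's own
    # border server, so its timestamp is one the sender could not choose.
    hop = msg.get_all("Received")[-1]
    received_at = parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    claimed_at = parsedate_to_datetime(msg["Date"])  # sender-supplied
    skew = claimed_at - received_at  # both are offset-aware, so zones cancel
    sender = parseaddr(msg["From"])[1].lower()
    rcpt = parseaddr(msg["To"])[1].lower()
    helo = re.search(r"helo=([^\s)]+)", hop)
    findings = []
    if abs(skew) > max_skew:
        findings.append("date-skew")
    # "Sent from your own account" while the relay's HELO name lies outside
    # the domain: the From line is forged, not proof of account compromise.
    if sender == rcpt and helo:
        if not helo.group(1).lower().endswith(sender.rpartition("@")[2]):
            findings.append("self-addressed-via-external-relay")
    return {"skew_seconds": int(skew.total_seconds()), "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample, the Date header is more than six hours ahead of the moment the receiving server accepted the message, which is why it says nothing reliable about the sender's time zone.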

