Beware scammers

[tjh290633]

In my first job in 1957, we had a site office which had been given the phone number of a nearby closed railway station. The site engineer got so tired of telling people they had the wrong number, that he bought the Sheffield ABC and just told them the next train time.

I took over from him, but the phone book must have been reissued, as I never had any such calls.

I must have a look in my spam box and see what I am missing.

TJH

[melonfool]

Ah, Vodafone.....my mate did some work for them, many years ago, as a contractor, worth a few hundred pounds. Invoiced, got paid.

About a month later £10k appeared in his bank from Vod, called them explained it wasn't his, sent it back. Same happened the next month, did the same, except he told them that if it happened again he would keep it (half joking). It happened again, he kept it, they never chased him for it and the payments stopped!

Obviously they are not great at admin.

Mel

[Infrasonic]

Ah, Vodafone.....my mate did some work for them, many years ago, as a contractor, worth a few hundred pounds. Invoiced, got paid.

About a month later £10k appeared in his bank from Vod, called them explained it wasn't his, sent it back. Same happened the next month, did the same, except he told them that if it happened again he would keep it (half joking). It happened again, he kept it, they never chased him for it and the payments stopped!

Obviously they are not great at admin.

Mel

You don't still have the BACS details do you?...

[superFoolish]

Yes, this scam is particularly nasty; I believe that there have been suicides because of similar scams.

One variant is where young men are encouraged to perform personal acts on camera. The video is then used to blackmail them.

Total scum.

[melonfool]

And young women.

http://www.dailymail.co.uk/tvshowbiz/ar ... isery.html

https://en.wikipedia.org/wiki/Suicide_of_Amanda_Todd


Mel

[UncleEbenezer]

I was once given a recycled phone number that had previously been some company fax number and the phone rang day and night, with just the high pitched screech when I picked it up.

Mel

My @work extension was once a recycled fax number. Not nice.

I was still relatively fortunate: my fax number was a somewhat-specialist one. My colleague up the corridor had what had previously been the institution's main fax number, with far more traffic. And to make it worse, her role was public-facing, so she expected more calls than me, and really had to take them! I can't remember how long that went on, but it wasn't nice.

[superFoolish]

I just thought I'd mention this, as this kind spam seems to be more common these days:

You receive an email that references a password that you have used somewhere, and the email claims that the sender has hacked your computer to steal your passwords, taken control of your computer, and then recorded your webcam whilst you were, ahem, 'watching' a video on an adult website. They claim that if you do not send them a payment via bitcoin, they will share the video with your contacts.

The bottom line is that this kind of spammer has NOT hacked your computer to steal your passwords, and they don't have any video of you; they have obtained the password from a publicly available list that was hacked from a website by someone else with more skill than them, and are hoping that you will send them money in panic.

Last week, I started receiving such spam, and I recognised the password from a very long time ago; I used to use that password on a few web sites (before I was as security conscious as I am now), so I can't pin down which site they got the password from.

As a matter of interest, I searched my email for the password, and came up with a couple of emails from sites that had sent the password to me in plain text, either when I first signed up, or as a requested password reminder. In both cases, the emails were more than a decade old, which matched my memory of when I stopped using that password. How things have changed for the better in that respect; only clowns send passwords via email these days.

I access every site that I have sign into to these days, with a unique email address and password. For 'important' sites (such as banking, or anything into which I might enter personal information), I use long passwords generated by KeePass and two factor authentication where possible.

For the first time in as long as I can remember, I stopped part way through signing-up to a web service last week, because the password had to be between 6 & 8 characters long, and only contain alphanumeric characters. If their password requirements are that poor, there is no way I am going to trust them with my information; I can just imagine that they store the passwords in a database in plain text, all 'protected' by the same level of password security that they tried to enforce on me.

[superFoolish]

Actually, I've just discovered the most likely culprit; it was a site that admitted to me that they had been hacked about a decade ago. They did not volunteer the breach, but they did admit it once they realised that I had used a unique email address to register with them.

The site is long-gone now!

That was the incident that led me to use the unique password / email address combination from that point onwards, rather than just a unique email address.

I guess the spammers who are using the video-threat technique are trawling old hack-lists.

[jfgw]

Since a webcam doesn't normally face the monitor, how would anyone receiving such a video know you were watching porn?

I have had a similar email (but not containing a password) claiming that they had a webcam video of me masturbating to porn. Since I don't have a webcam connected to my pc., it is highly unlikely that they had a webcam video of me doing anything.

Julian F. G. W.

[mc2fool]

This seems to be about the same scam as this recent topic: viewtopic.php?f=39&t=12853

[Howyoudoin]

Since a webcam doesn't normally face the monitor, how would anyone receiving such a video know you were watching porn?

I'm guessing that most people would be able to tell fairly quickly whether you were watching porn or filing your tax return.


HYD

[Slarti]

Since a webcam doesn't normally face the monitor, how would anyone receiving such a video know you were watching porn?

If they were good enough to hack your camera they could probably also hack the feed to your screen to see what you had on there.

But they're not and they haven't.


There are reports from ITSec people that the Bitcoin wallets have been receiving substantial sums of money, so there are obviously people out there with guilty consciences

Oh, ever since I've had laptops with built in camera and microphone, I have taken physical measures to disable those - masking tape and padding.

Slarti

[UncleEbenezer]

Since a webcam doesn't normally face the monitor, how would anyone receiving such a video know you were watching porn?

Well that at least would be the same as has been bog-standard in teleconferencing for many years. You get multiple views: one is the video (the webcam), another is what's on your screen, or one or more window or application within it.

Regarding the original question, I'll stick to my reply in the other thread.

There are reports from ITSec people that the Bitcoin wallets have been receiving substantial sums of money, so there are obviously people out there with guilty consciences

Your logic there appears to assume the Bitcoin wallets have no other source of income that might account for those receipts.

[Lootman]

For the first time in as long as I can remember, I stopped part way through signing-up to a web service last week, because the password had to be between 6 & 8 characters long, and only contain alphanumeric characters.

For me it would entirely depend on what the web service was. If it was merely to sign up for some newsletter or periodical access then I really don't care whether the password is secure or not, because there is not any downside risk to having that hacked or stolen. This site would be an example - what is the worst that could happen?

It is only with financial accounts where I feel any need to bother with special characters, mixing upper and lower case, not using real words and so on. Such passwords should be kept to a minimum for the simple reason that they cannot be easily recalled and, if I have to write them down, then that is just another form of risk.

[superFoolish]

For the first time in as long as I can remember, I stopped part way through signing-up to a web service last week, because the password had to be between 6 & 8 characters long, and only contain alphanumeric characters.

For me it would entirely depend on what the web service was. If it was merely to sign up for some newsletter or periodical access then I really don't care whether the password is secure or not, because there is not any downside risk to having that hacked or stolen. This site would be an example - what is the worst that could happen?

It is only with financial accounts where I feel any need to bother with special characters, mixing upper and lower case, not using real words and so on. Such passwords should be kept to a minimum for the simple reason that they cannot be easily recalled and, if I have to write them down, then that is just another form of risk.

I agree; but this was a 'loyalty' account set up for me by a hotel that I stayed at. Using my email address, they set up an online account for me, which very kindly included my name, address and mobile number, all 'protected' by a very low security password (that they emailed to me, plain text). Fortunately, I had provided a 'burner' email address, so I replaced all my personal information with fake info, and changed the email address to a fake email address. It was not possible to delete the account.

For 'low risk' web sites, I still use unique passwords, using a pattern based on the website name, so I can easily recall it.

[superFoolish]

Since a webcam doesn't normally face the monitor, how would anyone receiving such a video know you were watching porn?

Julian F. G. W.

If someone takes control of your computer (which they hadn't) they can screen-record at the same time as recording the webcam. It's pretty academic anyway; if one has been doing what they imply, whilst watching such a website, and they had really recorded the webcam, then the result could easily be faked by overlaying the webcam recording on any video that one might find on that kind of website. Actually, they could overlay it onto one that could make you look really bad (i.e. a criminal).

When I am not using my webcam, it points in the air. not that I have anything to hide, but I wouldn't want anyone being able to see anything in my home.

[Infrasonic]

I agree; but this was a 'loyalty' account set up for me by a hotel that I stayed at. Using my email address, they set up an online account for me, which very kindly included my name, address and mobile number, all 'protected' by a very low security password (that they emailed to me, plain text). Fortunately, I had provided a 'burner' email address, so I replaced all my personal information with fake info, and changed the email address to a fake email address. It was not possible to delete the account.

For 'low risk' web sites, I still use unique passwords, using a pattern based on the website name, so I can easily recall it

That's pretty much my MO too.

Currently sensitive logins (banks et al) are all in my head, but as the years advance that is an increasingly risky strategy so I think I'll shift to Keepass and hardware base 2nd factor using a U2F USB/NFC keys as it's at the useable stage now, even if not universal.

The webcam/microphone issue, built in hardware on/off switches are becoming more common now on laptops/tablets and phones, but it could do with going mainstream.

[hiriskpaul]

My daughter received one of those emails the other day on an address I set up for her as a child. She does not use the email address anymore and it came to me. We worked out that the password was used on the neopets web site. She has now logged in and changed it to some gobbledegook.

[Slarti]

There are reports from ITSec people that the Bitcoin wallets have been receiving substantial sums of money, so there are obviously people out there with guilty consciences

Your logic there appears to assume the Bitcoin wallets have no other source of income that might account for those receipts.

Well would you put out a Bitcoin wallet address on a spam blackmail email that you use for anything else?

Slarti

[melonfool]

I keep getting this email but the 'password' they use is no password of mine. I know the rest is untrue as well, but just saying - no idea where they got this 'password' cos I've never used it.

Mel