---
title: "What to do about those “You’ve been hacked! Pay me Bitcoin” email spams"
type: "post"
post_id: "17074"
slug: "what-to-do-about-those-youve-been-hacked-pay-me-bitcoin-email-spams"
canonical: "https://easydns.com/blog/2018/10/19/what-to-do-about-those-youve-been-hacked-pay-me-bitcoin-email-spams/"
markdown_url: "https://easydns.com/blog/2018/10/19/what-to-do-about-those-youve-been-hacked-pay-me-bitcoin-email-spams.md"
json_url: "https://easydns.com/blog/2018/10/19/what-to-do-about-those-youve-been-hacked-pay-me-bitcoin-email-spams.json"
txt_url: "https://easydns.com/blog/2018/10/19/what-to-do-about-those-youve-been-hacked-pay-me-bitcoin-email-spams.txt"
published: "2018-10-19T14:51:47+00:00"
modified: "2024-11-13T15:49:03+00:00"
author: "Mark E. Jeftovic"
categories:
  - "Tips and Tricks"
tags:
  - "canary emails"
  - "darknet"
  - "easybackup"
  - "email spam"
  - "fake ransomware"
  - "ransomware"
site_name: "easyDNS"
publisher: ""
language: "en-US"
generator: "easyPress Markdown"
generator_version: "1.0.3"
---
![What to do about those "You've been hacked! Pay me Bitcoin" email spams](https://easydns.com/wp-content/uploads/2018/10/shutterstock_280363592-e1539959403250.jpg)

We originally reported on this [back in #AxisOfEasy 58](https://easydns.com/blog/2018/07/16/axisofeasy-this-is-how-google-will-collapse/), it’s the phenomenon of getting an email spam wherein the mailer claims to have hacked or compromised your computer, and will (pick one).

- encrypt or corrupt your computers, files or data
- spread embarrassing or compromising information about you to your contacts
- release an unflattering video ostensibly taken via your computer camera

Since about a week ago there has been a noticeably large spike in the volume of these spams. I’m personally getting around a half-dozen per day, and clients are getting them and emailing us asking what to do about it.

Most of these emails send you one of your passwords that you may have really used previously (or God forbid, are *still* using somewhere) as “proof” of their claim to have utterly owned your computer.

![What to do about those "You've been hacked! Pay me Bitcoin" email spams](https://easydns.com/wp-content/uploads/2018/10/Screen-Shot-2018-10-18-at-8.44.18-PM-e1539909953424.png)

(Fake ransomware spam sent to an address of my old band’s email robot. The old password “markmark” I would have never chosen. My guess is the bass player set that up.)

How They Do It
--------------

So how do these guys know your password, or one of your old passwords, if the claim that they’ve hacked your computer is just a bluff?

Some vendors store passwords in clear text. It’s a major security #fail to do so, but a lot of companies do it anyway. Alternatively, there’s a lot of old, decrepit sites that *used* to do it, but are still online and vulnerable.

Those vendors and old websites get hacked, and then those login creds get distributed, aggregated and otherwise passed around. There is a thriving market for these on the darkweb. (The chatter within a security list I’m on posits that most of these are being [culled from a LinkedIn breach](http://fortune.com/2016/05/18/linkedin-data-breach-email-password/), also noting that many of the recipients are unaware that there even *was* a LinkedIn breach…although I’m getting lots to addresses that don’t even have LinkedIn accounts.)

easyDNS maintains our own database of around a couple billion credentials, as do other security types, and we periodically check our member accounts against it and force password resets on anything that hits. You can also sign up at a place like [HaveIBeenPwned](https://haveibeenpwned.com) and they will email you when your email comes up in a new breach (it’s free).
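The check described above (test a credential against a breach corpus and force a reset on a hit) can be done without ever sending the password itself. The Python below is an added example, not easyDNS code: it uses the k-anonymity scheme of the Pwned Passwords range lookup (the client sends only the first five hex characters of the SHA-1 and compares suffixes locally). The range response, the counts, the breached-address list and the account/password pairs are all constructed inline so that it runs offline; a real deployment would fetch the range over HTTPS instead.

```python
import hashlib
from typing import Dict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of a password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords "range" service. The real
# service answers GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# with one "<35-hex-suffix>:<count>" line per known hash in that range.
# Only the prefix leaves the client, so the service never learns the
# password. The counts and the filler suffixes below are invented.
_LEAKED_PASSWORD = "markmark"          # the old password quoted in the spam above
_PREFIX = sha1_hex(_LEAKED_PASSWORD)[:5]
SAMPLE_RANGES: Dict[str, str] = {
    _PREFIX: "\r\n".join([
        hashlib.sha1(b"filler-a").hexdigest().upper()[5:] + ":3",
        sha1_hex(_LEAKED_PASSWORD)[5:] + ":1457",
        hashlib.sha1(b"filler-b").hexdigest().upper()[5:] + ":12",
    ]),
}

# Constructed local corpus of addresses seen in credential dumps
# (a "couple billion credentials" database reduced to two rows).
BREACHED_EMAILS = {
    "bassplayer@example.org",
    "alice@example.com",
}


def fetch_range(prefix: str) -> str:
    """Serve the range body from the constructed sample (offline stand-in
    for the HTTPS GET)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus; 0 if never.

    Only the first five hex characters of the SHA-1 are looked up; the
    35-character suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_login(email: str, password: str) -> Dict[str, object]:
    """Decide whether an account needs a forced reset or just a notice.

    Meant to run at login or password-change time, the only moments a
    server legitimately holds the cleartext password.
    """
    count = breach_count(password)
    email_seen = email.strip().lower() in BREACHED_EMAILS
    return {
        "password_breached": count,
        "email_in_dump": email_seen,
        # A breached password is a hard stop, whichever dump it came from.
        "force_reset": count > 0,
        # An address seen in a dump with a clean password still merits a warning.
        "notify": email_seen and count == 0,
    }


if __name__ == "__main__":
    for who, pw in [("bassplayer@example.org", "markmark"),
                    ("alice@example.com", "long unique passphrase 8Kq2"),
                    ("carol@example.net", "another unique passphrase")]:
        print(who, check_login(who, pw))
```

The split between `force_reset` and `notify` matters in practice: a password that appears in any dump is unsafe for that account immediately, while an address that merely appears in a dump tells you the user has a leaked credential *somewhere* and deserves the HaveIBeenPwned-style notice rather than a lockout.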

How To Tell If It’s a Real Ransomware Attack
--------------------------------------------

If it’s just an email in your inbox quoting an old password, it’s spam and almost certainly a bluff. Don’t fall for it. Some people are falling for it: I randomly [picked a Bitcoin address](https://www.blockchain.com/btc/address/1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq) from these emails and can see that it’s had 25 transactions totalling over 1.6 BTC, currently over $13,000 CAD.

![Bitcoin Address](https://easydns.com/wp-content/uploads/2018/10/Screen-Shot-2018-10-18-at-9.36.45-PM-e1539913227935.png)
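The bluff has a recognisable shape (a quoted old password, a threat about your camera or contacts, a Bitcoin address and a deadline), which makes it easy to triage in a mail filter before anyone reads it. The Python below is an added example, not part of the original post or any easyDNS product: it scores a raw message on those features and extracts the payment address so it can be reported or blocklisted. Both sample messages are constructed; the address in the first one is the one the post links to above, and the phrase list and the three-hit threshold are this example's own choices.

```python
import re
from typing import Dict

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)

# Phrases that recur in the bluff described above; each hit adds one point.
THREAT_PHRASES = [
    "your password", "hacked", "malware", "webcam", "camera",
    "video", "contacts", "bitcoin", "hours", "pay",
]


def triage(raw_message: str) -> Dict[str, object]:
    """Score a message for the "I hacked you, pay Bitcoin" pattern.

    Verdict is "extortion-bluff" when a payment address is present and at
    least three threat phrases appear; otherwise "unclassified". Addresses
    are returned (deduplicated) for reporting or blocklisting.
    """
    text = raw_message.lower()
    addresses = sorted(set(BTC_ADDRESS.findall(raw_message)))
    hits = [p for p in THREAT_PHRASES if p in text]
    bluff = bool(addresses) and len(hits) >= 3
    return {
        "verdict": "extortion-bluff" if bluff else "unclassified",
        "btc_addresses": addresses,
        "threat_phrases": hits,
    }


# Constructed sample: the bluff as it typically reads.
SAMPLE_BLUFF = """Subject: markmark
To: markjr+hairclub4men@example.net

I know markmark is your password. I put malware on your computer and
recorded a video of you through your webcam. Send 0.3 bitcoin to
1MN7A7QqQaAVoxV4zdjdrnEHXmjhzcQ4Bq within 48 hours or the video goes
to all your contacts.
"""

# Constructed sample: an ordinary vendor notice to the same address.
SAMPLE_LEGIT = """Subject: Your statement is ready
To: markjr+hairclub4men@example.net

Your monthly statement is now available in the customer portal.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BLUFF, SAMPLE_LEGIT):
        print(triage(sample))
```

Because a real ransomware infection announces itself with a lock screen rather than an email, anything this filter flags can be treated as a bluff: the only action it should trigger is "change that password wherever it is still in use".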

In a real ransomware attack you typically don’t learn about it via a message in your email. You realize something is up when you can’t access anything on your computer and you’re locked out with a ransomware demand screen:

![Ransomware](https://easydns.com/wp-content/uploads/2018/10/stf-cryptodevil-ransomware-virus-crypto-devil-ransom-message-note-window-e1539913680522.png)

Protecting Yourself from Both Fake and Real Attacks
---------------------------------------------------

In the case of the ***fake*** email spam bluff, if they show you a password you still use anywhere, obviously, go change it, everywhere.

You should be [using password managers](https://easydns.com/blog/2015/12/09/you-may-only-be-as-secure-as-your-weakest-vendor/) or some other system that enables you to use complex, unique passwords across every website.

By [using email canaries](http://domainhelp.com/domain-insights-archive/track-your-vendors-and-eliminate-spam-with-canary-domains/), the practice of setting up either a dedicated domain name with a unique email address for every vendor (e.g. hairclub4men@markjr.org) or else unix “+” notation (e.g. markjr+hairclub4men@jeftovic.org), you can tell *which* vendor was compromised from the address the spam was sent to, and you now also know that they’ve been storing their customer passwords in cleartext. (The drawback of the “+” method is that not all online forms accept “+” in email addresses, and not all mail servers handle it properly. easyDNS mail servers and email forwarders handle them as expected.)
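Turning a received spam back into "which vendor leaked this" is a small parsing job once the canary convention is fixed. The Python below is an added example (not the post's or easyDNS's code) that handles both conventions described above: a dedicated canary domain where the local part is the vendor label, and "+" subaddressing on a personal mailbox. The domains and mailbox name are placeholders, and the two spam samples are constructed. It reads `Delivered-To` before `To`, because the receiving server writes the former from the envelope recipient while spammers routinely forge the latter.

```python
import email
import email.utils
import re
from dataclasses import dataclass
from typing import Optional

# Constructed canary layout (placeholder domains, not the author's):
#  - every vendor gets its own local part on a dedicated canary domain, or
#  - one mailbox on the personal domain carries the vendor label after "+".
CANARY_DOMAIN = "canary.example.org"
PLUS_DOMAIN = "example.net"
PLUS_MAILBOX = "markjr"

_ADDR = re.compile(r"^([^@\s]+)@([^@\s]+)$")


@dataclass(frozen=True)
class CanaryHit:
    vendor: str     # label handed to exactly one vendor at signup
    scheme: str     # "dedicated-domain" or "plus-addressing"
    address: str    # the recipient address that matched


def identify_vendor(recipient: str) -> Optional[CanaryHit]:
    """Map a single recipient address back to the vendor it was given to."""
    addr = recipient.strip().lower()   # labels are compared case-insensitively
    m = _ADDR.match(addr)
    if not m:
        return None
    local, domain = m.groups()
    if domain == CANARY_DOMAIN:
        return CanaryHit(local, "dedicated-domain", addr)
    if domain == PLUS_DOMAIN:
        mailbox, plus, tag = local.partition("+")
        if plus and mailbox == PLUS_MAILBOX and tag:
            return CanaryHit(tag, "plus-addressing", addr)
    return None


def vendor_from_message(raw: str) -> Optional[CanaryHit]:
    """Find the canary a message was delivered to.

    Delivered-To is checked first: the receiving server adds it from the
    envelope recipient, whereas the To: header is whatever the sender wrote.
    """
    msg = email.message_from_string(raw)
    for header in ("Delivered-To", "To", "Cc"):
        for _, addr in email.utils.getaddresses(msg.get_all(header, [])):
            hit = identify_vendor(addr)
            if hit:
                return hit
    return None


# Constructed sample spams; only the headers matter here.
SPAM_PLUS = """Delivered-To: markjr+hairclub4men@example.net
To: undisclosed-recipients:;
Subject: markmark

I have your password...
"""

SPAM_DEDICATED = """To: HairClub4Men@canary.example.org
Subject: your account

I have your password...
"""

if __name__ == "__main__":
    for sample in (SPAM_PLUS, SPAM_DEDICATED):
        print(vendor_from_message(sample))
```

The first sample shows why the envelope header matters: its `To:` line carries no usable address at all, so a parser that only looked at `To:` would miss the canary entirely. Feeding the result into a per-vendor log also gives you the date of the first spam, which is usually the closest thing you will get to a breach date from a vendor that stored passwords in cleartext.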

In the case of a ***real*** ransomware file-locked situation, it all comes down to whether or not you have backups, and whether those backups have been locked as well.

If you have no viable backups, you’re pretty well stuck paying the ransom. Once you decrypt your files, chalk it up to the cost of learning your lesson and then right away *go get some backups happening.*

**[easy*Backup*](https://easydns.com/easybackup/)** specifically screens for all major malware and ransomware variants and syncs with all major malware detection. It’s an incremental backup system, so if you get infected you can rewind back to your most recent clean backup, which can itself be encrypted (with *your* keys, not the attacker’s), and restore your files.

Further Reading
---------------

- Learn more about [**easy*Backup***: 256-bit encryption with five tiers of security protection](https://easydns.com/easybackup/)
- [You may only be secure as your weakest vendor](https://easydns.com/blog/2015/12/09/you-may-only-be-as-secure-as-your-weakest-vendor/)
- [Track Your Vendors and Eliminate Spam with Canary Domains](http://domainhelp.com/domain-insights-archive/track-your-vendors-and-eliminate-spam-with-canary-domains/)
