Thursday, July 4, 2024

Cybersecurity: No, your email was (probably) NOT hacked, it's (probably) just spam

Over in the subreddit /r/cybersecurityhelp we get one of these daily. This is NOT an exact copy, but the sentiments are the same. 
Help! I got an email sent from my own email address, and it shows my password! It claims he has tracked me, and if I don't send him Bitcoins he'll hack me and ruin me!

This is unlikely to be real. It is psychological manipulation: two simple tricks combined to make you think the sender is more powerful than he actually is.

In other words, it's a case of 2+2=5. 


Sent from my own email address... No! 

While the email may indeed show "from" as your own email address, it was NOT sent by you. No one hacked your email account and used it to send a message to yourself.

What really happened is that the "From" address was set to YOUR email address instead of the sender's own.

Do you still remember paper letters? You write your own name and address in the upper left-hand corner of the envelope.

There's nothing stopping you from writing someone else's name and address, is there? Same thing with email. 

Yes, you can say "that's dumb". But remember that email was invented in the 1960s, and the current standard, SMTP, was invented in the 1980s and extended as ESMTP in 1995. Authentication (i.e. checking that the sender matches the FROM address) was not part of the protocol until SMTP AUTH (included in ESMTP) became popular in the 1990s. Adoption of ESMTP is not universal, however, and most email servers do not require it.

Please keep in mind that an email transits the Internet from one SMTP server to another until it reaches its destination, and each server adds a delivery header to the message along the way. Any email (including spam) can therefore be traced back. Most email clients hide these headers because they are of no use to the end user... until you want to track the true origin of a message. But that is a completely different topic.
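As an added illustration (not from the original post), here is a small Python script that walks those delivery headers in a constructed sample message, lists the hops earliest-first, and checks whether the host that first handed the message in belongs to the domain the From header claims. All addresses and hosts in the sample are made up.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample (all addresses and hosts are made up): From: claims the
# recipient's own address, but the message entered her provider (mx.example.net)
# from an unrelated host.
RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.net with ESMTPS id abc123
\tfor <alice@example.net>; Thu, 4 Jul 2024 10:00:01 +0000
Received: from ip-198-51-100-77.example.org ([198.51.100.77])
\tby mx.example.net with SMTP; Thu, 4 Jul 2024 10:00:00 +0000
From: alice@example.net
To: alice@example.net
Subject: I know your password

I have been watching you...
"""

# "from <host> ..." at the start of a Received: header names the host that handed
# the message over to the server that wrote the header.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def delivery_chain(raw: bytes) -> list[str]:
    """Handing-off host of each Received: header, earliest hop first (each
    server prepends its own header, so the last one is the entry point)."""
    hops = []
    for value in reversed(message_from_bytes(raw).get_all("Received", [])):
        m = RECEIVED_FROM.match(" ".join(value.split()))  # unfold continuation lines
        hops.append(m.group(1) if m else "<unparseable>")
    return hops


def assess(raw: bytes) -> dict:
    """Check whether the first hop belongs to the domain the From: header claims."""
    claimed = parseaddr(message_from_bytes(raw).get("From", ""))[1]
    domain = claimed.rpartition("@")[2].lower()
    hops = delivery_chain(raw)
    entry_host = hops[0] if hops else ""
    return {
        "claimed_from": claimed,
        "hops": hops,
        "entry_host": entry_host,
        # A spoofed From: usually fails this; a message you really sent
        # through your own provider would normally pass it.
        "entry_matches_from": bool(domain) and entry_host.lower().endswith(domain),
    }
```

For a real message, paste the full raw headers (most clients offer "show original" or "view source") into RAW_MESSAGE; the earliest hop is where the message actually came from, whatever the From line says.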

So that email that says it is from your own email address? It was (probably) NOT sent by you. Someone merely put your email address in the "From" field.

What about my password? How did he know about that?

That's actually pretty simple: websites get hacked, their data leaks, and the data ends up on the Dark Web. Such leaks contain all sorts of information, from simple email / password pairs to full profiles and possibly more, depending on where the data came from.

Some security researchers and good Samaritans collated those Dark Web leaks and created the website haveibeenpwned.com, where you can enter your email address and see whether any data associated with it was on the Dark Web, and which leak it came from.

Back to the email... The sender simply took the data (the password, in this case) from a Dark Web leak associated with your email address.

Add the two together, and it is scary to the average citizen.

So what do I do? 

Short answer is: nothing. It's just spam. Mark it as spam in your email client. Done. 

You can change all your passwords "just in case". You should do that every 3-6 months anyway. 

Here's the longer explanation: 

You initially panicked, believing the sender of that warning message is a powerful hacker (because he claimed to be) who not only hacked your email inbox to send you a message from it, but also, demonstrably, knows your password.

But as I've explained above, your email inbox was NOT hacked, and the password came from a public leak list. 

The spammer wanted to scare you into believing 2+2=5.  But the real answer is 4. 

The "warning" or "threat" is just spam email. Indeed, the spammer probably got a whole LIST of email / password pairs (hundreds? thousands?) and sent the same message (customized with the matching email address and password, in a simple procedure known as templated mail merge) to EVERYBODY on the list. It cost them almost nothing, and someone may be scared enough to send them Bitcoins for real.

So again, mark it as spam in your email client. Done. Change your passwords if you want to.

Takeaway: Don't believe what a random email tells you, especially one that wants you to pay.
