000webhost 站台, 2015年3月,資料外洩...

tinyding

昨天收到一封信 ... 這已經是同一個站台(000webhost)的外洩事件, 第二封跟我要錢的信( 第一封大約在 2019年9月26日左右. 真巧! 每年來一次? ... ) , 價錢還加了一些 ...



以下是信件內容 ... 若是有看到 "xxxx" 字眼的標記, 代表我已經更改過了 ... :

1. 
   
2. I know key-password-xxxx is one of your password on day of hack..
   
3. Lets get directly to the point.
   
4. Not one person has paid me to check about you.
   
5. 
   
6. 
   
7. You do not know me and you're probably thinking why you are getting this email?
   
8. 
   
9. in fact, i actually placed a malware on the adult vids (adult porn) website and you know what, you visited this site to experience fun (you know what i mean).
   
10. 
    
11. 
    
12. When you were viewing videos, your browser started out operating as a RDP having a key logger which provided me with accessibility to your display and web cam.
    
13. 
    
14. immediately after that, my malware obtained every one of your contacts from your Messenger, FB, as well as email account.
    
15. 
    
16. after that i created a double-screen video. 1st part shows the video you were viewing (you have a nice taste omg), and 2nd part displays the recording of your cam, and its you.
    
17. 
    
18. Best solution would be to pay me $1049.
    
19. 
    
20. 
    
21. We are going to refer to it as a donation. in this situation, i most certainly will without delay remove your video.
    
22. 
    
23. 
    
24. 
    
25. My -BTC -address: BitCoin-key-xxxxxxxxxxxxxxxxxxxxxx
    
26. [case SeNSiTiVe, copy & paste it]
    
27. 
    
28. 
    
29. You could go on your life like this never happened and you will not ever hear back again from me.
    
30. 
    
31. 
    
32. You'll make the payment via Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).
    
33. if you are planning on going to the law, surely, this e-mail can not be traced back to me, because it's hacked too.
    
34. 
    
35. 
    
36. I have taken care of my actions. i am not looking to ask you for a lot, i simply want to be paid.
    
37. 
    
38. 
    
39. if i do not receive the bitcoin;, i definitely will send out your video recording to all of your contacts including friends and family, co-workers, and so on.
    
40. 
    
41. Nevertheless, if i do get paid, i will destroy the recording immediately.
    
42. 
    
43. 
    
44. If you need proof, reply with Yeah then i will send out your video recording to your 8 friends.
    
45. 
    
46. 
    
47. it's a nonnegotiable offer and thus please don't waste mine time & yours by replying to this message.
    

複製代碼

以下所截取的部份資料, 是 Bitwarden站台提供給付費會員所查到的 ... :

1. 
   
2. 000webhost
   
3. In approximately March 2015, the free web hosting provider 000webhost suffered a major data breach that exposed almost 15 million customer records. The data was sold and traded before 000webhost was alerted in October. The breach included names, email addresses and plain text passwords.
   
4. 
   
5. 遭洩漏的資料:
   
6. 
   
7. Email addresses
   
8. IP addresses
   
9. Names
   
10. Passwords
    
11. 
    
12. 
    
13. ======
    
14. 網站
    
15. 000webhost.com
    
16. 受影響的使用者
    
17. 14,936,670
    
18. 已發生外洩
    
19. 2015年3月1日
    
20. 已回報外洩
    
21. 2015年10月27日
    
22. 
    
23. 
    

複製代碼

要查你的電子郵件信箱是否是在一些已公開站台的外洩報告名單中 ... 請查詢底下的站台 ... :
https://haveibeenpwned.com


最後, 在網路上大家還是要注意一下資訊安全!

tinyding

第一封信如下, 同樣若是有看到 "xxxx" 字眼的標記, 代表我已經更改過了 ... :

1. 
   
2. Hi!
   
3. 
   
4. I am a hacker who has access to your operating system.
   
5. This means that I have full access to your account: At the time of hacking your account(xxxx@mail.com) had this password: key-password-xxxx
   
6. 
   
7. You can say: this is my, but old password!
   
8. Or: I can change my password at any time!
   
9. 
   
10. Of course! You will be right,
    
11. but the fact is that when you change the password, my malicious code every time saved a new one!
    
12. 
    
13. I've been watching you for a few months now.
    
14. But the fact is that you were infected with malware through an adult site that you visited.
    
15. 
    
16. If you are not familiar with this, I will explain.
    
17. Trojan Virus gives me full access and control over a computer or other device.
    
18. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
    
19. 
    
20. I also have access to all your contacts and all your correspondence from e-mail and messangers.
    
21. 
    
22. Why your antivirus did not detect my malware?
    
23. Answer: My malware uses the driver, I update its signatures every 5 hours so that your antivirus is silent.
    
24. 
    
25. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
    
26. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
    
27. 
    
28. If you want to prevent this, transfer the amount of $758 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").
    
29. 
    
30. My bitcoin address (BTC Wallet) is: BitCoin-key-xxxxxxxxxxxxxxxxxxxxxx
    
31. 
    
32. After receiving the payment, I will delete the video and you will never hear me again.
    
33. I give you 48 hours to pay.
    
34. I have a notice reading this letter, and the timer will work when you see this letter.
    
35. 
    
36. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
    
37. I do not make any mistakes.
    
38. 
    
39. If I find that you have shared this message with someone else, the video will be immediately distributed.
    
40. Bye!
    

複製代碼

寄件者竟然是我自己! 但前面有標示了"紅色問號", 如圖所示 :




底下截錄了一段"紅色問號"所代表的可能狀況之一 ... :

====
檢查 Gmail 郵件是否通過驗證

如果寄件者名稱旁邊顯示問號，表示該郵件未通過驗證。也就是說，Gmail 無法確認寄件者的真實身分。在這種情況下，當你回覆郵件或下載當中的附件時，請務必謹慎小心。

==========

Sirius

看來像是勤索者以000webhost的外洩事件，試著恐嚇外洩者付款給他。

如果碰到像我這種gmail信箱裡的通訊錄沒幾個人，通訊的電話號碼也只留黑名單的號碼（如果通訊錄被洩漏，有人想打推銷或詐騙電話給他們也無妨），若真要寄什麼毛片就隨他去。最好在通訊錄中加幾個像NSA的信箱，他們若收到信也許還可以順便查查是誰幹的好事。

很早以前就有廣告寄信軟體可以假冒寄件者寄信，包含收件人本身，即自己寄給自己。

使用網路服務，有時真要擔心服務提供者對安全性不用心，我以前曾收到steam（網路遊戲商）的登入通知，問題是我不曾在steam申請帳號，也就是我是“被”註冊的，別人用我的信箱在steam註冊個帳號。我第一回向steam客服反映這件，並要求客服通知IT安全部門重新審查註冊的程序，並刪除此帳號，對方竟只回覆說是別人用我信箱註冊，沒做任何處理。幾個月之後，再次收到登入通知，這回把通知中的內容，即登入的IP在美國，再次通知客服，並再次說明我不曾在steam註冊過任何帳號。這第二回回覆是，他們處理好這帳號，以後我絕不會再收到這種通知。大概再過了半年，我又收到類似的登入通知。這回我不再通知客服，直接取得這帳號，並把帳號刪了。刪帳號要等一個月後才正式生效。

另一個讓我覺得相當可笑的網站是蝦皮，懶得講了，客服沒鳥用。

tinyding

Sirius 發表於 20-9-28 17:04
看來像是勤索者以000webhost的外洩事件，試著恐嚇外洩者付款給他。

如果碰到像我這種gmail信箱裡的通訊錄 ...

我收到的這兩封信, 內容提及的"密碼"都是一樣的 ... 但那"密碼"我早在收到第一封信後沒多久, 我就己經去站台(000webhost)更換過了 ...


這兩封信的寄件者, 在信箱中, Gmail 都是標示為"紅色問號", 所以, 應該都不是原始寄件者的電子郵件信箱號碼 ... 若是哪天我收到"自己寄給自己"的勒索信件, 但 Gmail 並沒有標示為"紅色問號", 那我就要懷疑我的某個系統(筆電或手機)已經被入侵了! ...




現在有一些站台有提供 2FA 登入驗證功能, 更好一些則是提供 FIDO U2F ... 所以, 往後單靠密碼可能還進不了站台 ...

Sirius

郵件中會記錄原始發信的IP，Gmail若發現這發信的IP不是正當的郵件服務器就大概可以斷定是假冒的信件，就會特別標示出來。他們寄這種信若不是利用代理服務器，不然就是用被他們拿下的跳板機器，所以很難追查實際的發信人。不過夜路走多了早晚會遇到鬼，前一陣子就看到個新聞報導某個黑客集團犯案多年後終於落網，而原本他們一直沒被發現，直到這兩年才露了馬腳。這些人空有好本事卻不走正路，也不知及早金盆洗手，被抓也是遲早的事。

我也覺得以後若只單靠密碼，安全性會不足，在2000年左右使用8個英數字元組成的密碼安全性還算可以，隨著硬體計算能力越強大，被暴力破解的機率已很高。一般人大概也很難習慣使用12字元以上的密碼吧，所以也難免要採用其他種安全機制了。

tinyding

Sirius 發表於 20-9-29 19:47
郵件中會記錄原始發信的IP，Gmail若發現這發信的IP不是正當的郵件服務器就大概可以斷定是假冒的信件，就會 ...

經過幾個跳板之後, 可能就不太容易追查了 ...

剩下 BitCoin 的 Key ... 但這個是不是同樣的沒有線索? ...

身處於網路世界, 還是要多多小心 ... 防火牆、防毒軟體、資料備份等, 該做的事還是要做, 防患於未然 ...

期許自己在做了那麼多努力之後, 有一天碰到"災難"來臨之際, 能讓損失變得少一些 ...

Sirius

的確，他們會用多重跳板讓追查難度增高，查到的機器其實也是被害者。

我對BitCoin沒太多研究，印象中那個Key並無實際身分識別的作用，只是像銀行帳號的編號而已。除非他自己神經大條在某處網頁上誇耀自己的豐功偉業，並把Key公佈在上面而暴露自己行蹤。像這種犯案後還高調炫耀而被捕的案例還真看過。

我自己也是習慣儘量避免使用沒必要的網路服務，手機不亂裝APP，通訊軟體也只用Telegram，儘可能減少給人有機可趁的機會。資料備份是免不了的。在Windows上有使用防火牆，防毒軟體則是有數年沒用了，以前是因為嫌防毒軟體越來越肥大，機器跑的有點吃力，後來習慣了就乾脆不再裝了，養成良好的習慣可能比用什麼防毒軟體更有用，不用來路不明的軟體，瀏覽陌生網頁時若覺得有問題（瀏覽器有裝Web of Trust元件與NoScript），寧可不看……。另一方面則是因為多數時間用Linux，較不擔心Windows的病毒。