I received the following email today, addressed to the plain text LiveJournal password I've had for over a decade. If you have or had a LiveJournal account, consider changing your password, and the password of any site which shared a password.
Received: from [126.96.36.199] (unknown [188.8.131.52])
by my.smtp.host (Postfix) with ESMTP id 1336F87C71
for <my-livejournal-address@my-host>; Wed, 10 Oct 2018 18:03:34 +0000 (UTC)
Date: Wed, 10 Oct 2018 19:03:38 +0000
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:184.108.40.206) Gecko/20100608 Thunderbird/3.1
To: "my-livejournal-password" <my-livejournal-address@my-host>
Subject: Security Warning
Content-Type: text/plain; charset=CP-850; format=flowed
I'm a member of an international hacker group.
As you could probably have guessed, your account my-livejournal-address@my-host was hacked, because I sent message you from your account.
Now I have access to all your accounts!
For example, your password for my-livejournal-address@my-host: my-livejournal-password
Within a period from July 30, 2018 to October 9, 2018, you were infected by the virus we've created, through an adult website you've visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.
We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one...
Transfer $800 to our Bitcoin wallet: 1GdegtNpYcvoCPsMmyiSkZARDdAmYuXGXU
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.
I guarantee that after that, we'll erase all your "data" :)
A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.
Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.
A couple notes:
- LiveJournal is the only site I've used this password on. Dreamwidth also has a copy of the password, so that it can crosspost.
- I suspect that this extortion attempt is based on access to a LiveJournal user database or dump (rather than intercepted from a Dreamwidth crosspost request) because it was sent to an email address I only use with LiveJournal, and which I don't think Dreamwidth knows, nor (I think) is it publicly available on the LJ site.
- The sender didn't change my password on LiveJournal and doesn't appear to have performed any vandalism, so I suspect they didn't log in with the compromised password.
- A good indication that sending bitcoin would be a bad idea: the email gives no way to tell the recipient whose "data" to delete.
- Other than the password itself, none of the claims in the email are true. Googling the bitcoin address leads to a report that this scam is going around (it's a variant of one that's about a year old) and a couple dozen reports on bitcoinabuse.com.
- So far, that address has received two transactions, with a total value of about eight dollars… maybe not as lucrative as the scammer had hoped.
So it sounds like LiveJournal's password database was compromised… at some point in the last decade or so. Probably in the last few months, though. If you've got an LJ account, it would be a good idea to change it (and update your DW crosspost settings). If you used the same password on other sites, change those passwords as well (to something different).
I got another email with the username and password of a second LiveJournal account that I created years ago and mostly forgot about. This makes me fairly certain that the scammers are either operating with an exfiltrated LJ user password database or they had an implant in the site many years ago but have only made use of it now. Whoever answered the support ticket I filed to alert about the security incident was fairly dismissive, though. Hopefully someone at LJ will take the breach seriously and at least notify affected users.
The new email content is a little different, and its bitcoin address 1AzdzwWHaJXytimxenzi45JVtY4FsXwLZZ has not yet received any payments
and it's got several abuse reports
. The address on the first email I got has received about 1.12 bitcoin; I guess $7200 is enough of a spam payout to keep a scammer motivated to keep cracking passwords.
Another address, with two messages on October 22nd: 1JTtwbvmM7ymByxPYCByVYCwasjH49J3Vj has received over 4.7 bitcoin
which is over $30,000 at current exchange rates. It's received nearly 300 abuse reports
On October 22nd, the first address, along with 8 others, transferred 1.656 bitcoin (about $10,000) to an intermediate address which transferred it on to an account which now has exactly 5 bitcoin ($3200)
and another which seems to be part of a further web of intermediate accounts. The second address I got a threat from only got 0.376 bitcoin ($2400) with no transactions since the 22nd, and hasn't yet cashed out. Assuming these accounts are all part of the same spam push, over $60k from people who are savvy enough to figure out how to buy and send bitcoin but aren't savvy enough to realize this is a hoax seems like a pretty good return.
This entry was originally posted at https://flwyd.dreamwidth.org/384008.html – comment over there.