📣 Post by briankrebs

2024-12-09

So you know how those sextortion email scams work, right? They claim they've hacked your computer or account and stolen embarrassing photos or videos of you that they will release if you don't pay a crypto ransom? Well, sometimes they aren't exactly lying about breaking into your account.
Lawrence Baldwin at MyNetWatchman.com just shared this screenshot of some email headers for a message that spammers are appending to the victim's email inbox AFTER they have already hacked and downloaded all of their messages and files.
Baldwin thinks the hackers are using credential stuffing to gain access to victim inboxes, and then using the IMAP "Append" command to just stuff the phishing or ransom message/payload directly into the mailbox. Complete end around to spam/malware filtering.
Of course, we've spent the past couple of years teaching people that these sextortion scams are just empty threats. But in this case, they're really not.

briankrebs

https://infosec.exchange/@briankrebs/113625010728405416

https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/625/003/919/933/493/original/7514b1769b36e1ce.png
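The detection angle on the technique Baldwin describes: a message written into a mailbox with IMAP APPEND never traverses the provider's inbound MTAs, so it typically lacks the Received: chain and Authentication-Results: stamp that every SMTP-delivered message carries. The script below is an added example, not code from the post or from MyNetWatchman; it assumes a provider whose inbound MX hostname is the constructed placeholder mx.example-provider.net, and both sample messages are constructed for illustration.

```python
"""Flag inbox messages that look injected via IMAP APPEND rather than delivered over SMTP.

Added example (not from the original post). Assumption: the mail provider stamps every
SMTP-delivered message with a Received: hop naming one of its own inbound MX hosts and
records its SPF/DKIM verdicts in an Authentication-Results: header. A message that lacks
both was most likely written straight into the mailbox by an authenticated IMAP session.
"""
from email import message_from_string

# Constructed placeholder: the provider's own inbound MTA hostnames.
TRUSTED_MX_HOSTS = ("mx.example-provider.net",)

# Constructed sample: a normal message relayed through the provider's MX.
SMTP_DELIVERED = """\
Received: from mx.example-provider.net (mx.example-provider.net [192.0.2.10])
    by imap.example-provider.net with LMTP id abc123
    for <victim@example-provider.net>; Mon, 9 Dec 2024 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
    by mx.example-provider.net with ESMTPS id xyz789
    for <victim@example-provider.net>; Mon, 9 Dec 2024 09:59:58 +0000
Authentication-Results: mx.example-provider.net; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example
Message-ID: <20241209095958.1234@mail.sender.example>
From: Alice <alice@sender.example>
To: victim@example-provider.net
Subject: Lunch on Thursday?
Date: Mon, 9 Dec 2024 09:59:58 +0000

Still on for Thursday?
"""

# Constructed sample: a message appended directly into the mailbox. No MTA ever saw it,
# so there is no Received: chain and no Authentication-Results: stamp.
APPENDED = """\
From: "Security Team" <noreply@victim-mail.example>
To: victim@example-provider.net
Subject: Your account has been compromised
Date: Mon, 9 Dec 2024 10:05:00 +0000

(constructed ransom-demand body omitted)
"""


def injection_indicators(raw: str) -> list[str]:
    """Return the list of header anomalies suggesting the message was injected via IMAP APPEND."""
    msg = message_from_string(raw)
    indicators: list[str] = []

    received = msg.get_all("Received", [])
    if not received:
        indicators.append("no Received headers (never passed through an MTA)")
    elif not any(host in hop for hop in received for host in TRUSTED_MX_HOSTS):
        indicators.append("no Received hop from the provider's own MX")

    if msg.get("Authentication-Results") is None:
        indicators.append("no Authentication-Results (inbound SPF/DKIM checks never ran)")

    if msg.get("Message-ID") is None:
        indicators.append("no Message-ID")

    return indicators


def classify(raw: str) -> str:
    """Coarse verdict for triage: 'delivered' or 'possibly-injected'."""
    return "possibly-injected" if injection_indicators(raw) else "delivered"


if __name__ == "__main__":
    for label, raw in (("normal", SMTP_DELIVERED), ("suspect", APPENDED)):
        print(f"{label}: {classify(raw)}")
        for reason in injection_indicators(raw):
            print(f"  - {reason}")
```

Run against a mailbox export, the checks separate messages the provider actually filtered from ones that simply appeared in the folder. On the server side the same event is visible as an APPEND issued by a freshly authenticated IMAP session, so a login from an unfamiliar address followed immediately by an APPEND into INBOX is the log pattern to alert on; the underlying fix is the one implied by Baldwin's credential-stuffing theory, that is, unique passwords and MFA on the mailbox.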

💬 Replies

2024-12-10 iay

@briankrebs I don't know about the email stuffing part of this, but I had a slew of spam like this quoting passwords over the last couple of days. The mail arrived in the usual way but quoted a […]

2024-12-10 letmeshowyou

@briankrebs Thank you.

2024-12-09 13reak

@briankrebs
Had a case like that before too. Compromised email account then blackmailing via email. My guess was also password brute force.

2024-12-09 xdydx

@briankrebs
Were they ever not really not?
Every stereotype has a grain of truth (that might not actually be true) and therefore it was always reasonable that the "origin story" was really […]

2024-12-09 RichiH

@briankrebs the password is in the clear in the screenshot. Too late now, and likely has been cycled in all (most?) places, but still wanted to point it out

2024-12-09 cR0w

@briankrebs MyNetWatchman[.]com has an expired cert. It does redirect to MyNetWatchman[.]tech with a valid cert, but if you know Baldwin, you might want to let them know.
