‘This account has been hacked!’ email scam blackmails you for Bitcoin

Sean Doyle

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Cyber Security, Web Spam, and Online Marketing.

25 Responses

  1. Chris says:

    This happened to my parents’ Verizon account recently. There were multiple emails, and the ‘hacker’ had written their previous passwords in the subject line, so that was concerning. Also, they changed the passwords on the router, wifi and email and the ‘hacker’ STILL got another one of these messages through. Ordinarily we wouldn’t be concerned, but they lost their pc to ransomware about two years ago.

  2. terry says:

    I’m being bombarded by these, mostly daily, at least 6 at a time, and they are now using a From: with various names made up from nonsense. The subject: line was always the e-mail address I use followed by “has been hacked”; the new take on this is now to add the words security alert in front of the original subject line. When I looked at the headers they were saying I had sent them myself originally, but now they seem to be just made-up nonsense as to who sent them. It’s quite astonishing that the claimed password they say I’ve used is also complete rubbish; it’s just nothing I’ve used, and neither was the hotmail.com e-mail address attached to it, so I believe my non-hotmail e-mail address has been leaked.

  3. Anonymous says:

    If you pull the header information IP traceroute you will see that the sender (in my case) is not your ISP, even though it is spoofed. The password they gave me in the email is for the US retailer Target and a password I have not used in years. I keep all my passwords in classes, so that when someone says they are compromised I know where this is from. I am honestly surprised it took this long for someone to try to use it.

  4. Allen says:

    I also received this email on the 22nd November. Been advised by technical support it is a scam. The above transcript is the same except for bitcoin number & amount to pay.

  5. Anonymous says:

    Spoof!

  6. Laura says:

    I did receive this email. The same day that the hacker suggested, I could not get on to my phone. Is that the same for everyone else?

  7. Shay says:

    I received the same email and it honestly petrified me. Thank goodness I found this thread. I would advise everyone to change the passwords they stated in the email.
    I think it’s just a spam email using a spoof.

  8. Anonymous says:

    Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their SMTP host. Maybe something is infected internally at InmotionHosting? I have already notified the originating IP’s web host (in Columbia) but am still trying to find out from Inmotion if I have access to SMTP logs or email account access logs. I also notice the X-Mailer info, etc. is a bit strange.

    Received: from [SENDER IP] (port=26143)
    by biz***.inmotionhosting.com with esmtp (Exim 4.91)
    (envelope-from )
    id private
    for myemail@mydomain.com;
    Message-ID:
    From:
    To:
    Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
    Date:
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="ibm852"
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
    X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

  9. Anonymous says:

    Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their SMTP host. Maybe something is infected internally at InmotionHosting? I have already notified the originating IP’s web host (in Columbia) but am still trying to find out from Inmotion if I have access to SMTP logs or email account access logs. I also notice the X-Mailer info, etc. is a bit strange.

    Received: from [190.127.196.235] (port=26143)
    by biz***.inmotionhosting.com with esmtp (Exim 4.91)
    (envelope-from )
    id private
    for myemail@mydomain.com;
    Message-ID:
    From:
    To:
    Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
    Date: 18 Nov 2018 14:32:12 -0600
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="ibm852"
    Content-Transfer-Encoding: 8bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
    X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

  10. Anonymous says:

    Yes, it was strange because I did look at the headers and they are somehow spoofing the headers to match my server even if it is not in my sent box? That part had me a bit confused. I did change my email pw just in case. But had additional concern that if they did actually get into my account they could have downloaded some of my notes to self and get across to other accounts from there even though they’re disguised. Definitely not too worried about it as I have no adult websites in there which was the first red flag… it is the possibly spoofed headers that have me scratching my head a bit and wondering what has or has not really happened here.

    • Anonymous says:

      Still looking for info on how the sender could spoof the SMTP server that it was received from. If anyone is curious, I utilize InmotionHosting and the source definitely shows it passing through their SMTP host. Maybe something is infected internally at InmotionHosting? I have already notified the originating IP’s web host (in Columbia) but am still trying to find out from Inmotion if I have access to SMTP logs or email account access logs. I also notice the X-Mailer info, etc. is a bit strange.

      Received: from [SENDER IP] (port=26143)
      by biz***.inmotionhosting.com with esmtp (Exim 4.91)
      (envelope-from )
      id private
      for myemail@mydomain.com;
      Message-ID:
      From:
      To:
      Subject: myemail@mydomain.com – this account has been hacked! Change all your passwords!
      Date:
      MIME-Version: 1.0
      Content-Type: text/plain;
      charset="ibm852"
      Content-Transfer-Encoding: 8bit
      X-Priority: 3
      X-MSMail-Priority: Normal
      X-Mailer: Microsoft Windows Live Mail 15.4.3508.1109
      X-MimeOLE: Produced By Microsoft MimeOLE V15.4.3508.1109

      • Sean Doyle says:

        They use a simple email spoofing service like anonymailer. There’s nothing to it.

        You are referring to “failed messages” in your comment. Those are sometimes generated by spam filters. They are generated when the spammer/scammer spoofs your email address and sends a third-party recipient a message. An outbound filtering service will then essentially notify you that a message sent from your account (spoofed account) was flagged as spam. It can also be triggered when the IP used to send the message is blacklisted.

        • Anonymous says:

          No, I don’t think it has anything to do with returned emails. The headers actually look like they were genuinely sent through the same SMTP as my account would. On spoofed email, I’d expect the reply-to, etc. to all be spoofed but the actual server looks fairly legitimate. I opened up a ticket with my web host for the Exim logs to see if they can find anything. I’ll update if the host finds anything. Also, sorry for posting the same details three times up there. Something got jammed up and I didn’t think anything had posted.

          • Sean Doyle says:

            Hello,

            I can tell you with absolute certainty that your email was spoofed. No one was logged into your account. The type of messages you are referencing have been sent to most people and their ‘server’ information was also shown; even after they changed their passwords. This happens when you use a spoofing service like anonymailer. If you want to physically see this, send yourself an email using anonymailer with the same information in the email you received.

            Also please be aware that it is a high volume scam. They are throwing a needle into a haystack and hoping to make an impact somewhere. They will not take their time to individually log into everyone’s account. That takes much longer, is a risk, and is not worth it when you might be able to only trick 1 out of 10,000 people. Also note, many email services will block or question suspicious requests for access so it would be too big of an issue and risk for a scammer just to target someone that probably won’t believe what they’re reading or even open the message they receive.

            Hope this is able to clear some things up.

            • Gabi says:

              Hello Sean, does it mean that I do not need to change my password? Thank you!

              • Sean Doyle says:

                Hello,

                It means that your information (such as your email address) was leaked somewhere online following a breach. In previous versions of these scams they would provide you with your email account’s password in order to frighten you. You most definitely should change your password.

    • Anonymous says:

      My web host is in Los Angeles. I’m wondering if this was an infection on their network.

  11. Anonymous says:

    It’s a spoof email. It will NOT be in your sent box. Just ignore it. Don’t even open it. Just delete it. IT’S ALL FAKE. JUST CHANGE YOUR PASSWORDS on all your accounts. Not just emails. Everything. Including your credit card sites, even supermarkets. EVERYTHING.

  12. Mark says:

    It’s all baloney; my website admins confirmed that they did not really hack the account, they have means to make it look that way. Don’t pay money, don’t get nervous, nothing will happen. Ignore it.

  13. Anonymous says:

    I received the same email and my website admins told me that even the supposed hacking of the email account is not true; they have means to make it look like it. Don’t pay the money, don’t worry, it’s all baloney.

  14. Gabi says:

    Anonymous Nov 19, 9:36 am –> does it mean that I do not need to change my password? Thank you!

  15. Anonymous says:

    Anonymous: this is because they just send this mail from another server and spoof the origin. Just look at the headers and you’ll see it’s not sent from your server.

  16. Anonymous says:

    I did too… What I’m confused about is how did they send from my account and why isn’t the email they sent in my sent box. Did they really send from my account or did they just spoof like they did? Do I really need to change my password? It’s strange.

  17. Lionel says:

    I received this same email and am concerned. What do you advise??
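
Added example of the header check discussed in this thread (not code from the post or from any commenter): the topmost Received line is written by your own mail server and records the protocol, and under RFC 3848 the keywords esmtpa/esmtpsa mark a client that logged in with SMTP AUTH, while plain esmtp from an outside IP is ordinary unauthenticated inbound delivery, even when the same shared host is also the mailbox's outgoing SMTP server. The sample message, host name, addresses and IP are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread; the host
# name, address and IP (a documentation range) are placeholders.
SAMPLE = (
    "Received: from [203.0.113.45] (port=26143)\n"
    "\tby mail.hosting.example with esmtp (Exim 4.91)\n"
    "\t(envelope-from <me@mydomain.example>)\n"
    "\tfor me@mydomain.example; Sun, 18 Nov 2018 14:32:12 -0600\n"
    "From: <me@mydomain.example>\n"
    "To: <me@mydomain.example>\n"
    "Subject: me@mydomain.example - this account has been hacked!\n"
    "\n"
    "body\n"
)

# RFC 3848 protocol keywords: a trailing "a" means the client logged in with
# SMTP AUTH; plain esmtp/esmtps is an unauthenticated delivery.
AUTHENTICATED = {"esmtpa", "esmtpsa"}
HOP = re.compile(r"from\s.*?\[(?P<ip>[^\]]+)\].*?\bby\s+(?P<by>\S+)"
                 r"\s+with\s+(?P<proto>\w+)", re.S)


def first_hop(raw):
    """Parse the topmost Received header, the one your own server wrote."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    m = HOP.search(received[0]) if received else None
    if m is None:
        return None
    proto = m["proto"].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    return {"client_ip": m["ip"], "server": m["by"], "protocol": proto,
            "authenticated": proto in AUTHENTICATED,
            "self_addressed": bool(sender) and sender == rcpt}


def verdict(raw):
    hop = first_hop(raw)
    if hop is None:
        return "unknown"
    if hop["authenticated"]:
        return "authenticated-submission"  # someone logged in: rotate credentials
    if hop["self_addressed"]:
        return "spoofed-self-address"      # forged From on ordinary inbound mail
    return "ordinary-inbound"
```

Received lines below the topmost one are supplied by the sender and can be forged, so only the first is used here.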
