Email from my own email address from a hacker saying I'm hacked

Received an email from your own email address from a hacker saying you're hacked?

And is this hacker also demanding money?

Well, don't worry yet, because that email may be spoofed.

Read on to learn more about email spoofing and how you can find out if an email is spoofed.

What is email spoofing?

Email spoofing is creating email messages with a fake sender address so that it looks like the email messages come from someone or somewhere other than the real source.

Why use email spoofing?

Email spoofing is often used for phishing purposes but it's also used for blackmailing, avoiding spam blacklists, tarnishing someone's reputation, and committing identity theft.

My experience with email spoofing

Somebody I know received several similar spoofed emails; you can find three of them below.

Note: I've corrected a few spelling and grammar mistakes, but for the most part the emails are as my acquaintance received them.

Spoofed email #1

This account has been hacked! Change your password right now!

You may not know me and you are probably wondering why you are getting this email, right? I'm a hacker who cracked your devices a few months ago. I sent you an email from YOUR hacked account. I set up malware on an adult videos website and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as an RDP (remote control) having a keylogger which gave me access to your screen and webcam. After that, my software program obtained all of your contacts and files. You entered passwords on the websites you visited, and I intercepted it. Of course, you can change it, or already changed it. But it doesn't matter, my malware updated it every time. What did I do? I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha), and 2nd part shows the recording of your webcam. Do not try to find and destroy my virus! (All your data is already uploaded to a remote server) – Do not try to contact me – Various security services will not help you; formatting a disk or destroying a device will not help either since your data is already on a remote server. I guarantee you that I will not disturb you again after payment, as you are not my single victim. This is a hacker code of honor. Don't be mad at me, everyone has their own work. exactly what should you do? Well, in my opinion, $1000 (USD) is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search “how to buy bitcoins” in Google). My Bitcoin wallet Address: 1AyRZviUxoBaCU1pJM5m7C1V2LdhPYiRcB (It is cAsE sensitive, so copy and paste it) Important: You have 48 hours in order to make the payment. (I have a facebook pixel in this mail, and at this moment I know that you have read through this email message). To track the reading of a message and the actions in it, I use the Facebook pixel. Thanks to them. 
(Everything that is used for the authorities can help us.) If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, co-workers, and so on. Having said that, if I receive the payment, I'll destroy the video immediately. If you need evidence, reply with “Yes!” and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

Spoofed email #2

Caution! Attack hackers to your account!

Hi, stranger! I hacked your device because I sent you this message from your account. If you have already changed your password, my malware will intercept it every time. You may not know me, and you are most likely wondering why you are receiving this email, right? In fact, I posted a malicious program on some adult websites, and you know that you visited these websites to enjoy (you know what I mean). While you were watching video clips, my trojan started working as an RDP (remote desktop) with a keylogger that gave me access to your screen as well as a webcam. Immediately after this, my program gathered all your contacts from messenger, social networks, and by email. What I've done? I made a double screen video. The first part shows the video you watched (you have good taste, yes, but strange for me and other normal people), and the second part shows the recording of your webcam. What should you do? Well, I think $627 (USD dollars) is a fair price for our little secret. You will make a bitcoin payment (if you don't know, search for “how to buy bitcoins” on Google). BTC Address: 1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr (This is CASE sensitive, please copy and paste it) Remarks: You have 2 days (48 hours) to pay. (I have a special code, and at the moment I know that you have read this email). If I don't get bitcoins, I will send your video to all your contacts, including family members, colleagues, etc. However, if I am paid, I will immediately destroy the video, and my trojan will be destroyed. If you want to get proof, answer “Yes!” and resend this letter to yourself. And I will definitely send your video to your any 17 contacts. This is a non-negotiable offer, so please do not waste my personal and other people's time by replying to this email. Bye!

Spoofed email #3

High danger. Your account was attacked.

Hi! As you may have noticed, I sent you an email from your account. This means that I have full access to your account: On the moment of crack info@example.com password: example1206. You may say: but this is my old password! Or: I will change my password at any time! Of course! You're right, but the fact is that when you change the password, my malicious code will every time save the new one! I've been watching you for a few months now. But the fact is that you were infected with malware through an adult site that you visited. If you are not familiar with this, I will explain. A Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence from email and messengers. Why your antivirus did not detect my malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent. I made a video showing how you satisfy yourself in the left half of the screen, and in the right half, you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your email correspondence and messengers that you use. If you want to prevent this, transfer the amount of $744 to my bitcoin address (if you do not know how to do this, search on Google for: “buy bitcoins”). My bitcoin address (BTC Wallet) is: 1KeCBKUgQDyyMpaXhfpRi2qUvyrjcsT44o After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter. Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes. 
If I find that you have shared this message with someone else, the video will be immediately distributed. Bye!

How to find out if an email is spoofed

To find out if an email is spoofed, you will need to take a look at the header of the email.

Below you will find a few different explanations from different sources.

After the explanations, you can find the steps to view email headers on a few popular email service providers.

Here's an explanation from mit.edu:

If you look closely, the “From” email address is not legitimate, even though the name that appears before it may be. Look also at the email's full headers. You can use these headers to verify the original source of the message.

In a legitimate email, the return path (the email address the message was really sent from) will usually match the address that appears in the email's “From” field.

A fraudulent email will show a different address as the return path. In most spoofed emails, the “Reply-To” address in the email will also be different. (Source)

Here's an explanation with an example from proofpoint.com:

It is possible for the sender to tinker with the message header and spoof the sender's identity so the email looks like it is from someone other than Guy1. Let's break down how.

Say you have a friend that likes to play practical jokes on you. And you receive an email from them that says this:

mail from: guy1@domain1.com
rcpt to: guy2@domain2.com

From: BossMan <bossman@domain1.com>
Subject: Raise!
Date: January 10, 2019 3:30:48 PM PDT
To: guy1 <guy1@domain1.com>
Reply-To: BossMan <guy2@domain2.com>

Hi Guy1,

You're such an awesome employee I've decided to give you a raise!

Regards,
BossMan

Notice that the envelope fields are correct, but the “From” and “Reply-To” are false. When Guy1 receives this email, he may think it's from his boss. When he hits “Reply” all he'll see in the “To” field is the “BossMan” name, but it will go back to his friend who spoofed the email, Guy2. (Source)

Here's an explanation with an example from askdavetaylor.com:

Example:

Return-Path: <ESC1102074045742_1102067540733_15299@in.constantcontact.com>
Received: from k127.smtproutes.com (k127.smtproutes.com [208.70.91.127])
  by limbo3.aplonis.com (8.13.6.20060614/8.13.6) with ESMTP id m3UJ0HEL046908
  for taylor@spamtest.com; Wed, 30 Apr 2008 19:00:19 GMT
Received: from ccm01.constantcontact.com ([63.251.135.74])
  by k127.smtproutes.com ([192.168.1.127])
  with ESMTP via TCP; 30 Apr 2008 19:00:08 -0000
Received: from p1-ws008 (unknown [10.250.0.102])
  by ccm01.constantcontact.com (Postfix) with ESMTP id F2EDD510102
  for taylor@spamtest.com; Wed, 30 Apr 2008 13:45:30 -0400 (EDT)
Message-ID: <1102074045742.1102067540733.15299.8.13145606@scheduler>
Date: Wed, 30 Apr 2008 15:00:08 -0400 (EDT)
From: Cell Labs <wholesale@celllabsinc.com>
Reply-To: wholesale@celllabsinc.com
To: taylor@spamtest.com
Subject: Cell Labs Wants to Purchase Blackberry 6000/7000 Series Phones
Mime-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_Part_63682616_1802965059.1209582008096"
X-Mailer: Roving Constant Contact 0 (http://www.constantcontact.com)
X-Return-Path-Hint: ESC1102074045742_1102067540733_15299@in.roving.com
X-Roving-ID: 1102067540733.15299
X-Lumos-SenderID: 1102067540733
X-Roving-CampaignId: 1102074045742
X-Roving-StreamId: 1

Notice all the weird X- headers on the bottom, for example. More important, and this is a key characteristic of spoofed email, compare the “From” address to the “Message-ID” domain. The “From” is wholesale@celllabsinc.com, but rather than the domain of the Message-ID matching this address domain, it's not a valid domain at all, and the MessageID is “@scheduler”.

On a message that's spoofed and not really from you, this is the most common way you can tell that it's not legit. If I send a message, for example, from “spamtest.com”, then the Message-ID should be some sort of unique message identifier “@spamtest.com”. (Source)

Here's another explanation with an example from askdavetaylor.com:

In the first example from askdavetaylor.com, the “From” and “Reply-To” match. That's another thing to examine: if you get a message “From” your friend, but the “Reply-To” is a different address, the second address might well be the sender and the “From” is just a spoofed value. Be suspicious.

Example:

Received: from pool-72-67-203-40.lsanca.dsl-w.verizon.net [72.67.203.40] by mail01.ozline.net with ESMTP
  (SMTPD-8.22) id AC0D0DC4; Thu, 10 Apr 2008 22:25:17 -0400
Message-ID: <000a01c89b7b$05eea358$d988ba94@xwhhef>
From: "hezekiah nancy" <taylor@spamtest.com>
To: <holliecantuauhqg@avatarfl.com>
Subject: X-IMail-SPAM-Statistical Medications Coupon for holliecantuauhqg
Date: Fri, 11 Apr 2008 00:37:58 +0000
MIME-Version: 1.0
Content-Type: multipart/alternative
  boundary="----=_NextPart_000_0007_01C89B7B.05E96FE6"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138

What you should notice here is the inconsistency between the nonsensical Message-ID domain (“xwhhef”) and, more importantly, the jarring mismatch between the email address (which implies “taylor” should be part of the name) and the actual user name shown (“hezekiah nancy”, generated by a spam tool that randomly pairs names out of a dictionary).

If the address was nancy@spamtest.com or even nhezek@ or anything even vaguely related to the given name, maybe it would seem legit, but these sort of inconsistencies are the mark of spoofed email.
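
The header comparisons described in the explanations above can be automated. The following Python sketch is an added example, not code from MIT, Proofpoint or AskDaveTaylor; it runs the Return-Path, Reply-To and Message-ID comparisons over trimmed copies of the sample headers quoted on this page. The function names are hypothetical, and a mismatch is a signal to look closer rather than proof, because bulk-mail services legitimately send with their own return-path domain.

```python
from email import message_from_string
from email.utils import parseaddr

def related(a, b):
    """True when the domains are equal or one is a subdomain of the other
    (a simplification; a stricter check would compare organizational domains)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def spoof_signals(raw_headers):
    """Apply the header comparisons quoted above; return (header, value) mismatches."""
    msg = message_from_string(raw_headers)
    from_addr = parseaddr(msg["From"] or "")[1].lower()
    from_dom = from_addr.rpartition("@")[2]
    signals = []
    # MIT: the return path should usually match the "From" address.
    rp = parseaddr(msg["Return-Path"] or "")[1].lower().rpartition("@")[2]
    if rp and not related(rp, from_dom):
        signals.append(("Return-Path", rp))
    # MIT / Proofpoint: a "Reply-To" that points elsewhere redirects replies.
    reply_to = parseaddr(msg["Reply-To"] or "")[1].lower()
    if reply_to and reply_to != from_addr:
        signals.append(("Reply-To", reply_to))
    # AskDaveTaylor: the Message-ID domain should relate to the "From" domain.
    mid = (msg["Message-ID"] or "").strip().strip("<>").rpartition("@")[2].lower()
    if mid and not related(mid, from_dom):
        signals.append(("Message-ID", mid))
    return signals

# The headers below are trimmed copies of the samples quoted on this page.
CELL_LABS = """\
Return-Path: <ESC1102074045742_1102067540733_15299@in.constantcontact.com>
Message-ID: <1102074045742.1102067540733.15299.8.13145606@scheduler>
From: Cell Labs <wholesale@celllabsinc.com>
Reply-To: wholesale@celllabsinc.com
To: taylor@spamtest.com
"""
HEZEKIAH = """\
Message-ID: <000a01c89b7b$05eea358$d988ba94@xwhhef>
From: "hezekiah nancy" <taylor@spamtest.com>
To: <holliecantuauhqg@avatarfl.com>
"""
BOSSMAN = """\
From: BossMan <bossman@domain1.com>
To: guy1 <guy1@domain1.com>
Reply-To: BossMan <guy2@domain2.com>
"""

if __name__ == "__main__":
    for name, raw in (("Cell Labs", CELL_LABS), ("hezekiah", HEZEKIAH), ("BossMan", BOSSMAN)):
        print(name, spoof_signals(raw))
```

To check a real message, paste the header block you copied from your email provider's raw view into spoof_signals().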

How to view email headers on:

How to view email headers on Gmail

1. Open the email message.

2. Click on the 3-dots icon (more actions) located at the top right of the email.

3. Click on Show original.

How to view email headers on Outlook.com (Outlook, Hotmail, Live, etc.)

1. Open the email message.

2. Click on the 3-dots icon (more actions) located at the top right of the email.

3. Click on View message source.

How to view email headers on Yahoo

1. Open the email message.

2. Click on the 3-dots icon (more actions) located at the top right of the email.

3. Click on View raw message.

How to view email headers on AOL Mail

1. Open the email message.

2. Click on More, located above the email.

3. Click on View Message Source.

How to view email headers on Zoho Mail

1. Open the email message.

2. Click on the more actions icon located at the top right of the email.

3. Click on Show original.

How to view email headers on ProtonMail

1. Open the email message.

2. Click on the more actions button located at the top right of the email.

3. Click on View headers.

How to stop email spoofing?

There's generally nothing you can do to stop email spoofing. The only thing you can do is to check the email headers.



References:

Wikipedia: Email spoofing

TechTarget: Email spoofing

HuffingtonPost: Email Spoofing: Explained (and how to protect yourself)

Barracuda.com: Email spoofing

MIT: What is email spoofing all about?

Proofpoint: How does email spoofing work and why is it so easy?

AskDaveTaylor: How can you tell if an email is spoofed or legit?