Keylogger - how to spot one?

Capodecina (Soldato, joined 30 Jul 2006, 12,130 posts)
About a year ago I built a Windows 10 system for someone.

Today she called me to say that she had received an emailed demand for $5,000 in bitcoins from someone who had guessed her (incredibly stupid) Gmail password. He said that he had a pornographic video of her and would send it to all of her contacts if she didn't pay up. There is no camera on her PC and she has never taken (or emailed) any pornographic videos.

She wanted to know what to do next. I told her not to reply to the email, to change ALL her passwords to something a wee bit harder to guess than h31105tu and to change all her credit cards.

She uses (paid for) Kaspersky but I don't know anything about how one identifies the presence of a keylogger - how would one go about this?
 
That is just the usual email that's been doing the rounds for a while to see if folk will bite. There have been quite a few threads made on here about it.
 
I'd put money on it not being a key logger. It is almost certainly just using leaked credentials that can be found easily online. I've seen many people receive this sort of email and most of the time they don't have full credentials, but enough to scare people. It's a scattergun approach just hoping someone falls for it. Ask her to send you the text in the email and Google it, that will very likely confirm my suspicions. Also, don't tell her to use one password, at least have a variation in it based on the service/site it's for, or use a password manager, and enable two factor authentication wherever possible.
 
There have been a lot of emails similar to this going around that mention a password in the email, where the information has been found in a previously published hack, such as the LinkedIn and Adobe ones.

If you don't suspect there is a key logger, it may be worth getting your friend to put their email into Troy Hunt's Have I Been Pwned service, as it will show if the email address features in past hacks.
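The suggestion above is the breached-account lookup, which is a web form (the API behind it needs a key). The same service also offers the Pwned Passwords range check, which is the half a practitioner would run on the password itself, and it is worth seeing why it is safe to use: only the first five hex characters of the SHA-1 hash leave the machine. The following is an added example written for this thread, not code from the forum or from HIBP. It assumes the endpoint `https://api.pwnedpasswords.com/range/<5-char prefix>` and the `SUFFIX:COUNT` line format; the response body it checks against is constructed so the example runs offline, and "Password2017" is taken from a later post in this thread.

```python
"""Offline walk-through of the Have I Been Pwned "Pwned Passwords" range
check (k-anonymity). Added example for this thread, not HIBP's own code.

Assumptions (not stated on the page): the real endpoint is
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1> and it
returns lines of the form "<remaining 35 hex chars>:<count>". The response
body used below is CONSTRUCTED so that nothing is sent over the network.
"""
import hashlib
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"   # assumed endpoint


def sha1_upper_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix is ever sent; the
    35-char suffix is compared locally, so the service never learns the hash."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping anything
    that is not a well-formed 35-hex-char suffix with a numeric count."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) == 35 and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the returned range (0 = not seen)."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def constructed_range_body(password: str, count: int) -> str:
    """Stand-in for the HTTP response: a few decoy suffixes plus the real
    suffix of `password`. CONSTRUCTED test data, not real HIBP output."""
    _, suffix = split_for_range_query(password)
    lines = [
        "0" * 35 + ":3",
        "F" * 35 + ":12",
        f"{suffix}:{count}",
        "not a valid line",        # garbage the parser must ignore
    ]
    return "\r\n".join(lines)


if __name__ == "__main__":
    pw = "Password2017"            # pattern a poster in this thread used
    prefix, suffix = split_for_range_query(pw)
    print(f"GET {RANGE_URL}{prefix}   (suffix {suffix} stays on this machine)")
    body = constructed_range_body(pw, count=1500)      # constructed, not real
    print("Password2017 seen:", pwned_count(pw, body))
    print("h31105tu seen:", pwned_count("h31105tu", body))
```

Against the live service the only change is replacing `constructed_range_body` with a GET of `RANGE_URL + prefix`; a non-zero count means the password is already in a public dump and should be retired regardless of how "hard to guess" it looks.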
 
If you have reason to suspect [a keylogger], then wipe clean and start fresh.
When I handed over the system I had also made an Acronis Image copy of the system for disaster recovery purposes so that would certainly be my preferred option. However, I don't really want to spend ages helping her reinstall everything tidily.

I will get the text of the email and Google it - good idea!
 
About a year ago I built a Windows 10 system for someone.
. . .
I highly doubt there was a keylogger. If she used the same password for other sites and one of those sites was compromised and its whole user database didn't have much in the way of encryption (or the encryption was easy to break), then these people are just chancers seeing if they can catch someone gullible enough to pay.

Also since she doesn't have a webcam, this is 100% someone who is just firing out these emails using some database of email addresses and passwords they got off the dark web and seeing if they catch someone who is gullible enough to pay up.
 
There have been a lot of emails similar to this going around that mention a password in the email...
. . .

This. Also get her using a password manager to stop reuse of passwords.
 
No trace of any of the text identified by Google. However, the text of the email is pretty "iffy", with "unusual" English, and as has been suggested above, the lack of a camera on her system suggests that it is just an "opportunistic" blackmail scam based on the possibility of someone ever having accessed a porn website.

I have always been uncomfortable about recommending password managers and I do rather wonder what a Bank would say if your account were to be raided and they knew that you used one?

On balance I don't think she needs to worry but out of interest I would still like to know how to spot the presence of a keylogger.
 
I get at least 1 of those emails a day!!

They get the password from a site/forum you have used that got compromised. I used to use a year in my passwords, so I could tell it was from an old site I used to use... Password2017, for instance.

What's funny is, if you check on the bitcoin address... nobody is falling for these scams anymore.
 
About a year ago I built a Windows 10 system for someone.
. . .

Tell her to change her Gmail password, set up multi-factor authentication and forget about it. This scam e-mail has been doing the rounds for a couple of months now.
 
No trace of any of the text identified by Google.
. . .

How do you know her Gmail password has been guessed?
Was the email threat she received sent from her own address?
Use Gmail's recent login activity to see the IP addresses that have been accessing her account, and find their location.
 
Here's the one I got yesterday

some internet scumbag said:
Hello, my victim.

I know your password - 6877b4f66235ac7909799e74a9a7ee9e


This is my last warning.


I write you inasmuch as I put a trojan on the web page with pornography which you have visited.

My malware grabbed all your personal data and switched on your webcam which captured the process of your masturbation. Just after that the trojan saved your contact list.

I will remove the compromising video and data if you pay me 500 USD in bitcoin. This is wallet address for payment : 135qVXXBZb3v2tQcLJRA8UAndiUYNybh3J

(you can google on "how to buy bitcoin")


I give you 24 hours after you view my message to make the payment.

As soon as you view the message I'll know it right away.

It is not necessary to tell me that you have sent money to me. This address is connected to you, my system will delete everything automatically after transfer confirmation.

You can visit the police office but no one can't help you.

If you try to cheat me, I'll see it immediately!

I don't live in your country. So nobody can't track my location even for 9 months.

Don't forget about the disgrace and to ignore, Your life can be ruined.

Looks like the password was encrypted, as that is defo not mine. But they do usually get an old password correct.
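The token in the quoted mail is 32 hex characters, which is the length and alphabet of an MD5 digest; the page only says it "looks encrypted", so treating it as an unsalted MD5 from a credential dump is an assumption. The following added example (written for this thread, not from the forum or any tool the posters mention) shows why a dump that stores unsalted hashes still yields the "old password" these mails quote: it classifies the token by length and tries it against a small constructed wordlist built from the weak passwords mentioned in this thread.

```python
"""Why the "password" in a sextortion mail may be a hash from a dump, and
why an unsalted hash of a weak password is as good as plaintext.
Added example for this thread, not code from the forum.

Assumption: the 32-hex token in the quoted mail is an unsalted MD5 digest.
The page does not confirm that; it only notes the value is not a real
password. The wordlist below is CONSTRUCTED for the example.
"""
import hashlib
import re
from typing import List, Optional

# Hex-digest length -> algorithm with that output size. Length alone cannot
# prove which algorithm produced a token; it only says what is plausible.
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

TOKEN_FROM_MAIL = "6877b4f66235ac7909799e74a9a7ee9e"   # as quoted above

# Constructed list of weak / reused passwords of the kind discussed in the thread.
WORDLIST: List[str] = ["password", "123456", "h31105tu", "Password2017", "Password2018"]


def classify_token(token: str) -> Optional[str]:
    """Return the algorithm an all-hex token *could* be ('md5', 'sha1',
    'sha256'), or None if it is not all-hex or has no matching length."""
    t = token.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", t):
        return None
    return HEX_DIGEST_LENGTHS.get(len(t))


def digest_of(word: str, algo: str = "md5") -> str:
    """Lower-case hex digest of `word`; what an unsalted dump would store."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def crack_unsalted(token: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack on an unsalted digest: hash every candidate with the
    algorithm implied by the token length and compare. Returns the matching
    candidate, or None. Salted or slow hashes (bcrypt, scrypt, Argon2) would
    not fall to this, which is the whole point of using them."""
    algo = classify_token(token)
    if algo is None:
        return None
    target = token.strip().lower()
    for candidate in wordlist:
        if digest_of(candidate, algo) == target:
            return candidate
    return None


if __name__ == "__main__":
    print("token looks like:", classify_token(TOKEN_FROM_MAIL))
    print("recovered from constructed wordlist:", crack_unsalted(TOKEN_FROM_MAIL, WORDLIST))
    leaked = digest_of("Password2017")          # what a poor dump would hold
    print(leaked, "->", crack_unsalted(leaked, WORDLIST))
```

A real attacker runs the same loop over hundreds of millions of candidates, so "encrypted" in a breach notice means little unless the site used a salted, slow password hash; that is the reason the thread's advice to stop reusing passwords holds even when a breached site claims to have protected them.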
 
How do you know her Gmail password has been guessed?
. . .
With all due respect to you and I am grateful for your suggestion, I am aware of all this. All I asked was whether anyone knew how to spot an installed keylogger.

Here's the one I got yesterday
. . .
Looks like the password was encrypted, as that is defo not mine. But they do usually get an old password correct.
Your demand is not exactly the same as she got but is pretty close. They did correctly identify the password which was incredibly (and stupidly) obvious and they demanded $5,000.

Case pretty much closed; thanks to all :)
 
I have identified the URL samochody.azurewebsites.net/wanedvv.html possibly in connection with this scam - does anyone else recognise it?

samochody.net returns "Redacted for privacy" from WHOIS.
azurewebsites.net appears to be registered by Microsoft.
 