The problem
I received an email with the subject and body shown below; it appears to have been sent to me from my own email address.
- How is such a thing possible?
- Has my computer been hacked? Has my email been hacked?
- Is my system infected with a trojan?
- What should I do?
Samples

Sample one
Subject: <email@example.com> is hacked
From: <email@example.com>
To: <email@example.com>

Hello! My nickname in darknet is taddeo38. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. If you don't belive me please check 'from address' in your header, you will see that I sent you an email from your mailbox. Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $522 is quite a fair price to destroy the dirt I created. Send the above amount on my BTC wallet (bitcoin): 19D67Tgb3neJiTHd8pZDEBYmUn2qSjxEeB As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it! Since reading this letter you have 50 hours! After your reading this message, I'll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere! Good luck!

Sample two
Subject: Change your password immediately. Your account has been hacked.
From: <email@example.com>
To: <email@example.com>

I greet you! I have bad news for you. 11/08/2018 - on this day I hacked your operating system and got full access to your account webmaster@amnpardaz.com It is useless to change the password, my malware intercepts it every time. How it was: In the software of the router to which you were connected that day, there was a vulnerability. I first hacked this router and placed my malicious code on it. When you entered in the Internet, my trojan was installed on the operating system of your device. After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts). A month ago, I wanted to lock your device and ask for a small amount of money to unlock. But I looked at the sites that you regularly visit, and came to the big delight of your favorite resources. I'm talking about sites for adults. I want to say - you are a big pervert. You have unbridled fantasy! After that, an idea came to my mind. I made a screenshot of the intimate website where you have fun (you know what it is about, right?). After that, I took off your joys (using the camera of your device). It turned out beautifully, do not hesitate. I am strongly belive that you would not like to show these pictures to your relatives, friends or colleagues. I think $813 is a very small amount for my silence. Besides, I spent a lot of time on you! I accept money only in Bitcoins. My BTC wallet: 17vzpL7n29egdeJF1hvUE4tKV81MqsW4wF You do not know how to replenish a Bitcoin wallet? In any search engine write "how to send money to btc wallet". It's easier than send money to a credit card! For payment you have a little more than two days (exactly 50 hours). Do not worry, the timer will start at the moment when you open this letter. Yes, yes .. it has already started! After payment, my virus and dirty photos with you self-destruct automatically. Narrative, if I do not receive the specified amount from you, then your device will be blocked, and all your contacts will receive a photos with your "joys". I want you to be prudent. - Do not try to find and destroy my virus! (All your data is already uploaded to a remote server) - Do not try to contact me (this is not feasible, I sent you an email from your account) - Various security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server. P.S. I guarantee you that I will not disturb you again after payment, as you are not my single victim. This is a hacker code of honor. From now on, I advise you to use good antiviruses and update them regularly (several times a day)! Don't be mad at me, everyone has their own work. Farewell.

Sample three
Subject: emailaddress
From: <email@example.com>
To: <email@example.com>

Hello, I am a spyware software developer. Your account has been hacked by me in the summer of 2018. I understand that it is hard to believe, but here is my evidence (I sent you this email from your account). The hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296). I went around the security system in the router, installed an exploit there. When you went online, my exploit downloaded my malicious code (rootkit) to your device. This is driver software, I constantly updated it, so your antivirus is silent all time. Since then I have been following you (I can connect to your device via the VNC protocol). That is, I can see absolutely everything that you do, view and download your files and any data to yourself. I also have access to the camera on your device, and I periodically take photos and videos with you. At the moment, I have harvested a solid dirt... on you... I saved all your email and chats from your messangers. I also saved the entire history of the sites you visit. I note that it is useless to change the passwords. My malware update passwords from your accounts every times. I know what you like hard funs (adult sites). Oh, yes .. I'm know your secret life, which you are hiding from everyone. Oh my God, what are your like... I saw THIS ... Oh, you dirty naughty person ... 🙂 I took photos and videos of your most passionate funs with adult content, and synchronized them in real time with the image of your camera. Believe it turned out very high quality! So, to the business! I'm sure you don't want to show these files and visiting history to all your contacts. Transfer $966 to my Bitcoin cryptocurrency wallet: 1KzMDhZLokkNd1kcxs2mgwXm97pVvnfRBC Just copy and paste the wallet number when transferring. If you do not know how to do this - ask Google. My system automatically recognizes the translation. As soon as the specified amount is received, all your data will be destroyed from my server, and the rootkit will be automatically removed from your system. Do not worry, I really will delete everything, since I am 'working' with many people who have fallen into your position. You will only have to inform your provider about the vulnerabilities in the router so that other hackers will not use it. Since opening this letter you have 48 hours. If funds not will be received, after the specified time has elapsed, the disk of your device will be formatted, and from my server will automatically send email and sms to all your contacts with compromising material. I advise you to remain prudent and not engage in nonsense (all files on my server). Good luck!

Sample four
Subject: Account compromised - Password change required (email@example.com)
From: <email@example.com>
To: <email@example.com>

Hey! I compromised your account and gained full access to it. As proof, I just sent this email from your account only (notice the from email address is support@amnpardaz.com). Let me tell you exactly how did this happen. You visited a compromised adult website sometime back, and you got infected, and then I observed every action of yours. It gave me access to all of your contacts, browsing history, your passwords, your webcam, and even your microphone. I noticed you were trying to please yourself by watching one of those nasty videos, well my son, I recorded your actions (thanks to your webcam) and even recorded your screen (the video you were watching). Now, if you do nothing, then I will send this video to all of your email, social media and messenger contacts. You have the option to prevent me from doing all of this. All you need to do is to make the transfer of $969 to my bitcoin address. If you don't know how to make the transfer, search google for "buy bitcoin." It is quick and easy. Trust me. My bitcoin address to which you need to transfer is 1LupWwgsFXjfHVeeorePjrYQgMNuHzsKLs Once I receive the transfer (i.e payment), I will delete your video and everything I have about you, and you will never hear a word from me again. My malware will also self destruct itself once I get the payment. You have 48 hours to make the payment. As I mentioned earlier, I have full access to your system. Now I know that you have read the email, so your time starts now. If you are thinking about filing a complaint, save your efforts, since it will not result in anything. This email is untraceable, remember it been sent using your account only? Don't think about sharing this message either because in that case, I will send your video to all of your contacts. Bye!

Sample five
Subject: email@example.com has been hacked, change your password ASAP
From: <email@example.com>
To: <email@example.com>

Hello, As you may have noticed, I sent this email from your email account (if you didn't see, check the from email id). In other words, I have fullccess to your email account. I infected you with a malware a few months back when you visited an adult site, and since then, I have been observing your actions. The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphon and you won't even notice about it. I also have access to all your contacts. Why your antivirus did not detect malware? It's simple. My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it. I made a video showing both you (through your webcam) and the video you were watching (on the screen) while satisfying yourself. With one click, I can send this video to all your contacts (email, social network, and messengers you use). You can prevent me from doing this. To stop me, transfer $997 to my bitcoin address. If you do not know how to do this, Google - "Buy Bitcoin". My bitcoin address (BTC Wallet) is 1NU15tokRymh45uiMU2GfnSwZavXmEXvJJ After receiving the payment, I will delete the video, and you will never hear from me again. You have 48 hours to pay. Since I already have access to your system I now know that you have read this email, so your countdown has begun. Filing a complaint will not do any good because this email cannot be tracked. I have not made any mistakes. If I find that you have shared this message with someone else, I will immediately send the video to all of your contacts. Take care
Solution
Recently, many users have received emails like the ones above. They usually arrive at organizational, corporate and other non-personal domains. The reason you received this email is a flaw in your mail server's configuration; it does not mean your mail server has been hacked.
This may be hard to believe, but just as the author of an email is free to choose any subject and body, they are equally free to choose the sender address. The reason is that the email transfer protocols were designed in the 1980s, before fraud, spam and the like existed, and were modelled on paper mail. So, just as the sender address on a paper letter cannot be verified, some seemingly important and obvious safeguards are simply absent from these protocols.
In recent years efforts have been made to prevent fraud and secure the email protocol; one of the most important is SPF, the Sender Policy Framework. If you received an email like the ones above, the most likely problem is that your mail server neither publishes nor verifies SPF. How to test for and fix this problem is described below.
How to test and set up SPF for a domain
The idea behind SPF is that the domain owner declares which IP addresses are, in their view, permitted to send email on behalf of their domain. For example, if your email address is info@amnpardaz.com, the owner of the domain name amnpardaz.com is entitled to designate its outgoing mail servers.
How do I test whether SPF exists?
Suppose your email domain is amnpardaz.com and you want to check its SPF status:
- Open the Windows command prompt (cmd).
- Run the command:
nslookup -type=txt amnpardaz.com
- The output will look something like this:
Non-authoritative answer: amnpardaz.com text = "v=spf1 mx -all"
- The quoted expression is your domain's SPF value. If you do not see an entry of the form text= in the output, your domain has no SPF configuration.
Besides merely existing, the SPF record must also be correct. Online SPF checking services can help with this.
Also note that the SPF record usually must end with the term -all to be effective. Without this term, other IPs and servers will still be permitted to send email on your behalf.
How to configure SPF for a domain
To configure SPF, go to the control panel for your domain name (DNS). This panel differs depending on where you bought the domain name; contact your provider if needed. Note that only the domain name owner is permitted to configure SPF.
To configure SPF, you must set a DNS record of type TXT on your domain. For most uses, one of the following two values is sufficient:
- v=spf1 mx -all
- or v=spf1 ip4:11.22.33.44 -all (replacing 11.22.33.44 with your server's IP)
- In rare cases, if you use another provider (such as Gmail or …) to send email, you may need more advanced settings, which you should look up in your provider's documentation.
To understand the meaning of the terms inside an SPF record and configure it correctly, read the SPF documentation. If you have any problems with this configuration, get help from your DNS provider or the relevant specialists.
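To make the two checks above concrete (the record must exist and must end with -all; other hosts are only rejected when it does), here is an added example that is not part of the original article: a small offline SPF record auditor and evaluator in Python. The sample records, the 11.22.33.44 address from the text and the sender IPs are constructed; mx, a and include terms need real DNS and are only reported, not resolved.

```python
import ipaddress

# Constructed sample records: the two forms recommended above, plus one without -all.
SAMPLE_MX = "v=spf1 mx -all"
SAMPLE_IP4 = "v=spf1 ip4:11.22.33.44 -all"
SAMPLE_OPEN = "v=spf1 ip4:11.22.33.44"  # constructed: missing -all, so ineffective

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a TXT record into SPF terms as (qualifier, mechanism, argument)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None  # not an SPF record at all
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # SPF default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def audit_spf(record):
    """Return the problems a domain owner should fix, following the guidance above."""
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record (missing v=spf1)"]
    last = terms[-1] if terms else None
    if last is None or last[1] != "all":
        return ["record does not end with an 'all' term; other hosts may still send as you"]
    if last[0] == "+":
        return ["'+all' allows any host to send as your domain"]
    if last[0] in "~?":
        return ["'%sall' only soft-fails or is neutral; use -all to reject forgeries" % last[0]]
    return []

def evaluate_ip4(record, sender_ip):
    """Offline result for a sending IP: only ip4 and all terms can be decided here."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record) or []:
        if name == "ip4" and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("mx", "a", "include"):
            return "needs DNS lookup for %s" % name
    return "neutral"  # no term matched: SPF's default, i.e. the forgery is not rejected
```

Running evaluate_ip4(SAMPLE_OPEN, "5.6.7.8") yields "neutral" while SAMPLE_IP4 yields "fail" for the same IP, which is exactly why the text insists on the trailing -all.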
Last step: configuring the mail server
So far you have prevented forged email from your domain from being sent to others. But does your own mail server honour SPF?
In the last step, your mail server must be configured to check SPF on incoming email and discard forged messages. This configuration differs for each type of mail server, so consult your mail server's documentation.