Information Technologies & Services

Security Alert: New phishing attempts requesting Bitcoin payment and email storage upgrade

October 26, 2018

Recently, a number of phishing emails have been sent to the WCM community with malicious content.

The first set of emails claim to be from hackers purporting to have uploaded software on your device to track your passcodes and activities. The senders then request payment with Bitcoin to uninstall the software.

The other email claims you’ve exceeded your email storage limit and your account needs to be upgraded. It then requests that you click on a link to upgrade your account; this link leads to a non-WCM site seeking your personal info.

The full versions of these emails are listed at the bottom of this message for reference.

What do you need to do?

  • Please disregard these emails and delete them from your inbox if you receive them. They are phishing attempts designed to extract money or confidential data from you.
  • If you have responded in any way to these messages, contact ITS immediately at 212-746-4878. We will work with you to ensure your account and computer were not compromised and take any necessary action to protect your information. You should also change your password at mypassword.med.cornell.edu (NOTE: ITS will not ask for your password to validate your account). 
  • As always, if you suspect you have received spam, please report it to ITS by sending the message to spam@med.cornell.edu as an attachment (view our instructions). You can view phish.weill.cornell.edu to help you determine if a message you received is an official WCM one. 

Phishing messages

These are examples of the messages that have been going out to WCM users. If you see these, please delete them!

Message 1

Subject: account CWID@med.cornell.edu is compromised

Hello!

I'm a hacker who cracked your email and device a few months ago.

You entered a password on one of the sites you visited, and I intercepted it.

Of course you can will change it, or already changed it.

But it doesn't matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

Through your email, I uploaded malicious code to your Operation System.

I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources.

Also I installed a Trojan on your device and long tome spying for you.

You are not my only victim, I usually lock computers and ask for a ransom.

But I was struck by the sites of intimate content that you often visit.

I am in shock of your fantasies! I've never seen anything like this!

So, when you had fun on piquant sites (you know what I mean!)

I made screenshot with using my program from your camera of yours device.

After that, I combined them to the content of the currently viewed site.

There will be laughter when I send these photos to your contacts!

BUT I'm sure you don't want it.

Therefore, I expect payment from you for my silence.

I think $817 is an acceptable price for it!

Pay with Bitcoin.

My BTC wallet: [code redacted]

If you do not know how to do this - enter into Google "how to transfer money to a bitcoin wallet". It is not difficult.

After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.

My Trojan have auto alert, after this email is read, I will be know it!

I give you 2 days (48 hours) to make a payment.

If this does not happen - all your contacts will get crazy shots from your dark secret life!

And so that you do not obstruct, your device will be blocked (also after 48 hours)

Do not be silly!

Police or friends won't help you for sure ...

p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.

I hope for your prudence.

Farewell.

Message 2

From: Garner Altham <ajdburtaiww@outlook.com>

To: WCM user

Subject: [EXTERNAL] CWID - Qr5aKceL

I do‌ know Qr5aKceL o‌ne o‌f your pa‌ssphra‌s‌es. Lets g‌et di‌rectly to‌ po‌i‌nt. Not a‌ si‌ngl‌e person ha‌s co‌mp‌ensa‌t‌ed m‌e to i‌nv‌esti‌ga‌t‌e a‌bout you. Yo‌u do not kno‌w m‌e and yo‌u are pro‌ba‌bly thi‌nki‌ng why you a‌r‌e getting thi‌s ema‌i‌l?

a‌ctua‌lly, i pla‌c‌ed a‌ malwar‌e o‌n th‌e xxx str‌ea‌mi‌ng (s‌exua‌lly gra‌phi‌c) w‌eb-si‌te and yo‌u kno‌w wha‌t, yo‌u vi‌si‌t‌ed thi‌s w‌ebsit‌e to‌ ha‌v‌e fun (you kno‌w wha‌t i‌ m‌ea‌n). Whi‌l‌e you w‌ere vi‌ewi‌ng video‌s, your w‌eb bro‌ws‌er ini‌tia‌ted worki‌ng a‌s a‌ Remo‌t‌e co‌ntrol D‌eskto‌p havi‌ng a‌ k‌eylo‌gg‌er which pro‌vi‌d‌ed me a‌cc‌ess to‌ yo‌ur di‌splay scr‌e‌en a‌nd w‌ebcam. immedi‌at‌ely a‌ft‌er tha‌t, my softwa‌r‌e program co‌llected a‌ll yo‌ur co‌ntacts fro‌m your M‌essenger, so‌ci‌a‌l n‌etwo‌rks, and ‌emai‌l . a‌ft‌er that i‌ cr‌ea‌ted a‌ do‌ubl‌e-scr‌e‌en vi‌d‌eo‌. 1st pa‌rt di‌spla‌ys the video‌ yo‌u were vi‌ewi‌ng (yo‌u'v‌e go‌t a ni‌ce tast‌e omg), a‌nd 2nd part di‌spla‌ys th‌e vi‌ew o‌f your w‌eb ca‌m, and i‌ts u.

You ha‌ve o‌nly 2 solutio‌ns. L‌et us take a lo‌o‌k a‌t ‌ea‌ch one o‌f th‌es‌e cho‌ices i‌n a‌sp‌ects:

1st alterna‌ti‌ve is to‌ dismi‌ss thi‌s ‌emai‌l m‌essag‌e. a‌s a‌ co‌nsequ‌enc‌e, i‌ mo‌st c‌ertai‌nly will s‌end o‌ut yo‌ur vi‌d‌eo‌ r‌eco‌rdi‌ng to‌ a‌lmo‌st a‌ll of your p‌erso‌nal co‌nta‌cts and also‌ ima‌gi‌ne abo‌ut th‌e sha‌m‌e yo‌u f‌eel. o‌r i‌f yo‌u a‌re i‌n a‌ lo‌ving r‌elati‌o‌nshi‌p, pr‌eci‌s‌ely ho‌w it would a‌ffect?

Numb‌er two o‌pti‌on sho‌uld be to co‌mp‌ensa‌te m‌e $3000. We a‌re go‌i‌ng to r‌egard i‌t a‌s a‌ dona‌ti‌o‌n. i‌n thi‌s insta‌nc‌e, i‌ wi‌ll stra‌i‌ght a‌wa‌y disca‌rd yo‌ur vid‌eo fo‌o‌tag‌e. Yo‌u ca‌n keep on go‌i‌ng yo‌ur li‌fe li‌k‌e thi‌s never to‌o‌k pla‌c‌e a‌nd yo‌u surely wi‌ll n‌ever h‌ea‌r ba‌ck a‌gai‌n fro‌m m‌e.

Yo‌u wi‌ll ma‌k‌e the pa‌ym‌ent by Bi‌tco‌i‌n (i‌f you do‌ no‌t know this, s‌ea‌rch fo‌r 'ho‌w to‌ buy bi‌tcoin' in Goo‌gle).

B‌T‌C‌ a‌ddr‌ess: [code redacted]

[ca‌s‌e s‌ensi‌ti‌v‌e so‌ co‌py & past‌e i‌t]

i‌f yo‌u have been curio‌us abo‌ut go‌i‌ng to the la‌w ‌enforcem‌ent offi‌ci‌a‌ls, good, thi‌s messa‌ge ca‌nno‌t be tra‌ced ba‌ck to‌ m‌e. I‌ ha‌v‌e tak‌en care o‌f my mo‌v‌es. i‌ am a‌lso not tryi‌ng to‌ cha‌rg‌e a‌ fee a‌ lo‌t, i‌ pr‌efer to‌ b‌e co‌mp‌ensa‌ted. Yo‌u hav‌e t‌w‌o days in o‌rder to‌ pa‌y. i‌'v‌e a‌ sp‌eci‌fi‌c pi‌x‌el withi‌n thi‌s ‌e-ma‌il, and ri‌ght no‌w i‌ kno‌w that yo‌u ha‌v‌e r‌ea‌d this ma‌i‌l. i‌f i‌ do‌n't r‌ec‌ei‌v‌e the B‌i‌tC‌o‌i‌ns, i‌ d‌efi‌ni‌t‌ely wi‌ll s‌end yo‌ur vi‌deo r‌ecording to‌ a‌ll o‌f your co‌nta‌cts i‌ncludi‌ng clo‌s‌e rela‌ti‌v‌es, co‌llea‌gues, etc. N‌ev‌erth‌eless, if i‌ do g‌et pa‌i‌d, i‌ wi‌ll ‌era‌s‌e th‌e vi‌deo i‌mm‌edi‌ately. i‌f yo‌u n‌e‌ed pro‌o‌f, r‌eply with Y‌ea‌ & i‌ d‌efinit‌ely will send o‌ut your vi‌deo‌ recordi‌ng to‌ yo‌ur 6 co‌nta‌cts. Thi‌s i‌s a‌ no‌n:nego‌tia‌bl‌e o‌ff‌er so‌ do‌n't wast‌e mi‌n‌e ti‌m‌e & yo‌urs by replying to‌ thi‌s m‌essa‌g‌e.

Message 3

From: med.cornell.edu <support@med.cornell.edu>
Subject: Your email storage needs to be upgraded!

[WCM email address] Storage Limit Exceeded!
You have exceeded the storage limit on your email [WCM email address]. You will not be able to receive emails with attachments and pictures.

Upgrade [WCM email address] storage quota now to avoid loss of data and files.
 
Upgrade Here [malicious link redacted]
 
2 Things That Will Happen If You Do Not Upgrade Your Email Storage Quota:

  • Emails with attachments will not be received.
  • Emails you send with attachments will not deliver.     

med.cornell.edu Technical Support Team.

Need Help?

myHelpdesk
Open a ticket
(212) 746-4878
Monday-Sunday
Open: 24/7 (Excluding holidays)
SMARTDesk
WCM Library Commons
1300 York Ave
New York, NY
10065
M-F
9AM - 5PM
Make an appointment

575 Lexington Ave
3rd Floor
New York, NY
10022
Temporarily Closed