Warning of a potential keylogger script running on the forum

[donoghu]

Hey guys!

I really hate to do this kind of stuff, but better announce it now and letting people be prepared than to shut up about it and see it pop-up for others.

What's following is only an assumption, but all the hints I could gather points toward this.

I got some kind of bad news for some of you.
Seems like some kind of system/software/virus/whatever might have been placed in one way or another which act as a keylogger.

I haven't done a lot in the recent week in terms of checking stuff online so it's not that hard for me to get an idea of where things might have gone wacky.

Today, I have received an email from a prick telling me that he know one of my password (he does give it out).
That password is the password I use on this forum and it's different from my other passwords.
(Usually, when I join a forum or other kind of system that has a database that can be cracked open more easily than something like the server of a bank system, I use an unique password. After all, a forum like this uses a relatively "open" system that can be cracked open like an eggs relatively easily if you know what you have to do.)

This is what makes me warn you as I'm usually using the Private mode whenever I'm on the web (especially forums) as it clear the cache after closing it automatically. (Making it more secure if, next time, something tries to get access to that cache.)

Now, I'm not saying that the forum itself is affected, but more that there's potentially something on it that do act as a keylogger.

Here's the 3 potentials sources which could have "acted" as keyloggers:
• The forum itself. If there's some code inserted into it while the administration wouldn't be aware of it.
I doubt that this is the case because it would have surfaced like a plague.

• An advertisement API being exploited by an exterior party.
For those who doesn't understand, basically an ads also act as a local keylogger. For sure, if the keylogger would have been installed outside of the browser, it wouldn't be as easy and many would have been receiving some notice that something is fishy by their PC security (be it anti-virus, web security, etc.)
This means that it could be a passive thing that only affect the forum's website such as a keylogger that only scan while it's on the page and only scan activity in the forum's page. (Basically, registering all inputs done while the page with the funky ads is loaded.)

• Through a Vimeo's video, the keylogger could have been loaded.
In the last week, the only kind of stuff that has been "loaded" through my PCs are YouTube and Vimeo. The thing though is that, in relation to this forum, I only have watched embedded Vimeo videos up to now in my private message. I'm not pointing fingers and I won't share the name of those who have PM me just out of fear.

For now, I did have replied to the scammer as there are many things that doesn't make sens in his demand while, at least, the Password was actually the password of this forum and it's not a word you find in a dictionary. Basically, he contacted me through a different email from the one I have used for the forum. He did it through one of the most easiest one to find which is on my Freelance Website. (If you know the name of my freelance business which I have already displayed around on the forum, it's not hard to find it in the next minute.)

People who would have access to more than the forum information would mostly have contacted me through another email, knowing that it's more "hidden" and less public. Funny enough, I guess this is due to the fact that the email I have used for this forum hasn't been shared yet on the forum. The guy haven't done a really good job at hunting up my info.

There's also another point that made me wonder... and that's the fact that the amount requested out of me was relatively higher than the usual scamming amount, if I look at other example online. The scammer asked me for $7,000 to be paid in Bitcoins. Usually, this kind of scam doesn't aim so high and goes for around $500 to $600 as it's clearly not everyone who has so much money as $7,000 in their bank account. This means that the scammer has an idea that I may be able to afford such a price (which I am not btw). I shouldn't have to remind that the subject of this forum is primarily products that range at grand (1,000) as a entry-level.

There's the possibility that the scammer might be one of us or someone who has access to the forum's database up to a point.

Still, there are the points that point toward the forum as the source:
• Unique password that is only used on the Forum.
• The scammer is aware that I "might" be able to afford $7,000
• $7,000 is an amount that could be easily linked to Real Size Dolls' purchases.
• The scammer was able to link this account to my business which, to be honest, can't easily be done unless I have stated it.

I haven't wrote that I'm a freelance and haven't given my business name for quite a while, prior to this forum. You could say that this forum is the most "up-to-date" source of information on it with the exception of Facebook which I use 1-2 times per month.

If the scammer ever reply to me as I asked me for more proof that a single password that's only used on 1 forum on the web, I'll give you an update.

In case you wonder what he "will do" if I don't pay him...
Basically he supposedly have recorded me going onto porn website and have recorded it with my webcam and If I didn't pay him back in 24 hours or if I replied to him, he would have send the video to my 9 contacts. (Who are those 9 mysterious contacts? I don't know.)

By the way, funny fact is that my only webcams are the ones on my phone and tablet as well as the one on my laptop. I haven't visited this website with neither my phone nor tablet so there shouldn't be any kind of trace related to the password I was used on this forum. The laptop webcam... well... if he did was able to make it run, that means he would have done quite a lot to make it work as it's not just turned off by software, but I cleaned everything in the PC about it up to the point where Windows doesn't even detect that I got a webcam in the laptop.

Just in case... if it wasn't a keylogger or the database being hacked, it could simply be a kind of password analytic system.
I can't tell if there's anything kind of security measure on the forum when it comes to having an massive amount of failing attempt to login.
If an admin can have access to such things as the amount of failed attempt to login with an account on the forum, we could rule out this possibility.

What's a password analytic system? It's a software that tries many variation of password to enter another system.
To be honest, when I decided of a password for my account on this forum, I took a really simple password with no symbols nor number. Just minuscules letters. The weakest kind obviously. A word I have though on the spot. If you were to use a password analytic system and tryout combination of only the letters, it could easily be cracked on a system that doesn't have anything against repetitive failures to log in. This forum uses a really basic and unprotected system that can easily be countered. (I tried it by entering my account and a wrong password.)

I don't want people to stress over all of this.
If this only happens to me, this means that it truly is a keylogger from another source or maybe from one of the PM I have received in here.
I did made things relatively simple for anyone with a bit of a brain to be able to do it: writing about my freelance job and having a simple password.
Makes it easy to get access to my business email address.

In a way, that's why I didn't care as making things unique each time allows me to easily retrace things.

Of course, I have already changed my password on the forum. It's now much more complex, but still unique and different from all my other password.
Wonder if another scammer will try to ask for money with that new password?

[kambui]

Maybe your PC is infected?

[Gundam]

Hmmmm. I use a separate VM for this so I am not worried about anything except what I do here. I will say, something in here has been acting very strange lately as this VM gets really bogged down over the last two days and I have to kill the VM and reboot. I was wondering if it wasn't some script. I will try some trouble shooting myself later when I have time. But this might answer why I am getting so slowed to a crawl. Again, this is the only app running, other than Xviewer. I also have a page open to an email I only use for Doll stuff here.

Thanks for the update and warning of this potential problem.

[donoghu]

Maybe your PC is infected?

There's multiple reason why I can confirm that this isn't the case.

1) I did, just for the sake of it, made whole batch of scan on both of my PC.

2) In the last 3 weeks, the only places I have been, online, are the following:
Facebook
Amazon.ca
Ebay.com
dollforum.com
mangafox.* (it changes the * every couple of months)
ups.com
*some porn site*
*Real size Dolls websites*
AbiExpress.ca (only visited. Haven't bought anything nor created an account)
My bank's website

Now, here's the thing. Out of all those website, the only password they sent to me is the one that has the least value.
If the scammer was to send me the password of one of my 2 bank account, I would have shat myself. That would have been one huge "I got your info due to a keylogger" crystal clear message. But no... Instead, it sent me that lousy bad password that comes from the least secure website in the small amount of websites I have visited.
I'm not writing that there's "no security" here... but let's just say that I could probably create my own "password cracker" in a few week for this forum.

If you fails to type the right password on this forum, on the 4th time, it request you to answer a question. If you hide behind a fake IP, it never request any question at each fails. The question asked is not an image, but an actual copyable and scanable text like "How many X is in A,B,C,D, etc." Sure, for anyone, that sound well secure because "how can someone know the answer to a random question?", but what if I told you that all the questions can be easily accessed and answered. That's why image based captcha's are much more efficient as, at least, it takes a lot more time to detect the "content" generated than a bunch of words.

3) Anything sending data outside of your PC is traceable.
In fact, just to make sure, I did check what kind of packet was going out of my PC and their size. I did it both with the PC is sleeping, when no software are opened and when when a browser is opened. The packet were clear and totally not big enough to allow someone to have any kind of image nor sound. All packets have a clear ID and while you might not be able to know what's inside, you can know where it's going. This makes you able to know if that's a packet send to Window's update server or to your antivirus or to strange IP that returns you a relay in the middle of nowhere. The later would be a sign of someone gets data from you and tries to hide his identity.

One of my PC runs Windows 7 and the amount of data going outside is insanely small and easily traceable.
My laptop runs Windows 10 and it took quite a lot longer for me to check things out as the number of stuff sent by the PC is 12x higher than the PC with windows 7. Still, I took the time to check each of those nifty little packets' info.

This means that unless our little scammer is getting his little keylogger information through some kind of really big corporation (not impossible... but hugely improbable), the data, when I checked it, clearly wasn't "leaking" off somewhere. (It's impossible to completely hide packets from being sent. Think of it as the post office system. No address on a postcard and the postcard never leave the room. Packets has the same kind of stuff. They have a "content", a "Sender" which can be falsified and a "Receiver" which has to be the right address and is traceable or the packet never leave the PC.)

I know that some will point toward my *some porn site* and I agree that there's clearly a risk there. The thing though is that I only visit sites that allows me to run NoScript at full force. What's NoScript? Simply put, it turn off all scripts in a page from even starting. I only turn it off for some embedded videos (which is why I stated that embedded Vimeo videos as a possible source). Image based ads can run, but anything that runs on Javascript or embedded C++ doesn't run with that. For example, if you have an ads that play a video, the video script is stopped when the page is loaded.

I won't say that the chance of my PC to be infected is 0%. That's impossible. But I will say that, if I was really infected and it was that much hidden and impossible to check, why going for that password and not something of higher value? Why not accessing my business bank account or my personal bank account? Why going for the most crappy information of the whole bunch?

Also, that 9 contacts is a bogus for sure. Where are those 9 contact coming from? Even on Facebook, I don't have 9 friends.
In my emails? I got way more than 9 contacts... If you count the email the scammer used? That's less than 9 contacts... Actually, that's like 5 or 6.

As a freelance, I use at least 3 different emails based on the "status" of the one who contacts me. One is general in case I end up with more than myself in the place. One is for my "public" personal email which includes a nifty amount of spam. The scammer used that one btw. The last one is one I keep for the customers that keep returning for more of my services. Call it the VIP email. For everyone of my customer who has it, I make their sign a contract of confidentiality over that email as, in exchange, they become my priority list when they need me.
That's without considering that I also got a couple of emails that runs with GMail and Outlook (Hotmail) as it allow me to easily access files customers might want to sent to me.

Now, you might think "Maybe it's one of your customers that sent you the virus?", but even that can't be true as, right now, it has been over 5 months since I had my last customer's email. I'm on a semi-break of graphic design as I'm working on my video game project and also as I had (previously) a side-job in a grocery store with around 32h/w of work. Why would it takes them so much time to get a password and ended up with the one I use for this forum?

If you want to scam someone out of his/her money, you got to sound dangerous. That guy (I guess it's a guy with the fake name he used) was a joke.
Sure, initially, my heart did skip a beat because my reflex was "why is one of my passwords in the title of an email?" but once I have read the email, I was like "That's it? The guy got my password for DollForum.com? Really? No proof that he has anything?" Just "***** is your password! I recorded you while you were on porn site. Send me $7K in 24 hours or I'll sent the video to your supposedly 9 contacts!"?

In the reply I sent back, I asked for a picture of myself, if he did really have access to my cam... Or at least give me some emails of those contacts... Or even the video I have watched since he told me I had good taste. Literally wrote to him "Put some meat around the bone you have sent me!"

[Note that the following text is not about a reply, but about his original email. Sorry if it's confusing, but I just wanted to push the knife deeper about how crappy his email was written.]
As funny as it is, he wrote that he have placed an hidden pixel in the email so he knows I have read it. He might have forgotten that... a pixel means that it's an image and we can trace back such thing. I opened the email in an totally exposed way (all codes and scripts) and guess what? No pixel neither as an image nor as a reference code!

This is why I don't want people to be alarmed by this. That guy is a joke and mostly a scum. For some reason, he had access to that one single password and that's the only reason why I took it much more seriously than simple spam and wrote about it here.

[Gundam]

I just installed "NoScript" and "Ghostery" on my browser just to be a little safer. I checked the URL for this server at "VirusTotal.com" and it seemed clean to them but it appears this site hasn't been scanned in months, so if this is relatively new, they wouldn't know about it. Would like to see the admin here do a scan. I can see the NoScript is blocking a script from this page and as far as I can tell, I am not missing any features. So not sure why there is a script that is trying to run. Probably nothing malicious, but who knows?

[haremlover]

I have half a feeling that it's most probably your own computer which is infected or has been compromised.

Best wishes

Harem

[donoghu]

I have half a feeling that it's most probably your own computer which is infected or has been compromised.

Best wishes

Harem

Just finished over quite a bunch different scans and it all returned false.

Thinking that it's my own computer that is infected, right now, is like if a surgeon never noticed that he has cut his hand from 1 side to the other as he's cleaning his hand after a surgery. What I did in the latest hours is cleaning out the "blood" from the PC to see if it's mine or someone's else. For now, no wounds in my PCs.

Like I wrote, I can't pin point how someone (if that's someone) found out about my password. Remains that the password comes from this forum one way or the other. Funny enough, the scammer knows my password yet doesn't know my name and used the first part of my email address as a name which makes me think that this isn't just a person, but maybe a semi-automated system.

Thing is that I know how I would do it (with 100% chance of success as of right now) to get it at least my password on this forum.
That's something you can easily learn if you launch your own forum. It's not easy to do and succeed, but it's easy to learn. My old password had 7 minuscule letters and my account name (which can be used to login) is right there in the list of recent posts.
I would estimate the number of attempt to log in with different passwords to be around 80,000 and 125,000 attempts before reaching a positive result. As I previously state, the security when a password is "wrong" is a joke on the forum and any basic password cracker could work around it after a while. That's if someone tries to brute-force his way into my forum's account. If that someone had access to the admin accounts or even better to the hosting server of the forum, finding the password of the people around here would be a breeze and all that is required to try to try to anonymously scam them would be to know a way to email them.

Not only that, but that password only exist since 3 weeks and, during those 3 weeks, I can remember all my activities on my 2 PCs.

In a sense, you could say that, right now, I'm a no-life guy doing nothing much out of his life as I'm on my break before resuming my work. I can count on my hand the number of site I have logged on in the last 2 months and a majority of them uses Facebook to or Google+ to log in. (If you wonder what I have been doing with my time, that would be simple: Cooking, watching Youtube stuff, reading at the local library, shopping at the grocery store, swipping on Tinder, playing video games on the XBox One.) The reason is because of my legs which were in a damaged state due to my last job where I ended up pushing stuff that weight over 1900 pounds around. I had some early cases of Patellofemural syndromes in both of my legs. It only been a week since I started to walk as much as I was before (and it been over 2 months since I started having problem with my legs)

Anyway, I have given my piece.
If it's my PC who's infected, there's nothing that can detect it right now and it's magically going out of my PCs without going through the Ethernet cables. (I don't use wireless connections with my PCs.)

If your password on the forum is the same as something else that is important to you, I guess I would say "you should change some passwords" just in case, but that's only if what happened to me doesn't scare you.

[jackbeenimble]

It’s a phishing scam going around...

https://krebsonsecurity.com/2018/07/sex ... passwords/

[SynthetikReality95]

Citizen,

I am with the FBI CyberIntelligence Division. Your computer and it's data is forfeit under the Patriot Act of 2001. Do not delete posts and please desist all resistance of our surveillance efforts, or you will be criminally charged in federal court.. Thank you for your cooperation. God bless the United States of America.

[Nescio50]

To us security is very important. The system may not be as save as a banking system using a two-phase authentication, but we are careful. We have our own dedicated servers and only a very *VERY* limited number of people have a little access to them.

If our database was hacked, for sure there would have been more reports.

Also, please know that scams like this are in the news today. Are you sure you never used this password before? As right now there are scams saying they have info about you. One of the scams in the news is that they are telling you that they hacked your webcam and recorded a vid while you were watching porn and they will publish this vid if you don't pay. To put up the pressure they tell you your password. But they got these passwords not from you visiting an adult site, they got these passwords from a data leak some time ago (not from TDF!). Also they didn't hack a webcam. They just try to scare people with passwords and email addresses they got from some data leaks. So that's also why you may receive such a scam without being hacked. Advice from authorities is never to pay.

[Phreddie]

Donoghu,
Thank you for the information, I happened to be on the server a few days ago while upgrading some of the sister sites. Any time I'm on I do a general security sweep (check to see if anyone else had logged in, do I recognize all IPs, firewall still running, packet counts on the various rules look reasonable (hasnt been reset)), and since I was updating software on Doll Album, I had also checked out the database to ensure that there was no sillyness like it listening on an external port, nor allowing access for users outside of localhost.

You had mentioned that the password you used here is unique, but is it also unique compared to any sites you used 10 or 20 years ago? Its interesting that the email they used to contact you is not the one you used on the forum. I'm really wondering if you did indeed use this password way back, along with your freelance email address.. possibly on a site that you long since forgotten about.

Additionally, we don't use insane ads with api backdoors here that gather and track user's info like many other sites. They are simply images with links.

I have also checked to ensure no one else has logged into your account on the forum from a different IP. If someone were targeting you specifically, I would imagine they'd at least verify your password worked here. Additionally, due to the nature of this site, if they wanted to hold something against you, it would be far more advantageous for them to spell out a sex doll site, or something of the like other than "porn site".

The other issue is that if you replied to the email, then you are telling them that they are on the right track, and you are worried. Now that they know someone is behind the email, they'll scour the web for more information specially tied to that email address, and utilize anything you've said to their advantage, either against you, or just the next scam in general. One of my old tricks with friends is telling them one small vague piece of information, then they assume I know more, so they tell me more, and now I have yet more information. "Hey! how did you know I went to Walmart on tuesday and bought a ps4?" "Uhh.. because you just told me.... all I said was I hope you are having fun with your latest purchase".... Of course this is over-simplifying, and a password is more than just trivial information. But so many times, I've also heard of people replying to such emails saying "oh yeah? Well, I don't have mac, I have a windows 10 box, an android galaxy 6, and drive a honda accord".. And I always so to those people "are you seriously trying to convince a scammer he's a scammer by pointing out the flaws in his scam, so he can better himself"?

I do realize that those emails can be scary. The a few I've gotten over my 30+ years online were a bit freaky, but the more I know and understand, the better. Especially now that you can grab a phrase out of the email, pop it into google and see that its a form-letter.

Also, did you follow jackbeenimble's link? Interesting read...

On another note, more on point, we'll be addressing some security issues (re-checking the # of brute force attempts before blocking users, etc..) As mentioned, since we OWN our server, we do have some extra security put in place that's not as common (or vulnerable) as the typical shared server.

[ThePope]

Keyloggers run on your computer, and doubt they have the expensive tech to run a webcam remotelywothoit you knowing. Their script betrays poor technical knowledge on their part.

This is a new type of scam, so I wouldn’t worry about it:

https://krebsonsecurity.com/2018/07/sex ... passwords/

[Forb]

Maybe it was the Russian router hack. That affected millions of routers in use today. https://www.tomsguide.com/us/russian-ro ... 27288.html

Just some of the affected routers:
Linksys E1200, E2500 and WRVS4400N; the Netgear DGN2200, R6400, R7000, R8000, WNR1000 and WNR2000; and the TP-Link TL-R600VPN SafeStream VPN router.