New Extortion Tricks: Now Including Your (Partial) Phone Number!

Published: 2018-08-13
Last Updated: 2018-08-13 19:46:13 UTC
by Didier Stevens (Version: 1)
4 comment(s)

Barely a month after we saw extortion emails appearing with leaked passwords (New Extortion Tricks: Now Including Your Password!), we are now seeing extortion emails with partial phone numbers.

Like this example submitted by a reader:

For a couple of emails, we were able to verify that the digits of the partial phone number match the actual phone number of the owner of the destination email address.

We don't know yet what source the extortionists use to obtain email addresses paired with partial phone numbers, but I think it is unlikely to be a data breach (as it was with the password extortion emails).

A classic data breach with phone numbers would contain full phone numbers, and I don't see why the extortionists would mask most of the digits.

They must have another source, and that's where we ask for your help: what ideas or remarks do you have?

We came up with possible sources like WHOIS data or password reset mechanisms that reveal only some digits of the registered phone number, like Gmail's account recovery prompt:

Please post a comment with your idea, and if you received a similar email, please consider submitting it.
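As a worked example added here (it is not part of the diary and not the handlers' own tooling), the check described above can be scripted for triaging submitted samples: pull the masked phone-number tokens out of an email body, compare the visible digits against the recipient's real number, and record which positions are exposed. The mask characters recognised, the helper names and the sample email text are all assumptions made for this example.

```python
import re

# Characters assumed to be used for hiding digits; the diary's screenshot is
# not reproduced here, so '*', 'x', '#' and the bullet are guesses.
MASK_CHARS = "*xX#•"
# A run of digits/mask characters with phone-style separators, optional leading '+'.
_TOKEN_RE = re.compile(r"\+?[\d*xX#•](?:[\d*xX#• ().-]*[\d*xX#•])?")
# A leading country code such as "+1" or "+32" is stripped before comparison.
_CC_RE = re.compile(r"^\+\d{1,3}")

# Constructed sample (not a real submission) standing in for an email body.
SAMPLE = ("I know your phone number ends in +1 (***) ***-4567 and I have your password.\n"
          "Send 0.5 BTC or I release the video.")


def _symbols(masked: str) -> str:
    """Digits and mask characters of a masked number, minus any leading +CC."""
    body = _CC_RE.sub("", masked.strip())
    return "".join(c for c in body if c.isdigit() or c in MASK_CHARS)


def find_masked_numbers(text: str, min_len: int = 7) -> list:
    """Return substrings that look like partially masked phone numbers:
    at least min_len symbols, with at least one digit and one mask character."""
    found = []
    for m in _TOKEN_RE.finditer(text):
        sym = _symbols(m.group(0))
        if (len(sym) >= min_len and any(c.isdigit() for c in sym)
                and any(c in MASK_CHARS for c in sym)):
            found.append(m.group(0).strip())
    return found


def exposure(masked: str) -> dict:
    """Count visible digits and the length of the leading/trailing visible runs;
    the trailing run is what password-reset prompts typically expose."""
    sym = _symbols(masked)
    leading = len(sym) - len(sym.lstrip("0123456789"))
    trailing = len(sym) - len(sym.rstrip("0123456789"))
    return {"length": len(sym), "visible": sum(c.isdigit() for c in sym),
            "leading": leading, "trailing": trailing}


def matches_real_number(masked: str, real_number: str) -> bool:
    """True if every visible digit agrees with the recipient's real number.
    Comparison is right-aligned so a missing country code on either side does
    not matter; a mask longer than the real number cannot match."""
    sym = _symbols(masked)
    real = "".join(c for c in real_number if c.isdigit())
    if not sym or len(sym) > len(real):
        return False
    tail = real[-len(sym):]
    return all(s == r for s, r in zip(sym, tail) if s.isdigit())


def triage(text: str, real_number: str) -> list:
    """One record per masked number found: the token, its exposure pattern and
    whether it matches the recipient's real number."""
    return [{"token": tok, "matches": matches_real_number(tok, real_number),
             **exposure(tok)} for tok in find_masked_numbers(text)]


if __name__ == "__main__":
    # Assumed recipient number for the constructed sample.
    for rec in triage(SAMPLE, "+1 555 123 4567"):
        print(rec)
```

The "trailing" count is the figure to compare with the masks seen in password reset prompts: if many submitted samples expose the same positions, that supports the reset-mechanism hypothesis over a breach, which would normally yield full numbers.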


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com


Comments

What about people finder/reverse email lookup type websites? One of those sites one time showed me the first seven digits of my phone number.

From Alert Service <q3950173@126.com>
BTC Address:
1NQrcoefW8Ky33oEMC57vqD6KuFY4h7crS
I received a similar email with 4 matching digits at the end.

To the best of my knowledge, the only SMS password reset process that I use that displays 4 unmasked digits at the end is the Windows 10 store. The others use 2 digits.
Pretty sure it's Google also. Every thirty days we have to re-register the device we are using to access our corporate email account. Google uses our cell phone number to verify who we are. My company uses Google for everything now. Since we switched to Google there have been so many phishing attacks!
