I got tricked into visiting the former resume website PJScout.com, where scammers captured my login and then used it in a failed attempt to extort money out of me. Here’s how to avoid my fate.
There used to be a jobs website called PJScout.com. It still exists, technically, although it’s essentially defunct. But at this point I have evidence that the site has been compromised in some way and now serves as a trap for hackers/scammers to capture your login email address and site password(s) so they can send you extortion spam. As a result, it’s likely not even safe to visit PJScout.com in order to disable your account. And if you’re like most people who use just a few passwords everywhere, then you’re going to want to change your password at any other site where you used the one from PJScout.com.
Let me add a necessary caveat, however: A review of the news (mostly out of Europe) and a few sites like the EFF indicate that this scam is on the rise and that the scammers are using hacked passwords that were released on the dark web. I know one of the passwords the scammer(s) used to try and catch me up was compromised over ten years ago, so it’s possible that both passwords are floating around the dark net somewhere. And it may be coincidence that the scammer(s)’ timing was right after someone had probed PJScout.com looking for my password – twice – and shortly after I visited the site to update my information. But I don’t think it’s coincidence and I’ve written this accordingly.
With that public service announcement out of the way, it’s probably useful to some people how I figured this out. The story lays out a few signs I missed at the time (or attached too little importance to) and tips to help you not get tripped up by scams like these, and I’ll dissect the scam emails themselves in a later post. Finally, I am not an internet security expert. My tips are just that – tips – and should not be taken as the only or best ways to protect yourself from extortion scams.
Early warning signs
This last August, I was checking my email when I got an unexpected email from PJScout.com. Someone had tried to log in and had clicked on “send me my password.” So PJScout.com sent me an email with my password – in plain text [Sign #1]. There was a link in the email to contact the webmaster at PJScout.com if I was not the person who requested the password, and so I did. The next morning I received a “could not deliver this message” warning [Tip #1], indicating that the contact email address for PJScout.com was not functioning [Sign #2].
This was the point at which I probably should have given up PJScout.com as a dead website and scammer trap, but I didn’t. Now I know better.
A few days later I received a second email saying that someone had requested my password – again sent in plain text. And this time I decided to visit the site and figure out what had happened and change my password. However, I knew that someone had been probing my account, so I was wary. Not wary enough, unfortunately. What I found at PJScout.com was a pretty bare-bones jobs website. It had been 15 years since I visited last, but if they were still doing much business, they should have had a much more modern website design [Sign #3]. I logged in, changed my password from my ancient and compromised password [Tip #2] to another old password (just in case the site had been compromised), and left, thinking “even if the site is compromised, at least they won’t get one of my secure passwords that actually matter.”
Then, about a month ago, I woke up to discover the first of what would become dozens of extortion spam emails. So far.
The first email was very similar to the one in the footnotes below, Scam Email #1 (I’ll go into detail on others like this in a follow up post). The scammer claimed to have hacked my computer, downloaded my porn history and contacts list, and was threatening to send that history to my entire contacts list if I didn’t pay up within 48 hours. The scammer included no details on how they got my old email address or how they hacked my computer, but they did include a scammer alias, an amount demanded, and a bitcoin address to which I was supposed to send money.
Naturally, my initial reaction was “oh shit!” Not because someone was trying to blackmail me over my porn history, but because someone might have got malware on my computer or hacked my email. But with a little careful Googling [Tip #3], I was able to determine that this was a scam, and so I reported the email as spam, ran a virus scan and malware scan (from different providers, and neither turned up anything) and then spent an hour updating my new email provider settings to catch spam like this more easily.
Over the next couple of weeks I received another dozen or so very similar scams. The only difference seemed to be the alias of the scammer, the amount being demanded in bitcoin, and the bitcoin account to which I was supposed to send the money. Except that the amount demanded kept increasing, even in cases where the bitcoin account was the same. It’s almost as if the scammer was trying to dial in the right amount to ask for to maximize his return. But if I wasn’t going to pay $500 to protect my porn history, why would I suddenly pay nearly $1,000?
Yet in no case was my porn history or other incriminating evidence sent to my contacts. It’s almost as if the claims to have hacked my PC were untrue. Go figure.
Holy shit, that’s an old password!
And then the scammer (or scammers) got more serious. They sent me an extortion spam with an actual password of mine embedded in the subject. For purposes of reference, let’s call this password “password #1.”
Password #1 was one of my first ever passwords. I first used it in grad school over 20 years ago, and as an eight-digit mix of letters and numbers it was quite strong for its day. It’s been compromised so many times that the only thing I use it for now is low security items that can’t hurt me financially or personally if they get compromised. On second thought, let’s make that “used” as I’ve abandoned it permanently at this point.
Naturally, after my obligatory “oh shit!” moment, I immediately went out into every account that I had which still used that old password and changed it. Not to any of my secure passwords for my banking or personal details, mind you, but to a brand new password that I could remember but still use widely for my low security items [Tip #4]. And I visited the old email site to check if it was still up and running or had been hacked, but it used a different password from password #1, so that indicated that the scammer(s) hadn’t actually hacked that old email account.
While I was abandoning password #1, however, I got to thinking about where the scammer could have gotten password #1, and I remembered that it was the same password that had been sent to me, in plain text, from PJScout.com. In addition, the scam emails have all been coming to a very old email account that has been unusable as email (it’s exclusively for automated spam scanning these days) for the last five years. But the combination of the old email address and the old password was the same as my login and password for PJScout.com when I logged in, and before I changed my password back in August.
This was strong indication that PJScout.com had a problem, but as one of my oldest login combinations, it’s probably available to hackers and scammers all over the world by now. So this wasn’t a smoking gun by any means.
After that scam, I also started researching password managers in order to lock everything down with unique passwords. And I ran not just another virus scan and another malware scan, but I also downloaded a rootkit scanner [Tip #5] from a reputable company. Nothing turned up. Which again strongly suggested that the claims in the scam emails that the scammer(s) had hacked my PC weren’t even bullshit, they were horseshit.
About this point was when the nature of the scammer(s)’ extortion spam shifted a little. The amounts being demanded by the scammers largely stabilized in the $700-$900 range, but the scammers started adding little details that were clearly intended to ramp up my anxiety that they had successfully infiltrated my PC. They started explicitly claiming that they’d used a rootkit or keylogger, and/or they’d say that they had used a specific vulnerability in a website’s router to hack it and then hack me. But even so, I still haven’t seen proof that any of the claims in the email are true.
Wait a second, that’s….
About a week after I received the first scam email with password #1 in it (I’ve since had at least six, each one pointing at a different bitcoin account), I got another email with another of my old passwords (password #2). Password #2 is also a 20+ year old password, but unlike password #1, this one was insecure when I made it and so I have only ever used it for insecure sites.
Like sites where I’m concerned the site’s security has been compromised. Sites like PJScout.com, where I’d intentionally used password #2 specifically in case something like this happened.
After getting a scam with password #2 in it, I committed. I ran yet another virus sweep of my PC, another malware sweep, and another rootkit scan (different from the one I’d done previously [Tip #6]). All came up negative. I signed up for a password manager for the whole family and started migrating every site my wife and/or I use to new, unique, randomized passwords [Tip #7]. I turned on two-factor authentication on every account that has the option [Tip #8].
And I’ve warned my friends and family to avoid PJScout.com like the plague.
Summarizing the case against PJScout.com
I’m very confident that a hack of PJScout.com was the method the scammer(s) used to get my email and passwords, though I can’t prove it beyond a reasonable doubt. I’m equally confident that it was PJScout.com, and not just some extortionist using a list of logins they found somewhere on the dark web, for these reasons:
- PJScout.com’s website is so rudimentary by modern standards that it appears to be essentially defunct as a resume site.
- PJScout.com was being probed using my email address in an attempt to either a) hack the site or b) convince me to log in and “fix” my account, which I did.
- In response to the probing, PJScout.com sent me my password in plain text. No up-to-date or legitimate website has used plain text for password help for years.
- The contact email address (“firstname.lastname@example.org”) PJScout.com’s email said to use in case I hadn’t requested my password is disconnected and my email was undeliverable. This breaks all sorts of rules for maintaining current physical addresses and contact information for all websites.
- When I logged into PJScout.com, I used the old email address as my login and password #1 as my password. That email address is the only address that has been spoofed in the extortion spam I’ve received. None of the scams have used any of my other email addresses.
- Password #1 was my original login password at PJScout.com, and password #2 was the password I changed to when I “fixed” my account.
- The extortion spam started about a month after I “fixed” my PJScout.com account.
I don’t know if the scammer(s) took over PJScout.com and acquired the databases, or if they actually hacked a router at PJScout.com like some of the spam claims, or something else entirely. Regardless, there’s an excellent chance that PJScout.com is the method that the scammer(s) used to acquire the email address and passwords that they used to attempt to extort money out of me.
In a week or so I’ll post examples of the extortion spams I’ve received along with hints about how to ensure you’re not taken in by them if you have the misfortune to receive any yourself.
Tips and warning signs
Again, I’m not a security expert, so please don’t treat the following as gospel.
- Sign #1: No modern website sends login passwords via plain text emails anymore because email is so easy to intercept and read. Always treat websites that still do this today with a great deal of caution.
- Tip #1: If you ever get an email saying that you requested a new password, take it seriously. It means someone is using your email to try and gain access to a website. Always follow up with the site to make sure that they know someone is trying to access your account. Follow up with the contact email address included in the notification, but always check to make sure that the email address matches and makes sense.
- Sign #2: Websites are required to provide email addresses for purposes of reporting problems with the site, and those addresses are required to be kept up-to-date. Sites that fail to do this can lose their addresses and be taken off-line by the organizations who run the Internet. If the email provided in a password notification either a) doesn’t match the site’s domain name or b) is disconnected (you’ll get an “email undeliverable” notification), that means the site is likely defunct no matter what the password notifications claim.
- Sign #3: Modern websites, even deliberately sparse ones like Google.com’s search page, have all sorts of active elements and a look and feel to them that is modern. Care is taken to make the site usable and readable. PJScout.com’s website was poorly designed, hard to read, and used odd color combinations. It had the feel of a site that hadn’t been updated in 8-10 years, if not longer. Be cautious at sites like this.
- Tip #2: Don’t do what I did and keep using old passwords that had been compromised. Once a password is compromised, abandon it and never use it again for anything. If I’d done that, the extortion spam probably wouldn’t have evoked much in me beyond a derisive laugh.
- Tip #3: If you get an email claiming to have hacked your computer and demanding money, grab some text from it that has some distinctive aspect (poor English, weird spelling, bad grammar, etc.) and paste that entire string of text into the Google search. Most likely you’ll find others who have posted about scams targeting them too. To date, I’ve never heard of anyone who’s been targeted by a scam like this who actually had his or her personal information released.
- Tip #4: I don’t know anyone who uses completely unique passwords for every single account. I’m sure there are people in the world who can remember 50 different passwords, but I don’t know any. That said, come up with a method that you can use for each password so that you can use the same password but make each site unique. For example, if your easy-to-remember password was “barf”, you could take the name of the site you’re at and mix the letters “barf” into it to create a site-unique password that you can still remember. It’s not ideal, but it’s at least something you can remember. Or you can use a password manager.
- Tip #5: Rootkits are malware or viruses that embed themselves in the deepest layers of your computer’s operating system (OS). As such, most virus scanners don’t look for them and tend to focus on preventing infection in the first place. Since standard anti-virus programs can’t look at the guts of the OS that they’re running on, rootkit scanners are specialized programs that are designed specifically to look at the guts of the OS, find these things, and remove them. If you suspect a rootkit, you’ll need to do more than just update your antivirus and run a standard scan.
- Tip #6: Don’t rely on a single manufacturer’s products for every protection. Mix and match your anti-virus, malware, and rootkit scanner suppliers. If you use Symantec for antivirus, download Malwarebytes for malware and McAfee for the rootkit scanner. The reason to do this is because each supplier’s products have different strengths and weaknesses, and what might be a good product one year might not be good the next. In this process, I used the same companies for my antivirus and malware scans, but I used two different suppliers for the rootkit scans I’ve run. I’ll probably use a different one again the next time I run a rootkit scan, just to cover my bases. Companies I’ve used in the past for various things include Symantec, McAfee, TrendMicro, WebRoot, and MalwareBytes. I don’t recommend Kaspersky for anything given their connections to Russian intelligence.
- Tip #7: A password manager is a program that keeps track of passwords for you and helps you maintain strong passwords (12+ characters, a mix of letters, numbers, capitals, and symbols, and unique across each site). My research determined that either LastPass or Dashlane would be right for me because my entire family could use it for a nominal fee, but there are other suppliers out there. If you’re going to go the password manager route, do some research on your own and be prepared for a steep learning curve. And choose a very, very strong master password that you don’t use, and will never use, anywhere else for anything.
- Tip #8: Two-factor authentication is when you use a code either sent to you in email or by text to verify your login, or you use a code generated by an authenticator application on your phone. Two-factor authentication is far stronger than just passwords because not only do you need your username and password, but you also have to be in possession of a device that can receive the code that is sent to you by the site as arranged previously. And it is much, much harder to hack that arrangement without physical access to your phone or computer. I highly recommend using it whenever possible, and always for critical personal or financial information.
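Sign #1, Tip #1 and Tip #8 come down to how a properly run site handles credentials: it keeps only a salted hash (so it physically cannot mail your password back, which is why a plain-text password email is such a red flag), answers “forgot my password” with a single-use expiring link instead, and checks an authenticator code for two-factor logins. The following is an added illustration of those three pieces, not code from PJScout.com or any real site; the in-memory USERS and RESET_TOKENS tables and the email address are constructed for the example, and the one-time code follows RFC 6238 (HMAC-SHA1 TOTP).

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Constructed in-memory stores for the example; a real site would persist these.
USERS = {}           # email -> {"salt": bytes, "hash": bytes}; the password itself is never stored
RESET_TOKENS = {}    # sha256(token) -> (email, expiry time)
RESET_TTL = 15 * 60  # a reset link is good for 15 minutes, then dies

def hash_password(password, salt=None):
    """Salted scrypt hash. The site keeps only this, so it cannot mail the password back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def register(email, password):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}

def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

def request_reset(email, now=None):
    """'Forgot password': issue a random, single-use, expiring token for the emailed link.
    Only the token's hash is stored, so a leaked table does not yield usable links."""
    if email not in USERS:
        return None  # the caller should tell the user the same thing either way
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + RESET_TTL)
    return token

def redeem_reset(token, new_password, now=None):
    """Consume the token: it must exist and be unexpired, and it works exactly once."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    register(entry[0], new_password)  # re-hash with a fresh salt
    return True

def totp(secret, for_time, digits=6, step=30):
    """RFC 6238 time-based one-time code (HMAC-SHA1), what an authenticator app displays."""
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)
```

The totp() values below match the RFC 6238 test vectors for the shared secret "12345678901234567890", so you can check the routine against a real authenticator app seeded with that secret.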
One example of extortion spam I’ve received thus far
There’s a lot of header information in these emails that I haven’t posted, and won’t, because there is a lot of information that may be unique to me in the headers. I’d rather scammers not target me more directly than they have thus far if I can help it. I’ve also removed my email address and the bitcoin account for the same reason.
To: [old email address]
Subject: Security Warning. Third party accessed to [old email address].
Date: 24 Nov 2018 02:07:59 +0200
I’m is very good coder.
I am known by my nickname [scammer alias].
I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me and have been spying for you a very long time.
I understand it is hard to believe, but you can check it yourself.
I’m sent this e-mail from your account. Try it yourself.
Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer
and automatically saved access for me.
I have access to all your accounts, social networks, email, browsing history.
Accordingly, I have the data of all your contacts, files from your computer, photos and videos.
I was most struck by the intimate content sites that you occasionally visit.
You have a very wild imagination, I tell you!
During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.
Oh my god! You are so funny and excited!
I think that you do not want all your contacts to get these files, right?
If you are of the same opinion, then I think that $602 is quite a fair price to destroy the dirt I created.
Send the above amount on my BTC wallet (bitcoin): [account number removed]
As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.
Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it!
Since reading this letter you have 48 hours!
After your reading this message, I’ll receive an automatic notification that you have seen the letter.
I hope I taught you a good lesson.
Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere!
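The extortion email above has a fixed shape (a claim of compromise, a webcam claim, a dollar figure, a bitcoin wallet, a deadline, and a sender forged to match the recipient), which is what the mail-filter changes mentioned earlier and Tip #3 rely on. Here is an added example of scoring a message on those indicators; it is not the author's filter or any mail provider's rule. The sample is constructed from the message quoted above with a placeholder address, and the From header is added because the post says the old address was spoofed as the sender; the retired-password list is a constructed example.

```python
import re
from email import message_from_string

# Constructed sample based on the message quoted in the post; the From header is added
# because the post says the old address itself was spoofed as the sender.
SAMPLE = """\
From: victim@example.invalid
To: victim@example.invalid
Subject: Security Warning. Third party accessed to victim@example.invalid.
Date: 24 Nov 2018 02:07:59 +0200

I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me.
I'm sent this e-mail from your account. Try it yourself.
During your pastime and entertainment there, I took screenshot through the camera of your device.
I think that $602 is quite a fair price to destroy the dirt I created.
Send the above amount on my BTC wallet (bitcoin): [account number removed]
Since reading this letter you have 48 hours!
"""

# Each indicator is a case-insensitive pattern run over subject + body.
INDICATORS = {
    "crypto_payment": r"\b(btc|bitcoin)\b",
    "dollar_demand": r"\$\s?\d{2,}",
    "deadline": r"\b\d{1,3}\s*hours?\b",
    "hack_claim": r"\b(hacked|trojan|virus|keylogger|rootkit)\b",
    "camera_claim": r"\b(camera|webcam|screenshots?)\b",
    "self_sent_claim": r"sent this e-?mail from your (own )?account",
}

def score_message(raw, retired_passwords=()):
    """Return the list of indicator names that fire on one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text)]
    sender = (msg.get("From") or "").strip().lower()
    if sender and sender == (msg.get("To") or "").strip().lower():
        hits.append("from_equals_to")  # forged sender: the "I sent this from your account" trick
    if any(pw.lower() in text for pw in retired_passwords):
        hits.append("retired_password_quoted")  # an old breached password used as "proof"
    return hits

def is_sextortion(raw, retired_passwords=(), threshold=3):
    """Flag the message when enough independent indicators fire together."""
    return len(score_message(raw, retired_passwords)) >= threshold
```

Once you have abandoned a password, keeping it in retired_passwords lets the filter recognise the later "here is your password" variants the post describes without that password ever being a live credential again.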