Who is Nicole really? Who got messages from Nicole? Who is behind the messages? What is the resolution of Nicole’s profile images? Do I really have to be a racist to join her server? This comment section’s purpose is to collect all that information.
First time for me happened last night. Posted it here already, but for the sake of compiling information I’ll repeat it here. I run a DNS whitelist firewall and logged a blocked address
https://cdn-discuss-online.s3.us-east-005.backblazeb2.com/upon opening Lemmy with the message notification. LW cached and served the image for me when the connection to this link was unavailable. I cannot say anything further about what is happening in this connection. I can only confirm that it exists. The moment I saw the message I checked my logs and am certain that this is correlated.
We get one “Suspicious” by Trustwave on Virustotal for that.
What does this mean for people who have received these messages? Should I be worried just about having loaded the image by opening my lemmy messages?
I know as much as you do.
@ada@lemmy.blahaj.zone @supakaity@lemmy.blahaj.zone
Since y’all are both much more technically literate than me, could I ask one of you to take a look at what’s going on with embedded images from the Nicole spam seemingly loading trackers? Is this something Blahaj users should worry about or take steps to deal with?
I’m not sure it’s really worth worrying about ?
My understanding is, they can PM you with a code in the url like xyz123.jpg and then when your browser loads that image they will know normal web server stuff about your browser and device. It’s the same information you share with every website you visit.
They can’t load a tracker in your browser and follow you around the web.
Thanks for the reply, I guess I’m just paranoid about what anyone could do with that information given the political climate in the US right now. I don’t say anything on here that I wouldn’t be fine having read off in court anyway, but a lot of people here do not seem to have the same inhibition, so guilt by association is a worry of mine. Probably unrealistic, but I’d rather be a little paranoid now than extremely sorry in the future.
It’s good to have a healthy level of concern.
Sometimes it’s hard to know what’s healthy and what’s excessive.
They can link your lemmy account to your ip address which isn’t ideal
I'm no expert. In life I am very much a knockoff swiss army knife. I can technically do a lot, but I am the shittiest pair of scissors ever made.
I dislike how obtuse networking stuff can seem. I run a whitelist firewall because it is the easy way to control exactly what I connect to my computer. I have written bad code and will continue to do so. I download sketchy stuff some times, but it cannot escape. Telemetry stuff all gets blocked too.
It is a pain in the ass to initially setup and maintain a DNS whitelist. It must be on a third party device or you’ll need to be super meticulous about how your system is setup. Lots of packages can and do try to bypass a local firewall on the same device they run on. I have to log in and add addresses and ports manually for everything I visit. Still, I can let an AI write code I barely understand and run it knowing it cannot escape. Scripting and configuring your own whitelist setup on a device is not fun. Once option that is reasonable and fairly easy is PC WRT. That is a small business commercial version of OpenWRT. It is just an Asian guy in Texas, but his stuff works pretty well and he maintains it long term. I modify all of my routers to add an external USB to TTL serial module to the port on the PCB. For most routers, the internal UART serial port gives access to the bootloader and OS in ways that are nearly impossible to hide what is happening. I’ve screwed around with PC WRT stuff a good bit and it seems legit. If you are really concerned about aquariums for sharks, this will get you an interface for Open VPN, all the adblock options, and most add on features people configure in OpenWRT.
Ultimately, such a DNS filter is your digital front door to your home. If you run adblock, someone else is closing your front door to old familiar bad actors only. With a white list, I’m only opening my door to those I wish to enter.
It is pretty clear that Nicole is not what they appear to present. It is fishing. If they were relevant they would not spam. The main litmus test for anyone is if they have a diverse and mostly positive post and comment history. Anyone that has a monolithic presence in any one space is fake or potentially dangerous.
In the short term, you can use a client that doesn’t load inline images in DMs. Our tesseract front end is one such client if you’re using a browser.
Thanks for the reply! I’ll check out tesseract.
Has anybody contacted George Brown University, particularly the Dean of the health sciences department? If “Nicole” actually exists, and someone is using her images without her knowledge, this seems like the quickest way to let someone know it’s happening.
I did but I don’t think they trust anyone telling them about some Fediverse with a Lemmy and some bots which post stuff about students attending the College.
Did you show them her photo?
I linked this community.
Is it even possible to track the user who spams with these messages?
Might be in a bigger admin cooperation.
Hey y’all, I know this theory might be a stretch, but remember that this could be someone using someone’s name/face without their permission to harass them or frame them or something. Please just keep that in mind as you dig.
It probably is, it looks like a frame grab from a webcam video.
With what appears to be a bong in shot. I can’t imagine someone using such an unflattering photo if they were using their own face.
This exactly tbh
There is some variation in a college/university name:
- George Brown College
- Toronto Metropolitan University
Extra photos:
Maybe we can get rainbolt involved?
Those all look like screenshots from a video call.
https://www.fortinos.ca/en/store-locator/details/0055 this seems to be the page for the store listed in the Matrix server description. The Matrix description really makes this seem like someone is doxxing her tbh.
I think is a funny meme and everything but I feel uncomfortable with people sharing her pictures. I doubt the real person on the pictures gave concent to this.
I’ve had three, all identical messages, all from different usernames and accounts. I haven’t followed any of the links.
Everyone who got a Nicole message: Please get in touch here, you all might have something in common.
i’ve registered on lemmy.sdf.org just recently and i’ve already got 3 spam messages from her…
I got a message from the username but without an image.
I live in Toronto.
Not sure there’s much else I’d be willing to divulge. I’d bet that this whole thing is somebody trying to harass this poor woman though.
without an image
I thought so, too, but I switched to “Private Browsing”—which disables most of my extension—and opened my inbox there, and there was the image. Went I went back to my normal browser where the tab was still open, there was the image, too. So it just seemed like it took a very long time to load.
The image URL was
https://quokk.au/pictrs...which is another Lemmy instance, and the message was from bogymanstout(at)quokk.au. So the image wasn’t hosted externally to the Lemmiverse, so it can’t really be a deanonymization attack like some people were theorizing. There’s nothing else in the message. No tracking pixels or anything.On the other hand, it’s a very small instance with only 8 communities. The largest of which, world news, has almost 1,000 subscribers. Not impossible to be a fake instance designed for spying, but seems unlikely.
Update:
I just opened my inbox in a normal window again, and Firefox simply refuses to load that image in my inbox. I don’t know why. It loads fine if I open that URL in a new tab.
I recently read an article that broke down a webp vulnerability that was being actively exploited. Which of course I can’t find right now.
If I had access to my PC at the moment I’d pop open the image itself and see if I could find any odd strings anywhere inside of it. I’m sure someone better at this stuff than I could take a deeper dive into the image itself if so inclined.
The only webp exploits for which I can find articles are from 2023. Some new articles, but still about the 2023 exploit. Both in Chrome and in iOS.
The first step would be to see if the “PNG” file is actually a webp file. To see if what you’re saying is plausible.
However, if there were a new, unpatched webp exploit, there’s zero reason to spam users with DMs when you can just post the image in popular communities. It could be any image and there’d be no reason to keep sending images pretending to be a girl looking for friends.
It’s the links in the image which are important to the attacker. Originally they weren’t in the image and it was easy for admins to filter them out, so the attacker took the time to embed them in the image. This points to traditional catfishing and pig butchering as the attack.
Then again they could be playing 4D chess and masquerading the real attack as simple catfishing.
Update
Oh. My. God.
Byte
Ox000cbb7fcontains the word “Cum”!
They’re trying to poison our minds!
It’s just a normal PNG file.
Thanks for the insight.
The article I read was recent - within the last week or so. Maddening that I can’t find it again. Should have bookmarked it.
Anyway, that all scans. Figured it was a possibility even if it wasn’t likely.
I only got one after I mentioned somewhere that I hadn’t gotten one yet. It wasn’t immediately after, but close enough to make me suspicious.
Received it after leaving a comment in gonewild. Prime hunting grounds for lonely guys I guess. Was my second comment ever and my first was way earlier therefore I’m sure that it was the gonewild comment that triggered the bot to send me the message.
I comment on literally anything and I’ve left some comments on porn posts so that could be it.
I got one, and I saw it being referenced somewhere else on some post, so I decided to search Nicole and found this community and your message then. Any idea what this means? What’s going on haha
I’m Nicole!
Im nicole
Topic from the Matrix room:
I work at ***, *** ** **, Woodbridge, ON L4L 1A7, Canada. Come say hi sometime!
I work in the *** section, so just ask for Nicole!Does somebody live nearby?
This is textbook internet harassment if this is a real place someone works, this is not good.
Seems like the “scam” may be a harassment campaign?
She is most likely the victim of a stalker who’s trying to get her harassed and possibly fired
So update, topic was removed.
This is creepy as hell.
Just posting here as well to make sure it’s documented.
I just got Nicole Classic™ without crypto links. I’m beginning to suspect there are Niclones out there as well
Breaking News
The Matrix room is gone.
Got Nicole’d twice, last time ~a hour ago.
My guess is that the scammer is simply hitting random Fediverse people, with no meaningful pattern besides “some post/comment activity”.
got hit twice. my only guess is I argue with Russian/Chinese bots
Idk, the Fediverse feels like it’s a niche. Too much effort to scam small number of people.
Also, does anyone got reply from “Nicole” after the initial DM?
I’m Nicole.
I’m Spartacus
We all are Nicole on this blessed day.
Speak for yourself.
I am all Nicole on this blessed day.
