Who is Nicole really? Who got messages from Nicole? Who is behind the messages? What is the resolution of Nicole’s profile images? Do I really have to be a racist to join her server? This comment section’s purpose is to collect all that information.

  • j4k3@lemmy.world
    English · 8 up · 1 day ago

    First time for me happened last night. Posted it here already, but for the sake of compiling information I’ll repeat it here. I run a DNS whitelist firewall and logged a blocked address https://cdn-discuss-online.s3.us-east-005.backblazeb2.com/ upon opening Lemmy with the message notification. LW cached and served the image for me when the connection to this link was unavailable. I cannot say anything further about what is happening in this connection. I can only confirm that it exists. The moment I saw the message I checked my logs and am certain that this is correlated.

      • j4k3@lemmy.world
        English · 2 up · 16 hours ago

        I'm no expert. In life I am very much a knockoff Swiss army knife. I can technically do a lot, but I am the shittiest pair of scissors ever made.

        I dislike how obtuse networking stuff can seem. I run a whitelist firewall because it is the easy way to control exactly what I connect to my computer. I have written bad code and will continue to do so. I download sketchy stuff sometimes, but it cannot escape. Telemetry stuff all gets blocked too.

        It is a pain in the ass to initially set up and maintain a DNS whitelist. It must be on a third party device or you’ll need to be super meticulous about how your system is set up. Lots of packages can and do try to bypass a local firewall on the same device they run on. I have to log in and add addresses and ports manually for everything I visit. Still, I can let an AI write code I barely understand and run it knowing it cannot escape. Scripting and configuring your own whitelist setup on a device is not fun. One option that is reasonable and fairly easy is PC WRT. That is a small business commercial version of OpenWRT. It is just an Asian guy in Texas, but his stuff works pretty well and he maintains it long term. I modify all of my routers to add an external USB to TTL serial module to the port on the PCB. For most routers, the internal UART serial port gives access to the bootloader and OS in ways that are nearly impossible to hide what is happening. I’ve screwed around with PC WRT stuff a good bit and it seems legit. If you are really concerned about aquariums for sharks, this will get you an interface for Open VPN, all the adblock options, and most add on features people configure in OpenWRT.

        Ultimately, such a DNS filter is your digital front door to your home. If you run adblock, someone else is closing your front door to old familiar bad actors only. With a white list, I’m only opening my door to those I wish to enter.

        It is pretty clear that Nicole is not what they appear to present. It is fishing. If they were relevant they would not spam. The main litmus test for anyone is if they have a diverse and mostly positive post and comment history. Anyone that has a monolithic presence in any one space is fake or potentially dangerous.

      • Ada@lemmy.blahaj.zone
        2 up · 16 hours ago

        In the short term, you can use a client that doesn’t load inline images in DMs. Our tesseract front end is one such client if you’re using a browser.
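The two comments above turn on which hosts a client contacts when it renders inline images in a DM. The following is an added example, not code from the thread or from any Lemmy client: it lists the image references in a message body and reports those whose host is not on an allowlist. The function names, the sample message and every hostname in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Markdown inline image: ![alt](url "optional title")
IMG_MD = re.compile(r'!\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)')
# Raw <img src=...> tag, in case the client renders embedded HTML
IMG_HTML = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def image_refs(body):
    """Return (url, host) for every inline image reference in a message body."""
    refs = []
    for url in IMG_MD.findall(body) + IMG_HTML.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        refs.append((url, host))
    return refs

def third_party_images(body, allowed_hosts):
    """Image references whose host is not on the allowlist.

    A relative URL has no host and is fetched from the instance that serves
    the page, so it is not reported.
    """
    allowed = {h.lower() for h in allowed_hosts}
    return [(url, host) for url, host in image_refs(body)
            if host and host not in allowed]

# Constructed sample message; every host below is a placeholder.
SAMPLE_DM = """hello, want to chat?

![me](https://lemmy.example/pictrs/image/constructed.png)
![](https://media.example.net/constructed.png "photo")
![local](/pictrs/image/constructed-local.png)
<img src='//cdn.example.org/constructed.gif' width=1 height=1>
![x](https://lemmy.example.lookalike.test/constructed.png)
"""

if __name__ == "__main__":
    for url, host in third_party_images(SAMPLE_DM, {"lemmy.example"}):
        print(f"would contact {host}: {url}")
```

Hosts are compared exactly, so a lookalike name that merely starts with the home instance's name is still reported.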

  • Dem Bosain@midwest.social
    English · 9 up · 1 day ago

    Has anybody contacted George Brown University, particularly the Dean of the health sciences department? If “Nicole” actually exists, and someone is using her images without her knowledge, this seems like the quickest way to let someone know it’s happening.

  • JackbyDev@programming.dev
    English · 33 up, 3 down · 28 days ago

    Hey y’all, I know this theory might be a stretch, but remember that this could be someone using someone’s name/face without their permission to harass them or frame them or something. Please just keep that in mind as you dig.

    • Ilovethebomb@lemm.ee
      9 up, 2 down · 28 days ago

      It probably is, it looks like a frame grab from a webcam video.

      With what appears to be a bong in shot. I can’t imagine someone using such an unflattering photo if they were using their own face.

      • cool@lemmings.world
        English · 8 up, 1 down · 26 days ago (edited)

        Eh, it’s more than likely a pig-butchering scam.

        The groups that do these are rather unsophisticated and mostly don’t speak English. It would make sense that their poor internet connections only have low quality photos and this is likely just one of many scams with equally-bad photos.

        • Ilovethebomb@lemm.ee
          6 up, 2 down · 26 days ago

          A decent quality photo isn’t that big, even over dialup you can send a better one.

          • *Walter SPIEGEL ☑️@infosec.pub
            3 up · 12 days ago

            For a pig butchering scam, a bad photo might actually make a lot of sense. If it looks like it might be a scam, only the most naive people will answer. That way, they can filter out anyone not in their target audience.

            • Ilovethebomb@lemm.ee
              3 up, 1 down · 12 days ago

              Yeah, they supposedly make deliberate spelling mistakes as well, to filter out the smart ones.

  • injuredcat@discuss.tchncs.de
    29 up · 15 days ago

    I felt I need to contribute something to the “massive” quest to uncover more about Nicole.

    I went through all my messages (from my main account, this one is a burner) and found an interesting name that kept coming up, from a couple of messages that were about 2 months old, “beyorkisan”. This was a PeerTube username she included, which does not exist anymore. But I scoured the internet and found another interesting PeerTube instance which is still running and on which she has uploaded a video.

    Screenshot from PeerTube video titled Chilling at work.
    Federated link on hitchtube.fr, if the site is not loading. Also there is no audio.

    Also, there was another live-stream.
    Just hanging out - Dalek Zone

    Going through the video and live-stream comments, seems like she had quite a following and from there I deduced a couple of things,

    • She was doing some sort of engagement on a chatting website called stumblechat.com.
    • She liked Krashboyz Bordel Krew Live Show 24/7
    • @lnxtx@feddit.nl comments in this thread might be correct, she might indeed be living in Canada.
    • If she is really the one who was doing all that, then she was active on PeerTube, federating on Fediverse and thus making herself a Fediverse Chick (pun intended).

    Also there seems to be a twitch account named beyorkisan with her picture. Might be hers.

    • driving_crooner@lemmy.eco.br
      English · 12 up · 28 days ago

      I think it is a funny meme and everything but I feel uncomfortable with people sharing her pictures. I doubt the real person on the pictures gave consent to this.

  • Lvxferre [he/him]@mander.xyz
    7 up · 24 days ago

    Got Nicole’d twice, last time ~an hour ago.

    My guess is that the scammer is simply hitting random Fediverse people, with no meaningful pattern besides “some post/comment activity”.

  • lnxtx (xe/xem/xyr)@feddit.nl
    English · 8 up, 1 down · 28 days ago

    Topic from the Matrix room:

    I work at ***, *** ** **, Woodbridge, ON L4L 1A7, Canada. Come say hi sometime!
    I work in the *** section, so just ask for Nicole!

    Does somebody live nearby?

  • Kraiden@kbin.earth
    7 up · 17 days ago

    Just posting here as well to make sure it’s documented.

    I just got Nicole Classic™ without crypto links. I’m beginning to suspect there are Niclones out there as well

    • Fungah@lemmy.world
      2 up · 1 day ago

      I got a message from the username but without an image.

      I live in Toronto.

      Not sure there’s much else I’d be willing to divulge. I’d bet that this whole thing is somebody trying to harass this poor woman though.

      • CrayonRosary@lemmy.world
        English · 2 up · 1 day ago (edited)

        without an image

        I thought so, too, but I switched to “Private Browsing”—which disables most of my extensions—and opened my inbox there, and there was the image. When I went back to my normal browser where the tab was still open, there was the image, too. So it just seemed like it took a very long time to load.

        The image URL was https://quokk.au/pictrs... which is another Lemmy instance, and the message was from bogymanstout(at)quokk.au. So the image wasn’t hosted externally to the Lemmiverse, so it can’t really be a deanonymization attack like some people were theorizing. There’s nothing else in the message. No tracking pixels or anything.

        On the other hand, it’s a very small instance with only 8 communities. The largest of which, world news, has almost 1,000 subscribers. Not impossible to be a fake instance designed for spying, but seems unlikely.

        Update:

        I just opened my inbox in a normal window again, and Firefox simply refuses to load that image in my inbox. I don’t know why. It loads fine if I open that URL in a new tab.

        • Fungah@lemmy.world
          2 up · 23 hours ago

          I recently read an article that broke down a webp vulnerability that was being actively exploited. Which of course I can’t find right now.

          If I had access to my PC at the moment I’d pop open the image itself and see if I could find any odd strings anywhere inside of it. I’m sure someone better at this stuff than I could take a deeper dive into the image itself if so inclined.

          • CrayonRosary@lemmy.world
            English · 3 up · 23 hours ago (edited)

            The only webp exploits for which I can find articles are from 2023. Some new articles, but still about the 2023 exploit. Both in Chrome and in iOS.

            The first step would be to see if the “PNG” file is actually a webp file. To see if what you’re saying is plausible.

            However, if there were a new, unpatched webp exploit, there’s zero reason to spam users with DMs when you can just post the image in popular communities. It could be any image and there’d be no reason to keep sending images pretending to be a girl looking for friends.

            It’s the links in the image which are important to the attacker. Originally they weren’t in the image and it was easy for admins to filter them out, so the attacker took the time to embed them in the image. This points to traditional catfishing and pig butchering as the attack.

            Then again they could be playing 4D chess and masquerading the real attack as simple catfishing.

            Update

            Oh. My. God.

            Byte 0x000cbb7f contains the word “Cum”!

            They’re trying to poison our minds!

            It’s just a normal PNG file.

            • Fungah@lemmy.world
              2 up · 18 hours ago

              Thanks for the insight.

              The article I read was recent - within the last week or so. Maddening that I can’t find it again. Should have bookmarked it.

              Anyway, that all scans. Figured it was a possibility even if it wasn’t likely.

    • stoy@lemmy.zip
      1 up · 7 days ago

      I believe I have got three messages from Nicole, two in the last few weeks, one just this morning.

      • Peter_Arbeitslos@feddit.org (OP)
        3 up · 28 days ago

        Of course, but people who aren’t active seem to get less spam. But they might just not post it, because they are inactive.

        • Agosagror@lemmy.dbzer0.com
          English · 1 up · 13 days ago

          Yeah I only started getting them when I posted/commented.

          I thought it was because they are reading comments and posts that people share and spamming those people.

          Had something similar on reddit a long time ago, got added to a private subreddit because they saw me comment in a community.

    • DoomProphet@lemmy.dbzer0.com
      English · 3 up, 1 down · 24 days ago

      Received it after leaving a comment in gonewild. Prime hunting grounds for lonely guys I guess. Was my second comment ever and my first was way earlier therefore I’m sure that it was the gonewild comment that triggered the bot to send me the message.

      • Fungah@lemmy.world
        1 up · 1 day ago

        I comment on literally anything and I’ve left some comments on porn posts so that could be it.

    • dutchkimble@lemy.lol
      English · 1 up · 27 days ago

      I got one, and I saw it being referenced somewhere else on some post, so I decided to search Nicole and found this community and your message then. Any idea what this means? What’s going on haha

    • rarWars@lemmy.blahaj.zone
      1 up · 28 days ago

      I only got one after I mentioned somewhere that I hadn’t gotten one yet. It wasn’t immediately after, but close enough to make me suspicious.

  • Ilovethebomb@lemm.ee
    4 up · 29 days ago

    I’ve had three, all identical messages, all from different usernames and accounts. I haven’t followed any of the links.