Hacked Passwords Being Used In Blackmail Attempt — Expect More Of This
from the isn't-the-internet-greate dept
Last week I received the following email with my name and a very, very, very old password that I haven’t used in probably at least a decade in the subject line (even though I’m not longer using it, I’m editing it out of this because… it’s still weird):
I am aware, ********, is your pass word. You don’t know me and you’re probably wondering why you’re getting this mail, right?
In fact, I actually installed a malware on the adult videos (adult porn) site and there’s more, you visited this site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) having a key logger which provided me with access to your screen and cam. Immediately after that, my software collected all of your contacts from your Messenger, FB, and email.
What exactly did I do?
I created a double-screen video. First part displays the video you were watching (you have a nice taste rofl), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, I believe, $2900 is a reasonable price for our little secret. You’ll make the payment via Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: [REDACTED] (It is cAsE sensitive, so copy and paste it)
You have one day to make the payment. (I’ve a specific pixel in this e mail, and right now I know that you have read through this email). If I don’t receive the BitCoins, I will send your video recording to all of your contacts including members of your family, colleagues, and so forth. However, if I receive the payment, I will erase the video immidiately. If you really want evidence, reply with “Yes!” and I will send your video recording to your 9 friends. This is a non-negotiable offer, and thus do not waste my personal time and yours by responding to this message.
This was immediately obvious as a scam from a hacked database of passwords. Besides the fact that I haven’t used that particular password in ages (and even when I did, it was the password I used for “unimportant” sites), there are a whole bunch of other reasons why it was obvious that the email was fake and it would be literally impossible for the person to have whatever it was they claimed to have on me. I found it funny enough that I reached out to some other folks to see if this was getting around, and a few people told me they’d seen similar ones, noting that the final note about sending it to “9 friends” appeared to be an increase from the usual of “5” that they had seen before.
Indeed, Brian Krebs, who is always on top of these things, wrote a story about how a bunch of people got these emails last week. That one only asked for $1400, and also promised to send it to 5 friends. It has a few other slight differences to the one I received, but is pretty clearly sent by the same person/team of people with just a few modifications. Like the ones that Krebs reported on, mine appeared to come from an outlook.com email address. As Krebs notes, he expects that this particular scam is about to get a lot more popular, and will probably use a lot more recent set of passwords:
I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords ? and perhaps other personal data that can be found online ? to convince people that the hacking threat is real. That?s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.
Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.
And, at the very least, this scam appears to be working. It’s unclear just how many people are receiving these emails — and how many people are pointed to the same Bitcoin wallet address to pay — but the one that Krebs included in his post shows a single payment of approximately $2000. When I first got the email the Bitcoin wallet address in the email I received showed no transactions, but I just looked again and there are two transactions, both within a day of when I received the email (one for .23 Bitcoins or ~$1600 and another for 0.3 Bitcoins or ~$2,000).
Of course, this should be a warning for everyone on a variety of levels:
- Use a password manager already, and stop saying they’re too difficult to use. They are not.
- Use 2 factor authentication wherever possible
- Cover your webcam with a sticker or tape or something when not in use
- Don’t believe every stupid threat email you receive
- Don’t randomly pay money to every stupid emailer who pretends to threaten you
Anyway, it will be worth watching how this particular scam evolves, but as Krebs notes, it’s likely we’ll be seeing it a lot more often as it seems to hit all the key points for a popular internet scam these days.