You may not be able to teach an old dog new tricks, but attackers have recently found a way to use an old password in a new scam.
A particularly sinister tactic, dubbed a “sextortion” scam, has been on the rise lately. In this blog, ADNET takes a closer look at how the attack works and how to handle it if you are targeted.
What It Is
In this type of attack, the victim typically receives an email containing a password that they have used at some point – current or not – in the subject line. That’s alarming enough, but the body of the email contains a more threatening message. The message may have some slight variations, but generally claims the following:
- The attackers claim to have hacked into your computer.
- They tell you they have installed malware on your system that has allowed them to take control of your webcam and obtain videos of you watching pornography, as well as videos of the pornography you have supposedly been watching. They also claim they have gained access to a list of your friends and contacts.
- The criminal then threatens to release this alleged “video” to your contacts if you don’t pay them a ransom, usually somewhere between $1,200-$1,600 in bitcoin. Some emails have reportedly asked for upwards of $8,000.
The emails tend to have poor grammar or spelling mistakes, but they may also use terms that the average computer user may not be familiar with in an effort to make them appear more legitimate.
How It Works
The premise of this scam is actually relatively simple. The person sending you the email is most likely exploiting one of the recent data breaches and leveraging an exposed password to threaten you. These breaches have been happening regularly for years, and when they occur, criminals may post the exposed information online for others to see and use in different attacks. The data available is usually a few years old, so the password sent to you may not even be one you’re using anymore. But cybercriminals are counting on you being rattled enough that they know even an old password that you’ll be willing to pay the ransom.
There is No Malware. There is No Video.
That’s all there is to it. The attacker doesn’t have a list of your contacts and in reality, has no idea who you are. Most of the emails being sent are automated, making it as simple as possible for the attackers to send massive volumes of them at a time. You in particular have not been targeted, but there are a few things receiving this email should tell you about your internet hygiene.
What This Tells You About Your Internet Hygiene
If you receive this type of email, your data may have been exposed in a data breach. If you’re unsure where or how this may have happened, check out https://haveibeenpwned.com/. If you type in your email address, this site will show you a list of other websites that your email/password may have been stolen from. It’s a handy tool that can point you in the right direction, and while it can’t cover every possible breach that has and will happen, it lists a lot of the big ones.
What To Do If You Receive the Email
- Don’t pay the ransom. Remember, the threat isn’t true, and there is no compromising video. Paying the ransom is only going to result in you losing money. And if the spammer thinks you’re naïve enough, they may try to extort you for even more money.
- Don’t respond to the attacker. Don’t click any links or view any images. Ignore and delete the email.
- Change your passwords on all of your accounts, especially if the password in the attempt is one you’re still using.
- Turn off, unplug, or cover your webcams when not in use. While there is no actual video, the FBI encourages this habit just in case.
Our Recommendations to Improve Your Internet Safety
- Regularly change your passwords on all accounts. We cannot stress enough the importance of good password hygiene. Make sure your passwords are long (aim for 12+ characters) and complex (including uppercase, lowercase, symbols, and numbers).
- Always use a different password for each account. This will help protect you if one of your accounts is hacked. That way, the hacker cannot then use that same password to get into all your private accounts.
- If possible, enable 2-factor authentication on the websites you use. They add an extra layer of security in case your password is exposed again.
- If you’re going to have difficulties remembering all of your different passwords, try using a reputable password manager. These programs are inherently more secure than writing down or storing passwords in a simple document. They can usually generate complex passwords for you as well, which takes the pressure off you to come up with something different every time. The following, while not a complete list, are some safe programs and their features:
- Dashlane: The free version will store up to 50 passwords and manage autofill on one device. The premium version is currently $60 a year and adds in dark web monitoring, alerts you if any of your passwords have been compromised in a breach, and offers a secure VPN, as well as unlimited password storage on unlimited devices.
- LastPass: There is a free trial available that will give you access to all premium features for a limited time with no payment information. After that, single premium access is currently $24 a year, and includes features such as a password generator, a ‘vault’ of your website logins, a security auditing feature, and more.
- StickyPassword: The free version offers several features usually found in premium subscriptions, such as biometric logins and very strong encryption. The premium version is currently $30 a year and adds in cloud backups in case you lose your device and cloud syncing across all your devices. They even offer a lifetime license option for $150.
Follow the ADNET blog for developing information on this scam, and remember, it’s an empty threat. Scammers are trying to scare you – don’t give them that power.