So, we’ve all heard of phishing and no one is going to click on odd e-mails from your bank asking for your username and password or reply to emails where you've won a free pizza or $10-million. Well here’s a new twist on an old favorite, an e-mail that is currently doing the rounds.
I am aware that <actual-password-here> is one of your passwords”
You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.
How the e-mail extortion works
Firstly, although technically possible all of the above is completely fictitious – no one has any video of anyone doing anything – this is straight extortion created from assumptions. Except for the password.
Aside from being slightly frightening, this is also fascinating. Phishing has always been about trying to get your passwords – now they’re leading with your password straight off the bat as a means to establish credibility. That’s right – your password.
The password used is actually correct (or at least was). We believe the password information in these recent instances has been either from the LinkedIn hack of 2012, or the Ashley Maddison hack of 2015 (maybe both). Almost more concerning is the number of people on message boards and in the comments section of various articles that are still using the same password they did in 2012 or 2015.
There is also nothing ordinary in this email that causes it to be blocked by normal spam protection – no links, no malware, and no attachments. It would only be blocked by a solution like Advanced Threat Protection that does deep content scanning on all email.
I’ve also heard of a less digital version of this scam that has been used in LA recently, and this time delivered by good old fashioned post: "We know what you’ve been doing, we have evidence, and if you don’t pay x to this bitcoin address, we’ll send the videos to your wife."
What you need to do
The worst thing about this, is that there is clearly a big enough target group in middle-class suburbia to make the scam worthwhile.
So, if you do end up on the receiving end of one of these horrible little scams, make sure you follow the following 7 steps:
Do not click on any links or attachments in the email.
- If you still use that password anywhere, change it immediately.
- Do not re-use passwords (use a password manager, including for your business).
- Enable 2 factor authentication (2FA) for all online accounts that support it.
- Do not respond to spam or phishing emails.
- Do not pay ransomware or extortionists.
- Talk to us about automated security training for your company.
Cover image credit: John Schnobrich/Unsplash