There has been a recent rash of scammers using some very effective tactics to scare money out of people. They claim to have hacked your computer, and they include one of your actual passwords as part of the subject line to shake your nerves. I’ve been getting questions about this probably twice a week from clients, so let me answer this for you.
No, your computer was not hacked. Yes, they have one of your passwords. No, they didn’t uncover this password themselves. I don’t have any proof of this, but the most likely explanation for these recent emails is that in one of the big data breaches in recent history (Yahoo, LinkedIn, etc.), hackers got your password for this account along with millions of other passwords. That password may have been floating around the dark web for years for all we know. Some scammer bought a password list that you’re on and is trying to scare you into making their investment worthwhile, since the content of your LinkedIn account probably isn’t very valuable to them but they can use that info to scare money out of you. You don’t have to pay them the ransom, because all they have of yours is a password from one website.
So what should you do? I suggest immediately changing your password on any service where you use any form of this password and never use it again. And not just things that you consider high-risk. A few months ago someone hacked my Panera Bread account and ordered a salad with my card, all because it was protected with a password that I had been using for years elsewhere. No one hacked Panera as far as I know, but because it was a re-used password I don’t know what service was hacked. I just didn’t think that my Panera account was worth giving a unique password to. Luckily Panera refunded the small amount but it was annoying and slightly violating.
And here is another reason you should be using a password manager. They will help you create unique passwords as well as alert you when you are using a known compromised password. Or at the very least systematically document your passwords in a way that works for you and allows you to find them when needed. Don’t rely on your memory. That’s the worst way to keep safe online.
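Two checks a password manager performs behind the scenes are worth seeing in code: spotting the same password (or a trivial variant of it) reused across several accounts, and asking whether a password appears in a known-breach corpus without ever sending the password itself. The added example below is not from the original post. The reuse check collapses case and trailing digits/punctuation so that "Summer2016!" and "summer2016" are treated as the same password, which matches the advice above to retire "any form of this password". The breach check mirrors the k-anonymity scheme used by the real Pwned Passwords range API (a GET to https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the uppercase SHA-1), but to stay offline the "server" here is a stand-in function over a constructed corpus; the vault contents and breach counts are invented sample data, not real credentials.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault (site -> password). Invented values, not real credentials.
VAULT = {
    "email": "Summer2016!",
    "linkedin": "Summer2016!",
    "bakery-orders": "summer2016",      # a near-duplicate of the password above
    "bank": "v7#pQ9w!Lx2mTz",           # unique, not in the breach corpus
}

# Constructed stand-in for a breach corpus: password -> number of times seen.
LEAKED_CORPUS = {
    "Summer2016!": 4821,
    "password": 9_000_000,
    "letmein": 300_000,
}

TRAILING = "0123456789!@#$%^&*."


def normalize(password: str) -> str:
    """Collapse trivial variants (case, appended year/digits, trailing symbol)
    so "Summer2016!" and "summer2016" compare equal."""
    return password.lower().rstrip(TRAILING)


def find_reuse(vault: dict) -> dict:
    """Return {normalized_password: [sites...]} for every password used on
    more than one site, i.e. every site that must get a fresh password."""
    groups = defaultdict(list)
    for site, password in vault.items():
        groups[normalize(password)].append(site)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the server and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_server(prefix: str, corpus: dict) -> str:
    """Stand-in for the range endpoint (assumption: offline replacement, not
    the real service). Returns 'SUFFIX:COUNT' lines for every corpus entry
    whose hash starts with `prefix`; the server never learns which one the
    client cares about."""
    lines = []
    for password, count in corpus.items():
        p, s = sha1_prefix_suffix(password)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def breach_count(password: str, corpus: dict) -> int:
    """Client side of the k-anonymity check: send only the prefix, match locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fake_range_server(prefix, corpus))


def audit(vault: dict, corpus: dict) -> dict:
    """Breach count per site. Note that the lowercase variant on
    'bakery-orders' scores 0 here even though the original was leaked,
    which is exactly why the reuse check above is needed as well."""
    return {site: breach_count(pw, corpus) for site, pw in vault.items()}


if __name__ == "__main__":
    print("reused:", find_reuse(VAULT))
    print("breached:", audit(VAULT, LEAKED_CORPUS))
```

Run against a real vault export, the two reports together give the list of accounts to rotate first: anything in the reuse groups, and anything with a non-zero breach count. The combination matters because a breach corpus only knows the exact string that leaked, while the same password with a changed digit is still effectively the same password to anyone working from the list.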
It’s also not a bad idea to start closing down accounts for services you no longer use. The more places your information lives, the more chances there are for it to be exposed in a breach. Thanks to the recent EU GDPR legislation, most websites now allow you to close your account.
Here is a sample of the email that I’ve been seeing with some personal info redacted.
I will directly come to the point. I know XXXXXX is your password. Most importantly, I’m aware about your secret and I’ve evidence of your secret. You do not know me and no one paid me to check out you.
It is just your hard luck that I came across your bad deeds. Well, I actually installed a malware on the adult vids (pornographic material) and you visited this web site to experience fun (you know what I mean). While you were busy watching video clips, your web browser began operating as a Rdp (Remote control desktop) that has a keylogger which provided me with access to your display screen and cam. Immediately after that, my software program collected your entire contacts from messenger, fb, and mailbox.
I then gave in much more time than I should have digging into your life and created a double screen video. First part displays the recording you were watching and other part shows the view of your web cam (its you doing dirty things).
Honestly, I’m ready to forget details about you and allow you to continue with your life. And I will give you 2 options that will accomplish that. The above option is either to ignore this letter, or simply pay me $ 1900. Let’s explore above 2 options in more detail.
First Option is to ignore this e-mail. You should know what is going to happen if you take this path. I will send your video recording to your contacts including members of your family, coworkers, etc. It does not shield you from the humiliation you and your family will have to feel when family and friends uncover your sordid videos from me.
Other Option is to send me $ 1900. We’ll call this my “confidentiality tip”. I will explain what happens if you opt this option. Your secret will remain your secret. I’ll erase the recording immediately. You move on with your life that nothing like this ever occurred.
Now you may be thinking, “I’ll just go to the cops”. Let me tell you, I have covered my steps to ensure that this email message cannot be tracked back to me and yes it will not stop the evidence from destroying your daily life. I am not trying to break your bank. I just want to be compensated for my time I put into investigating you. Let’s hope you have chosen to produce all of this disappear and pay me my confidentiality fee. You will make the payment by Bitcoin (if you don’t know this, type “how to buy bitcoins” on google)
Amount to be paid: $ 1900
Send To This Bitcoin Address: XXXXXXXXXXXXX
(It is CASE sensitive, so you should copy and paste it carefully)
Explain no person what you should be sending the Bitcoins for or they will often not give it to you. The procedure to get bitcoin may take a day or two so do not wait.
I have a unique pixel in this message, and at this moment I know that you’ve read this mail. You now have one day to make the payment. If I do not receive the Bitcoin, I will definitely send your video recording to all of your contacts including friends and family, colleagues, and many others. You better come up with an excuse for friends and family before they find out. Nevertheless, if I receive the payment, I will destroy the video and all other proofs immediately. It’s a non negotiable one time offer, thus kindly don’t waste my time & yours. Your time is running out.