Recently a friend of mine called me in a panic after receiving the following email, which put her name and her real password in the subject line and then blackmailed her:
Original scam email sent to my friend in Hayward:
From: Celinka Connally <firstname.lastname@example.org>
Date: Tue, Jul 24, 2018 at 4:28 PM
Subject: <her name> - <her complex password here>
To: <her email address>
Lets get straight to the point. No-one has paid me to check you. You don't know me and you're most likely wondering why you're getting this e-mail?
Well, I actually setup a malware on the 18+ streaming (porno) website and there's more, you visited this site to have fun (you know what I mean). When you were viewing videos, your internet browser began operating as a RDP with a key logger which provided me with accessibility to your display screen and web cam. Just after that, my software program collected your entire contacts from your Messenger, social networks, as well as email . And then I created a double-screen video. 1st part shows the video you were viewing (you've got a good taste hahah), and next part displays the view of your web camera, and its u.
There are two different options. We will read each of these options in particulars:
1st solution is to just ignore this e mail. In this instance, I will send out your very own videotape to almost all of your contacts and then consider about the embarrassment you experience. Do not forget in case you are in an important relationship, precisely how it will affect?
Next option should be to pay me $7000. We will name it as a donation. In this instance, I will instantly remove your video recording. You could keep your daily routine like this never occurred and you would never hear back again from me.
You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).
BTC Address: 13UHSx6u*****************<stripped for blog>Va5yvgKpee
[CASE-sensitive so copy and paste it]
In case you are looking at going to the law enforcement, good, this email message cannot be traced back to me. I have taken care of my moves. I am also not attempting to demand so much, I would like to be paid for. You now have one day in order to pay. I've a special pixel within this email, and right now I know that you have read through this message. If I do not receive the BitCoins, I will definately send out your video recording to all of your contacts including relatives, co-workers, etc. Nevertheless, if I receive the payment, I will erase the video right away. This is a nonnegotiable offer, and thus please don't waste my time and yours by replying to this e-mail. If you want to have evidence, reply with Yeah! then I will certainly send your video to your 14 contacts.
Pretty scary, right?
So the first thing I did was tell her not to panic. Then I pulled up Google and went to https://haveibeenpwned.com/, the free breach-lookup service run by security researcher Troy Hunt (1Password integrates its data, but the site is Hunt's, not 1Password's). I've written about password managers before, most recently in a blog post I did last week about IT Security for Law Firms. After putting in my friend's email address, here is what I got:
My friend's email address showed up in eight data breaches, meaning the credentials she used on those sites had been leaked:
- 8 Tracks (a music streaming website)
- Adobe (used for her Creative Cloud Subscription for Photoshop/Illustrator)
- Dropbox (a file sharing tool)
- LinkedIn (social network)
- Ticketfly (used to purchase concert and Burning Man tickets)
- and more...
So the scammer simply took a password from one of these now-public breach dumps and dropped it into a mass-mailed template: the name and password in the subject line are merge fields, and the malware, the RDP session, the keylogger, and the webcam video are all invented. The same message goes out to every address in the dump, and the "special pixel" and the one-day deadline are there only to add pressure. The one real piece of information in the email is the password itself: if it is still in use anywhere, that account needs a new password right away. Thankfully my friend did the right thing and didn't pay the ransom in hard-to-recover cryptocurrency, but instead called an IT professional she knew: me!
These types of internet scams are on the rise in the Bay Area. I've had several other similar cases come into our help desk in the last six months.
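As an added example (this is not code from the original post), here is how a practitioner would check whether a password like the one in that subject line is already in a known breach without ever sending the password itself anywhere. Have I Been Pwned's Pwned Passwords range API only needs the first five characters of the password's SHA-1 hash (k-anonymity); it returns every known hash suffix sharing that prefix, and the match happens on your own machine. The HTTP call to api.pwnedpasswords.com is real but optional: by default the script runs offline against a constructed sample response whose breach counts are made up.

```python
"""
Check a password against Have I Been Pwned's Pwned Passwords corpus using
the k-anonymity range API.

Protocol: hash the password with SHA-1, send ONLY the first 5 hex characters
to https://api.pwnedpasswords.com/range/<prefix>, receive every known suffix
for that prefix with its breach count, and match the remaining 35 characters
locally.  The password and its full hash never leave this machine.

Added example, not the original post's code.  The live fetcher is real but
unused unless you wire it in; the demo runs offline on constructed data.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with a count of 0 are padding (returned when the Add-Padding
    header is sent, so response size does not leak the prefix) and are dropped.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the HIBP range API (not called by the offline demo)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breaches the password has appeared in (0 = not in the corpus)."""
    prefix, suffix = hash_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The first suffix is the genuine remainder of that hash; its count and the
# other two lines are made up, the last one being a zero-count padding entry.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0" * 34 + "A:2",
        "F" * 35 + ":0",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    # Swap fetch_range_offline for fetch_range_live to query the real service.
    for pw in ["password", "Xk9#vQ2m!pLw7$rT"]:
        n = pwned_count(pw, fetch_range_offline)
        verdict = f"seen in {n} breach records, retire it everywhere" if n else "not in the corpus"
        print(f"{pw!r}: {verdict}")
```

A non-zero count means the password is in the public dumps scammers work from and must be changed on every site where it was reused; this password check is separate from the email-address lookup on the HIBP website, which tells you which breaches the address appeared in.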
What can you do to prevent these scams and stay safe online?
- Never reply to a scammer (replying, even with "Yeah!", only confirms your address is live); report it to your IT department or outsourced Managed Service Provider instead
- Use a separate password for each and every website, so that one breached site cannot unlock any other
- Use a password manager such as LastPass or 1Password to generate and store all your passwords (you copy and paste them, or use the browser extension to autofill them, after unlocking the manager with your master password + security key)
- Use a YubiKey or other "security key" for multi-factor authentication on your password manager, Office 365, Gmail, Salesforce, Dropbox, and other cloud applications. It is a roughly $20 device that you plug in and touch every time you log in, alongside your password, so that a stolen password alone is not enough to get in. Read how none of Google's 85,000+ employees were phished after the company required security keys
- Go back through all your website logins and make sure each one has a new, unique password. LastPass offers a random password generator built into both its free and paid plans.
LastPass' free password generator and Chrome extension.