Several months ago, I wrote an article about a good friend who nearly fell victim to a cyber-extortion scheme. The short version of the story is that my friend received an email message from someone who claimed to have hacked his computer and allegedly captured incriminating webcam images and screen captures. The extortionist threatened to send the images to everyone in my friend’s address book if he didn’t pay up. Thankfully, the message turned out to be a sham and my friend’s computer was not actually compromised.
‘We’ve been hacked!’
I had all but forgotten about the incident until a night a few weeks ago. I was in my office working on an article when my wife came running up the stairs and burst into the room. She then shouted three simple, but fateful words that practically made my heart stop — “We’ve been hacked.”
I have to confess that my wife’s words absolutely terrified me, but I tried to remain calm and asked her why she thought that we had been hacked. She then opened her laptop and showed me an email with a subject line that read “your password is…” Admittedly the message’s subject line was alarming, but I tried to detach all emotion from the situation and pretend that I was trying to help some random client rather than dealing with a situation that affects me personally.
The next thing that I asked my wife was whether that was really her password. Before the words were even completely out of my mouth, I was already thinking that it was a stupid question. After all, she probably wouldn’t be in my office in a panic if the email subject line did not list her actual password. Even though I felt dumb for asking the question, I got an unexpected response of, “No, but it used to be.”
At that point, I was thinking that the hack was probably real and that I could use the date of my wife’s most recent password change to narrow down when it happened. From there, I could begin examining our system logs in an effort to track down the breach.
I assumed that my wife probably wouldn’t know the exact date when she changed her password, but I asked her anyway, hoping to get a rough idea of the general time frame. It was then that I got my second unexpected answer of the evening. My wife told me that she had last changed her password about a week ago, but that she was pretty sure that she had not used the password listed in the email subject line since somewhere around the year 1997. Now I was intrigued.
Something looks suspiciously similar
Up to this point, we had not even opened the email message in question, so reading the message seemed to be the next logical step. Upon opening the message, I discovered that the message body was very similar to the one that the friend that I mentioned at the beginning of this article had received nearly a year ago. Here is what the message said:
I’m aware that <XXXXXXXX> is your password.
You don’t know me and you’re thinking why you received this email, right?
Well, I actually placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a good tastes haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $9,700 is a fair price for our little secret. You’ll make the payment via bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
You have 24 hours in order to make the payment. If I don’t get the payment, I will send your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.
An obvious fraud
Upon reading the message, it became obvious that it was a fraud. My wife isn’t into porn, nor does she use Facebook or Messenger. Besides, there are several other things in the message that are technically implausible.
One of my favorite lines in the movie “Sgt. Bilko” was “we don’t need to be holding four aces if they think we’re holding four aces.” That quote ties right in with one of the points that I made in the article that I mentioned earlier. An extortionist does not actually have to hack anything in order to get paid. All they have to do is to convince their victim that they have been hacked.
Another point that I had made in my first article was there is little reason to view a threat as being credible if the perpetrator does not offer up any evidence that a hack has actually occurred. In this new version of the scam, however, the message does contain a bit of evidence — a password. The sender probably found a bunch of 20-year-old passwords on the dark web and is hoping that some of the message recipients have not changed their password in the last two decades and will, therefore, assume that their system really has been compromised.
Two things to remember about cyber-extortion
When it comes to protecting yourself against cyber-extortion, there are two things that come to mind. First, never assume that a threat received by email is credible unless the sender provides hard evidence. The inclusion of a password, in this case, was nothing more than a scare tactic. If the sender really had incriminating webcam footage they would no doubt include a screen capture as a way of spooking their intended victim. After all, the sender’s goal is to get paid and what better way to convince someone to pay up than to show them a photograph that the victim really does not want anyone to see?
The other thing that comes to mind is that this scam clearly illustrates the importance of frequent password changes, and of not using the same password for every site. Remember, if one site is compromised then an attacker will likely try to use the stolen passwords to gain access to other sites.
One of the best things that you can do to protect yourself against cyber-extortion is to use a password manager. Just make absolutely sure to regularly back up your password database. I suspect that it will only be a matter of time before someone starts creating a form of ransomware that is specifically designed to attack password managers, effectively locking attack victims out of all of their online resources. Just imagine losing access to everything from your social networks to your Amazon and PayPal accounts and you can begin to understand the impact of such an attack. Therefore, the lesson is to use a password manager but to avoid allowing that password manager to become a potential single point of failure.
Featured image: Shutterstock