Have you received this email recently?
I am well aware YOUR-PASSWORD-REVEALED-HERE is your pass words. Lets get straight to point. There is no one who has compensated me to investigate about you. You may not know me and you’re most likely wondering why you are getting this e mail?
in fact, i installed a malware on the xxx streaming (porn) web site and there’s more, you visited this website to experience fun (you know what i mean). When you were viewing video clips, your internet browser began working as a RDP having a key logger which provided me access to your display and web camera. Right after that, my software obtained all of your contacts from your Messenger, social networks, and email . after that i created a double-screen video. First part displays the video you were viewing (you have a nice taste lol), and next part displays the recording of your cam, yeah its u.
You actually have a pair of possibilities. Lets read up on these choices in aspects:
1st option is to just ignore this e mail. in this scenario, i will send out your video recording to just about all of your personal contacts and then imagine concerning the shame that you receive. Not to forget in case you are in an intimate relationship, how it will affect?
2nd option is to give me $999. Let us name it as a donation. in this case, i will without delay eliminate your video footage. You can carry on your daily life like this never happened and you never will hear back again from me.
You’ll make the payment via Bitcoin (if you don’t know this, search for ’how to buy bitcoin’ in Google search engine).
[CaSe-SeNSiTiVe copy & paste it]
if you may be looking at going to the law enforcement officials, look, this email message cannot be traced back to me. I have covered my moves. i am just not attempting to ask you for money a whole lot, i would like to be paid. You now have 48 hours to pay. i’ve a specific pixel within this mail, and now i know that you have read through this e-mail. if i don’t get the BitCoins, i will definitely send your video recording to all of your contacts including family members, coworkers, and so forth. Nevertheless, if i receive the payment, i’ll destroy the video immediately. it’s a nonnegotiable offer and thus please don’t waste my personal time & yours by responding to this mail. if you really want proof, reply with Yeah then i will send out your video recording to your 10 friends.
If you have, please don’t take it seriously …
This email is just another in a growing list of extortion attempts centred around revealing a password you have used somewhere in the past. Maybe it’s one of your favourite passwords which you use across lots of different websites?
The gist of the email is that somebody has hacked into your computer and used your webcam to capture compromising footage. If you don’t pay them a ransom, they’re going to send this footage out to your contacts …
The proof they are presenting? The smoking gun which proves beyond doubt that they are to be taken seriously?
They know one of your passwords.
That’s a worry and rightly so. But is the premise of the email to be given any credibility? No, it’s nonsense. You can safely ignore this email for the spam that it is.
However, one important question still remains to be answered …
How did they get my password? Have I been hacked?
You haven’t been hacked.
Your email address and password have been exposed during a data breach – which is another way of saying some company or institution you hold an account with has been hacked.
It happens more often than you may realise …
Have you ever :-
- Booked online to stay at a Marriott Hotel?
- Researched your genealogy on Ancestry.com?
- Had your Internet provided by AOL or TalkTalk?
- Booked a ride in an Uber?
- Had a Yahoo email address?
If the answer to any of these is yes, the email address and password you used with them may have been compromised. The companies above have all been hacked in recent years.
It’s not just those companies either.
According to ComputerWeekly.com, the personal information of more than a billion people was compromised in 2018 as companies holding the data failed to keep it safe.
How can I check if my details have been compromised?
If you’ve received the email at the start of this article (or a similar one) and it reveals a password which you recognise, then they definitely have 🙁
Microsoft MVP (Most Valuable Professional) & online security expert, Troy Hunt, has built a website, https://haveibeenpwned.com, where you can check if your email address and password are known to have been exposed in publicly available lists of compromised accounts.
Despite its odd-sounding name (pwned is Internet speak for ‘owned’), it’s a legitimate website. In Troy’s own words …
“I created ‘Have I Been Pwned’ as a free resource for anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach. I wanted to keep it dead simple to use and entirely free so that it could be of maximum benefit to the community.”
Think of it as a search engine – where you search your email address against a database of known breaches. At the time of writing, the database contains nearly 7 billion email addresses from around 334 known hacked websites.
I encourage you to visit his site and enter your email address – it’s safe and the results may make for interesting reading.
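How a password can be checked without handing it over, as an added example (not code from this article or from Have I Been Pwned): the site's Pwned Passwords service is sent only the first five hex characters of the password's SHA-1 hash, at https://api.pwnedpasswords.com/range/<prefix>, and replies with SUFFIX:COUNT lines that are compared locally. The reply used here is constructed so the example runs offline, and the function names are my own.

```python
import hashlib

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; return (5-char prefix sent to the service,
    35-char suffix that never leaves this machine)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_response: str) -> int:
    """Look for the password's suffix among the SUFFIX:COUNT lines returned
    for its prefix. 0 means it is not in the known-breached set."""
    _, suffix = split_hash(password)
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def constructed_response(listed: dict[str, int]) -> str:
    """Build a stand-in for the service's reply (constructed data, counts
    invented). A real reply holds every known suffix under one prefix."""
    lines = [f"{split_hash(pw)[1]}:{n}" for pw, n in listed.items()]
    return "\r\n".join(sorted(lines))

# Constructed sample: two passwords treated as breached, with made-up counts.
SAMPLE = constructed_response({"Sunshine2009": 412, "letmein123": 9051})

if __name__ == "__main__":
    # Second password is one of the generated examples shown in this article.
    for pw in ("Sunshine2009", "aQFqdeGQodl0"):
        prefix, _ = split_hash(pw)
        print(f"would send only {prefix}; seen {breach_count(pw, SAMPLE)} times")
```

Thousands of different passwords share any given five-character prefix, so the service cannot tell which one was being checked.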
Have you been pwned?
I’m going to assume you’ve discovered that some of your login credentials have been compromised – which unfortunately means they may be circulating the interweb.
If you’ve used any of the sites identified since they were hacked, it’s likely that you’ve already changed the password on those sites – they should have forced you to do so.
If you haven’t accessed those sites in a long time and you no longer need them, you might want to consider closing them down. This will limit your exposure should they be compromised again in the future.
Have you re-used those credentials on other websites?
I did a search on one of my email addresses and discovered breaches of Bin Weevils, Dropbox, LinkedIn, Last.FM, CD Projekt Red (creators of The Witcher game series), Exactis, Forbes & MyFitnessPal.
LinkedIn is the only one of those which I still use. Truth be told, I’d forgotten about the others.
Like many folks, I’ve got an old document of accounts and passwords I’ve held over the years.
Searching that document, I was able to determine which passwords I’d used on some of those breached sites. I then checked for other accounts where I’d used the same password and went about changing them, or closing them down (my kids used to love Bin Weevils many moons ago but they’d never use it now).
Imagine my surprise when I logged into Rockstar Games Social Club (another one I’d forgotten about and not used for many years) & discovered that somebody was using my Rockstar Games account to play Grand Theft Auto …
Shortly after removing their game data and changing my password, I received an email from the perpetrator in Russian which I ran through Google Translate. It was something along the lines of “You’ve made a terrible mistake and you will pay the consequences”. Charming …
Had I not re-used that password across a number of gaming sites I used to use, it’s likely that would never have happened. I probably opened some of these accounts 10 years ago and didn’t think too much about the passwords I used back then. I do now, but I’d forgotten about those accounts.
We all make mistakes.
Is it possible some shady character’s using one of your old accounts?
Fair enough, somebody playing my copy of Grand Theft Auto is no big deal, no harm done – but it hopefully illustrates a point …
The big problem with password re-use
You’ve probably been advised plenty of times not to re-use passwords across different websites. Have you ever stopped to consider why this is?
Credential Stuffing attacks happen when somebody (or more likely some script or software they have created) attempts to gain access to a site using an email and password combination exposed from a breach of a different site.
Working from massive lists of breached email addresses and passwords, hackers can automate logins across many different websites and see which sites let them in.
If you’re re-using passwords, this could leave your other accounts open to exposure too. Hackers are counting on you having a favourite password which you’ve used across multiple websites.
It’s human nature. Passwords can be difficult to remember – so folks have a favourite one they use everywhere.
So with this in mind …
If the password you use on Ancestry.com is the same password you use on Amazon or eBay, you’re leaving the door open for intruders should Ancestry.com ever get breached. Which, as I mentioned earlier, they have – in November 2015 – some 300,000 accounts were compromised and the data subsequently dumped publicly on the Internet.
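The check described above, finding every other account that shares a login with a breached site, as an added example (not the author's own script). The account rows, site names and breach list are constructed, and `audit` is a hypothetical helper name.

```python
import hashlib
from collections import defaultdict

# Constructed sample rows (site, login email, password), standing in for an
# old accounts document or a password-manager export. All values are made up.
ACCOUNTS = [
    ("genealogy.example", "me@example.com", "Sunshine2009"),
    ("shop.example",      "Me@Example.com", "Sunshine2009"),
    ("auction.example",   "me@example.com", "Sunshine2009"),
    ("games.example",     "me@example.com", "kids-game-pw"),
    ("forum.example",     "me@example.com", "kids-game-pw"),
    ("bank.example",      "me@example.com", "x7!unique-Long-one"),
]
# Constructed: sites a breach lookup reported for this email address.
BREACHED = {"genealogy.example", "bank.example"}

def audit(accounts, breached_sites):
    """Group accounts by the (email, password) pair a credential-stuffing
    script would replay, and report every pair exposed in a breach together
    with the other sites where the same pair still opens the door."""
    groups = defaultdict(list)
    for site, email, password in accounts:
        # Hash the pair so the report never carries plaintext passwords.
        pair = hashlib.sha256(f"{email.lower()}\0{password}".encode()).hexdigest()
        groups[(email.lower(), pair)].append(site)
    findings = []
    for (email, _), sites in groups.items():
        exposed = sorted(s for s in sites if s in breached_sites)
        if exposed:
            findings.append({
                "email": email,
                "exposed_on": exposed,
                "also_change": sorted(s for s in sites if s not in breached_sites),
            })
    return sorted(findings, key=lambda f: f["exposed_on"])

if __name__ == "__main__":
    for f in audit(ACCOUNTS, BREACHED):
        print(f"{f['email']}: leaked via {f['exposed_on']}, "
              f"same login also used on {f['also_change'] or 'no other site'}")
```

Every site listed under `also_change` needs a new, unique password even though that site itself was never breached.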
Take a look at one of Troy’s videos below to see what he has to say on password re-use …
Meet your new friend – the password manager …
Password managers work together with your favourite web browser (Chrome, IE, Edge, Firefox etc). They generate very strong, unique passwords and then store them away in a secure encrypted “vault”, protected by a single master password.
Each time you visit a site you have stored in your vault, the password manager will automatically enter these login credentials for you.
You don’t even need to know those passwords, so you can let it generate random ones for you.
Using LastPass as an example, here are a few random passwords I just had it generate –
aQFqdeGQodl0 – 7wQQYACiAA2U – atg3bcFuc16j
Effortlessly strong, unique passwords that I don’t even have to remember – which is just as well as I don’t think I could …
These passwords will sync between any of the devices you are using the password manager on. PC, laptop, phone, tablet – no problem.
There’s a question that might be running through your head …
If there’s only one password safe-guarding all my other passwords, isn’t that dangerous?
Providing you choose a strong, unique password to guard them all, it’s still better than the alternative of re-using weak & memorable passwords.
Password managers don’t have to be perfect, they just have to be better than not having one …
“Your brain is a very bad password manager. It’s incapable of storing more than a couple of genuinely random strings of reasonable length (apologies if you’re a savant and I’ve unfairly characterised you in with the rest of our weak human brains). That leads to compromises. If you’re one of these people who says “I’ve got a formula that always gives me unique passwords that are strong”, no you don’t, they probably aren’t and no they’re not. You’re making concessions on what we empirically know is best practice and you’re kidding yourself into thinking you aren’t … the only secure password is the one you can’t remember.”
If you’d like a little more information on password managers, here’s a useful article from the guys at HowToGeek – https://www.howtogeek.com/141500/why-you-should-use-a-password-manager-and-how-to-get-started/
The purpose of this article is to inform our customers of a widespread issue which they may not be aware of.
We’ve been asked by some of our customers about these recent spam emails, believing their personal computers may have been compromised as it appears somebody knows their password.
This article should put your mind at rest that your computer hasn’t been hacked and the claims made in these emails are fantasy. Hopefully it’s also raised awareness of issues with password re-use and some steps you can take to secure your accounts and manage your passwords better.
You will be doing something about those passwords, won’t you? Promise?
As ever, if you would like our help with any of your computer related problems, installations, repairs or support, please get in touch. We’re here to help!