Crypto-blackmail - yet another email scam
We're all told to be vigilant about internet scams, and to safeguard our online profiles. But, in trying to do this, have we unwittingly exposed ourselves more than we already were? A few years ago, probably through a post on a forum somewhere (I don't remember), I heard about a site called "Have I Been Pwned?" From memory, the author of the post touted this as a great way to check whether your email had been hacked. At the time there had been a spate of email hack attacks, so I went and did a check. Phew! I hadn't been hacked. Now that this latest scam has come around, I have to wonder whether that was a good idea. I mean, really, I had no clue whether that site was legit or not. Did I stupidly give hackers a working email address? I haven't linked to the site for a good reason... read on, Macduff!
The latest scam is an email quoting a password that the author claims is yours. Interestingly, in one of the two emails I've received, the password quoted was quite like a password I used about 5-6 years ago (but don't anymore). Initially that made me sit up, until I realized it was the same email I'd received a few days prior. It then goes on to say that I'd been surfing "adult video clips", that the hacker had embedded malware in these clips, and that my "viewing" had launched it. He/she then drones on about what they did, blah, blah, blah (you can read the gist of it here). The fact that I don't frequent "adult" sites is a bit of a giveaway. Now, had they said YouTube, Hulu or aviation websites, I might have been slightly concerned. The clincher is the use of my webcam. Errrr, WHAT webcam? LOL, I don't have a webcam on my desktop.
Professor Emin Gün Sirer of Cornell University tweeted one example of the scam email (view the tweet) and urged people not to pay the scammers. He claims that (here we go!!) this email was sent to everyone who'd used the haveibeenpwned website! So isn't THAT ironic? Either it was always a scam website, or they have been hacked themselves!!
What should I do?
Step 1. Look at the password quoted in the email. Most people who have reported this scam say the password is old, in some cases up to 10 years old, so the scammer is working from a copy of an old data breach, not from anything on your machine. If you no longer use that password ANYWHERE, go to Step 2. If that password is still in use, CHANGE IT IMMEDIATELY, on every site where you used it: a password exposed in a breach of one service is the first thing tried against all the others. If the breach is that old, you should really have changed it numerous times already. And, please, use a good solid password, and a different one for each site. Not sure how to create a difficult password? Go to this site to create a new password. If possible, you may also want to consider changing your username, though this option is not always available.
Step 2. The little "X" icon in your mail client is your friend! Delete the email and go about your business. NEVER pay, and don't reply: the money is the last you'll see of it, and responding marks your address as one that reacts, so you identify yourself to the scammer and all their friends (you think getting off legit mailing lists is hard...).
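The two steps above, as an added worked example I wrote for this post (it is my code, not anything from the original page or from the FBI). It runs offline: the sample email is a constructed message modelled on the scam described here, the marker phrases and the password-quoting patterns are my assumptions about how this template is worded, and the "passwords still in use" list is passed in as SHA-256 digests so the script never needs your live passwords in plaintext.

```python
import hashlib
import hmac
import re

# Constructed sample message, modelled on the scam described in this post
# (a quoted old password, the "adult video" malware story, the webcam claim,
# a crypto ransom). It is not a real email.
SAMPLE_EMAIL = """\
Subject: Your account is hacked

I know that hunter2!99 is your password. I placed malware on the adult video
clips you watched and my software turned on your webcam. Pay 800 USD in
bitcoin within 48 hours or I will send the video to all your contacts.
"""

# Phrases that, together, characterise this sextortion template. A single hit
# means little; several hits in one message is the pattern the post describes.
# (Assumed wording, chosen for the demo.)
SCAM_MARKERS = (
    "your password",
    "malware",
    "adult video",
    "webcam",
    "bitcoin",
    "your contacts",
)

# Two common ways the template quotes the password: "X is your password" (used
# in the constructed sample) and "password is/was/: X". Assumed wording.
PASSWORD_PATTERNS = (
    re.compile(r"\b(\S+) is your password", re.IGNORECASE),
    re.compile(r"password\s*(?:is|was|:)\s*[\"']?([^\s\"']+)", re.IGNORECASE),
)


def extract_claimed_password(body: str):
    """Return the password the message claims to know, or None."""
    for pattern in PASSWORD_PATTERNS:
        m = pattern.search(body)
        if m:
            # Drop a sentence terminator glued to the password ("...is hunter2."),
            # at the cost of mangling a password that really ends in "." or ",".
            return m.group(1).rstrip(".,")
    return None


def scam_markers_present(body: str):
    """Return the template phrases found in the message (case-insensitive)."""
    lowered = body.lower()
    return [marker for marker in SCAM_MARKERS if marker in lowered]


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def password_still_in_use(claimed: str, current_password_hashes) -> bool:
    """Compare the quoted password against SHA-256 digests of the passwords
    you still use (Step 1). Unsalted SHA-256 is fine for this offline
    self-check; it is not how a service should store passwords."""
    claimed_hash = sha256_hex(claimed)
    return any(hmac.compare_digest(claimed_hash, h) for h in current_password_hashes)


def triage(body: str, current_password_hashes) -> dict:
    """Step 1: does the quoted password still matter?  Step 2: if not, the
    only action is to delete the mail without replying or paying."""
    markers = scam_markers_present(body)
    claimed = extract_claimed_password(body)
    in_use = claimed is not None and password_still_in_use(claimed, current_password_hashes)
    if in_use:
        action = "change that password everywhere it is used, then delete"
    elif len(markers) >= 3:
        action = "delete; do not reply or pay"
    else:
        action = "no sextortion template detected; review manually"
    return {"claimed_password": claimed, "markers": markers,
            "password_in_use": in_use, "action": action}


if __name__ == "__main__":
    # Constructed "still in use" list for the demo: the first entry is the
    # quoted password, so the sample takes the change-it branch.
    demo_hashes = [sha256_hex("hunter2!99"), sha256_hex("correct horse battery staple")]
    print(triage(SAMPLE_EMAIL, demo_hashes))
    # Same mail, password no longer in use anywhere: delete and move on.
    print(triage(SAMPLE_EMAIL, [sha256_hex("correct horse battery staple")]))
```

The hash comparison is there so you can keep the "passwords I still use" list as digests exported from wherever you keep them, rather than pasting live passwords into a script; the marker count is only a sanity check that the message matches the template, since the action is the same either way.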
Some tips from the FBI
- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don't open attachments from people you don't know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.