https://www.flickr.com/photos/tom-margie/16553695719

Blackmailing and huge passwords leaks

Introduction

I recently started to receive several emails, from various outlook.com accounts, attempting to blackmail me into paying a large sum of money through bitcoins. At first, I was startled, as they seemingly knew my password and this password was truly something I had been using. Luckily, I know that this password has not been in use for quite a while, so I started investigating what really was happening. Using the page: haveibeenpwned.com I know my passwords has previously been leaked in various security breaches and that this particular password was something I used on LinkedIn around 5 years ago. According to haveibeenpwned my LinkedIn password was leaked in 2012:

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later.

So in a sense, it is no surprise that someone has that password as it is now more or less public knowledge. In the email text below there several technical giveaways that shows the phishing mail is generated by a computer and not the personal attack it tries to indicate:

  • My personal computer has no webcam
  • It runs Linux and does not initiate RDP (Windows Remote Desktop technology) connections without extra software packages, root access, and configuration.
  • I have received the same mail with slight variations 4 times from different senders (with disposable outlook emails) with 4 different amounts to be paid which indicates that this definitely not a personal attack, but a scripted setup.

Should I be scared and what should I do?

No, you should not be scared. It is seemingly a scripted mail sent to millions of leaked password owners and not actual personal attacks. On the other hand, your password was leaked (albeit a long time ago), so this should be concerning and a reason to change this password if it is used in any other website.

The reason I am writing this post is to make sure that no one sends money to the perpetrators. It is a scam and while it is quite scary with the leaked password it is still just a scam. They have a huge list of 164 million emails and passwords and just needs to mail them all a seemingly personal attack. If just a fraction of these complies with their demands they will be quite rich. Alarmingly, while researching for this post I found that several of the posted bitcoin addresses from victims of similar blackmail had large transfers in the last couple of days, so unfortunately some people are falling for their tricks. You can check the bitcoin addresses on the site blockexplorer.com and see if anything has been transferred so far.

If anything the attempted blackmail should be a good reason to go over your online security and make sure that it is up to date. My personal recommendations are:

  • Use 2-step verification whenever possible – this makes it much harder for perpetrators to gain access by only knowing the password.
  • Use a password manager, either online or locally as KeePassXC. This way only one very strong password is needed.
  • Use different passwords on all sites. This limit the damage is a password is leaked which happens quite regularly.
  • Avoid security questions or at least do not answer them using publicly available knowledge. I usually give my first pet name a randomly generated password that I store in my password manager, see this article for more background: https://auth0.com/blog/are-your-security-questions-as-safe-as-you-think/

Mail text


… is your Password and I’m going to cut to the chase. You do not know me whereas I know you very well and you’re probably thinking why are you getting this mail, right?

I actually setup malware on porn video clips (adult porn) & guess what, you visited same porn website to experience fun (you know what I mean). When you were busy watching video clips, your device initiated functioning as a RDP (Remote Desktop) that has a keylogger which gave me access to your device and also your web cam controls. Immediately after that, my malware collected your complete contacts from messenger, social networks, and mailbox.

What have I done?
It’s simply your hard luck that I saw your blunder. Next, I invested in more time than I should’ve digging into your data and made a two screen sextape. 1st half shows the recording you had been watching and other half shows the view of your web camera (it is you doing naughty things). In good faith, I am ready to destroy all information about you and let you continue with your daily life. And I will give you two options that can accomplish your freedom. Those two choices are to either disregard this letter (bad for you and your family), or pay me $1000.

Exactly what should you do?
Let’s explore those 2 options in details. First Alternative is to disregard this e mail. Let’s see what is going to happen if you take this option. I definitely will send your sextape to all your contacts including members of your family, coworkers, and so on. It will not save you from the humiliation your self will face when relatives and buddies discover your sordid videotape. Second Option is to pay me $1000. We will name this my “privacy fee”. Now Lets see what happens if you go with this path. Your secret remains your secret. I’ll erase the sextape. Once you send the payment, You can freely continue on with your daily life and family that none of this ever occurred. You will make the transfer by Bitcoins (if you do not know how just type “how to buy bitcoin” in google)

BTC ADDRESS IS: 1HGfT6VLTveTzumGyK1Ppi5KMdH95RcH6L
(It’s CASE SENSITIVE, copy and paste it)

Notice: You have one day to make the payment. (I’ve a unique pixel in this e mail, and now I know that you have read this message). You shouldn’t explain no person what you will be utilizing the Bitcoins for or they might not provide it to you. The task to get bitcoins will take a short time so do not wait. If I do not get the Bitcoin, I will certainly send your videotape to all of your contacts including family members, coworkers, and many others. nevertheless, if I do get paid, I’ll destroy the sextape immediately. If you want to have evidence, reply with “yes!” and I will certainly send out your sextape to your 15 contacts. It is a non-negotiable offer, thus kindly don’t ruin my personal time and yours by replying to this e mail.

Further reading

Leave a Reply