Go to the U of M home page

Friday, July 20, 2018

Advisory: Scam Extortion Using Leaked Passwords

Attempt to extort bitcoin payment using passwords from data breaches.

Scam Details

  • Victim's email and a password are exposed in a data breach, i.e. Linked-in, etc.
  • Attacker crafts an email to that email address "revealing" they know the password, with the following details:
  • They have installed malicious software on the victim's computer 
  • They have used the victim's computer camera to secretly record the victim watching porn
  • They will send the recording to the user's contacts unless the victim sends bitcoin payment to buy their silence.

What's Going On

Data breaches are all too common - many yielding large "dumps" of email addresses and passwords. The attackers in this scenario are using this information to trick their victim into thinking they have been compromised - which is very, very unlikely. The most convincing piece of information is that they know a single password that the victim used somewhere at some time. Unless they use the same password everywhere (note: this is a very bad practice) it isn't going to unlock their computer.

How You Can Protect Yourself
  • Use unique, strong,  passwords for each account.
  • Use a password manager to track your passwords. (en.wikipedia.org/wiki/Password_manager)
  • Subscribe to haveibeenpwned.com to learn if your email has shown up in password dumps - change any password if an account turns up.
  • You can use haveibeenpwned.com to check to see if your email address has shown up in the past in any password breaches. [Note: haveibeenpwned will not tell you the password that was exposed, but it will tell you the date of the exposure. If your current password is newer than that date, you do not need to update your password.]
See Brian Krebs (notable security blogger) take on this scam at: https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.