In July of 2018, a new scam started making waves, attempting to extort money with the fear of a sex video recorded of you, gained from a hacked password. But is there more to this?
A new scam is making its way around the internet. It goes something like this:
You don’t know anything about me, but I have your secret password. I have a video of you doing something, and if you don’t pay my ransom, I’ll send it to everyone you know.
It sounds like you’ve just been caught up in a Hollywood movie, but this scam does share something with the story: it’s all fiction.
On this special edition of The Wrap, we’ll explore what this scam does, how it works, and why you shouldn’t be scared.
You have one day to make payment. I know you’ve read this email. Do not delay.
In July of 2018, a new scam started making waves. Arriving with slightly different messages, the crux is generally the same: someone has your password, someone has a video of you accessing pornographic videos from your phone or computer, and if you don’t pay the ransom, your video will be shared with the world.
But is this really as clear as the scam would suggest?
Patrick Gray: So basically what these people are doing is picking through dumps of people’s usernames and passwords and then sending that to people, sending people’s own passwords to them to freak them out and give themselves some credibility as hackers. But no, in the case of this latest scam, these people do not actually have videos of you doing nasty things.
That’s security podcaster Patrick Gray, and he’s not alone, with a view shared by others in the industry.
McAfee’s Alex Merton-McCann told us that in most of the scam reports so far, the passwords have been as old as ten years, and that this was being used to strike fear into people.
Alex Merton-McCann: It’s very unlikely the person who’s emailed you actually has a video of you watching porn, and it’s almost certainly a scam to scare people into paying up. However, it does highlight how creative fraudsters have become.
Your password might seem private, but there’s a good chance the scammer has acquired it from a previous password hack.
Whether you realise it or not, you’ve likely had a service hacked in the past, be it Dropbox, Sony’s Playstation Network or something else, and that has been stored alongside your email address. When those details were hacked, they were likely left in a place that anyone could gain access to, such as pastebin.
Think of this as the communal lost and found, where your lost details can be found by someone else.
When this inevitably happens, people are generally advised to change their passwords immediately, but this doesn’t always happen.
In this extortion email scam, the scammers have tied your email and old hacked password together with a threat. They contain virtually nothing else identifiable, and it’s just a bluff.
Hopefully you changed your password, but if you didn’t, this can seem real, and it should be your wake up call to change that password immediately.
This is a non-negotiable one time offer. Please do not waste my time and yours by replying.
Replying to the email won’t result in anything. The scammer will likely just string you along and try to convince you that you need to pay, threatening you with a video they don’t have.
But the threat is what drives us to pay, and given how much attention this scam is getting, it’s likely working.
So what can you do?
Security podcaster Patrick Gray says you should change your password, and it’s an opinion shared by most journalists, security experts, and researchers.
Patrick Gray: You will want to change the password that sent you if you still use it anywhere, and that’s another bit of good generic advice for 2018 which is don’t recycle passwords. It’s very important that you use different passwords for each service that you sign up to. That way if one of those services gets compromised and someone gets a hold of your password, they can’t use it in other places.
Agreeing with this was Kaspersky Lab’s Noushin Shabab, who said passwords should be complex to help prevent these scams from affecting you.
Noushin Shabab: It’s highly recommended to choose hard to guess passwords including special characters, and also avoid reusing one password for different services. You can even use password managers to manage different passwords for you.
But passwords aren’t the only way out, and there’s more you can do.
Alex Merton-McCann: To avoid being caught out by this scam, if you do receive this email (or anything similar) it’s important you do not respond. To exercise caution, it’s best to change all of your passwords.
Alex’s ideas are common, and they’re shared by Patrick, who agreed and added one more tip.
Patrick Gray: Where ever possible, user multifactor authentication. Gmail lets you download a multifactor authentication app for your smartphone, for example, and you can even use that app as a second factor for a bunch of different services that support it.
And finally, if you’re going to do something in front of your computer that you wouldn’t want other people to see, just put a bit of sticky tape over the camera. You’ll sleep better.
As always, be sceptical of the emails you receive. Cybercriminals will look for any way to relieve you of money, so protect yourself with security, information, and just a healthy amount of scepticism.