More Spam news, Threatening and Blackmail based extortion
There has been another upturn in spam activity, this time a slightly different track to our recent reports where the aim has been to harvest your log on details or infect machines with Malware, this latest round of spam takes a less technological track and flat out blackmail and/or threaten the recipient.
The first example has been picked up by local police, and has received coverage on the Derbyshire Constabulary website. Threatening physical violence against the recipient, obviously a number of people have been greatly concerned about receiving this and similar messages. The Police have said “This is a scam. Do not pay the ransom. We don’t believe the threats to be genuine.” and urged people to share information about this type of email scam “Please share this message with your family and friends, particularly if they are vulnerable” The full contents of the email are available on the link above if you want to familiarise yourself with it.
The second example does not contain threats of physical violence, but tries to illicit a payment via Bitcoin to prevent video captured through your webcam from being leaked, this is often termed “sextortion” . The email claims to have gotten access to your computer via malware, and hijacked your webcam and recorded you while you are unaware. This kind of scam has been around for a while, the additional twist that is being placed on these emails recently is that they also claim to know your password, and they add it into the email, for example:
This is your badluck. I do know loveheart is your pass word. More importantly, I do know about your secret and I have evidence of this. You don’t know me personally and no one employed me to investigate you.
This of course they hope will add more weight to their claim and is used to further scare you into paying the blackmail amount, which varies, the highest we have seen first hand so far is $3600…
the kicker is the password they claim to know may well be correct! So the whole email has got to be legitimate yeah?
Well… not quite. There are have been many many leaks from online services, a few examples are listed here (in fact, even while I have been editing this post, there has been an announcement Reddit has suffered a breach) one of these leaks may have supplied your email address and a password used on one of these sites, and taking into account human nature and that a majority of people use the same, or similar passwords for multiple sites over a long period of time, then it is a distinct possibility that the password in the email is enough to shake you a little bit. But that does not mean that anyone has actually managed to access your computer and view your webcam.
You can in fact use this same site to search if your details have been found in any of the leaks. What do you do if your email does come back with resilts? well that depends on your password practices. If you use a different password for each site you visit, and you have changed your email address since the date of the leak, then you have already done everything you can. If you use the same email address and password (or a close variant) on a number of sites then you may want to change your password.
There are many different guides to best password practice, but most of them share the same core advice, make it long, make it memorable, use unique password for each service / account you have.
Back to the spam email… The rest of it is pretty much run of the mill, along the lines of, I have video of you that you would not want anyone else to see, If you give me money I will delete it all, If you do not give me money then I will send this to all your friends, post it on social media and then goes on with few basic instructions of how to pay the required amount via bitcoin.
Please be mindful of any spam threatening or extorting money from you, or insisting on any action that could provide any furhter details, not all is as it may seem on the face of it, take breath and double check to see if anything you receive into your mailbox is legitimate.