Extortion Emails Containing Your Username & Password
by Amber Mac on July 25, 2018
Guest Post by Ryan Duquette – Founder and Principal, Hexigent Consulting Inc.
In the last few days we have had many concerned people contact us in relation to an email they had recently received. For some, this particular email ended up in their junk folder, while for others it came right to their inbox. Some initially believed it to be a phishing email, but had some concerns, while others thought it may have been legit. Some went to our website and read our blog posts about how to spot phishing attacks, but still had concerns.
https://www.hexigent.com/blog-posts/3-signs-that-an-email-may-be-a-phishing-attack
Luckily, for all that contacted us, they took the advice from one of our other blog posts and took a moment to think before reacting.
https://www.hexigent.com/blog-posts/the-1-thing-you-can-do-to-protect-yourself-from-phishing-attacks
However, even after reading our blogs, all still had concerns due to one differentiating aspect within the email they had received. All of the emails had a username and password contained within it that the recipients had either used in the past or were still using.
The email that they received is a variant of “sextortion” scam emails that have been around for some time. However, adding a username and password personalized the email, which can often increase the chance that people think it is real and fall for the scam.
Here is an example of one of those email (areas redacted)
From: Paton Reiner <jrreinaldxtt@outlook.com>
Date: July 20, 2018 at 12:32:24 PM EDT
To: “__________________ (redacted)”
Subject: (redacted – this was the recipients “username” and “password”)
I know (redacted – this was the recipients password) one of your pass. Let’s get right to the purpose. None has paid me to check you. You do not know me and you are most likely thinking why you’re getting this e mail?
actually, I actually setup a software on the xxx videos (porno) website and you know what, you visited this website to have fun (you know what I mean). While you were watching videos, your internet browser started operating as a Remote Desktop that has a key logger which provided me access to your display and web cam. Immediately after that, my software program obtained every one of your contacts from your Messenger, Facebook, as well as e-mailaccount. After that I created a video. First part shows the video you were watching (you have a good taste hahah), and second part displays the recording of your web camera, yea its you.
You do have not one but two choices. We will take a look at each of these solutions in aspects:
First alternative is to disregard this e-mail. In this case, I am going to send your actual video recording to every bit of your personal contacts and then just consider concerning the awkwardness you experience. Not to mention if you happen to be in a relationship, precisely how it will affect?
In the second place alternative is to pay me $7000. Lets name it as a donation. In such a case, I most certainly will straightaway eliminate your video recording. You can continue on with everyday life like this never took place and you will not ever hear back again from me.
You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google search engine).
BTC Address to send to: _____________________ (redacted)
[CASE SENSITIVE so copy and paste it]If you are making plans for going to the cop, well, this message can not be traced back to me. I have covered my actions. I am not trying to ask you for money so much, I simply want to be compensated. I have a special pixel in this email, and right now I know that you have read through this email. You now have one day to pay. If I don’t receive the BitCoins, I definitely will send out your video to all of your contacts including members of your family, coworkers, etc. However, if I do get paid, I’ll erase the video immidiately. If you want evidence, reply Yup & I definitely will send out your video to your 9 friends. This is the non:negotiable offer, so don’t waste mine time and yours by responding to this e mail.
And another example:
From: Lucien Arrow <subkteddyhfq@outlook.com>
Date: July 19, 2018 at 1:08:42 AM EDT
To: “___________” (redacted)
Subject: Re: (redacted – was username and password)
I will cut to the chase. I do know (redacted – was password) is your password. More to the point, I know your secret and I’ve proof of your secret. You don’t know me personally and nobody employed me to investigate you.
It is just your misfortune that I discovered your blunder. The truth is, I actually setup a malware on the adult vids (porn) and you visited this web site to experience fun (you know what I mean). While you were busy watching videos, your browser began functioning as a Rdp (Remote desktop) that has a key logger which gave me access to your screen and web cam. After that, my software collected all of your contacts from fb, and mailbox.
Next, I put in more hours than I should have into your life and created a double screen video. First part shows the recording you were viewing and next part displays the recording of your cam (its you doing nasty things).
Frankly, I am willing to forget all information about you and let you move on with your life. And I will provide you two options which will accomplish that. These two choices with the idea to ignore this letter, or simply just pay me $3900. Let us examine above two options in more details.
First Option is to ignore this email message. You should know what is going to happen if you select this path. I will certainly send out your video recording to all your contacts including members of your family, colleagues, and so on. It won’t save you from the humiliation your self will face when relatives and buddies find out your sordid details from me.
Other Option is to pay me $3900. We will call this my “privacy charges”. Let me tell you what happens if you opt this path. Your secret remains your secret. I’ll delete the video immediately. You keep your daily life as if nothing like this ever occurred.
Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I’ve taken steps to ensure this email message cannot be linked to me and it won’t stay away from the evidence from destroying your daily life. I am not seeking to dig a hole in your pocket. I just want to get compensated for the time I place into investigating you. Let’s hope you have decided to generate all this vanish entirely and pay me the confidentiality fee. You’ll make the payment via Bitcoins (if you do not know this, search “how to buy bitcoins” on search engine)
Required Amount: $3900
Send To This Bitcoin Address: ______________ (redacted)
(It’s case sensitive, so you should copy and paste it carefully)Share with no-one what will you use the bitcoin for or they possibly will not sell it to you. The method to get bitcoin may take a few days so do not wait.
I’ve a specific pixel within this email message, and right now I know that you have read through this email message. You have two days to make the payment. If I do not get the Bitcoin, I will certainly send your video to all your contacts including members of your family, co-workers, and so on. You better come up with an excuse for friends and family before they find out. Nevertheless, if I do get paid, I will erase the recording immediately. It’s a non negotiable offer, so kindly don’t ruin my personal time & yours. Time is running out.
It is not surprising that the people who contacted us were slightly concerned. The recipient of the first email told us that the password was one that he still uses, while the other said that she has not used that password in many years. Research on this particular scam shows that the passwords contained in these emails are quite old (up to 10 years). The most likely explanation is that the perpetrators behind these scams have gathered the email address, username and passwords of their victims from older data breaches and have set up automated tools to email those email addresses found within the data-sets.
Regardless if you have received this type of email or not, here are some tips that could help protect you from these types of scams, and also helps to protect your data.
1. Use a password manager
There are many password managers for you to choose from (https://www.pcmag.com/article2/0,2817,2407168,00.asp). Pick on that is best suited to your operating system and usage. Some allow a user to fill web forms, while others don’t. Some allow you to securely share your passwords across multiple devices (i.e. you make a new password on a laptop and it will also change that setting on your mobile device). As you only need to remember the password to gain access to the manager, make long passwords (30 or more characters).
2. Change your password after a data breach
The fact that one of the people that contacted us is still using the same username and password for the past 10 years, and also uses the same password on many accounts is VERY concerning. If you haven’t changed your password in some time, don’t wait any longer. And don’t use the same password on multiple accounts.
3. Set up 2-factor authentication
2-factor authentication is a secondary form of authenticating access into your accounts. The website https://twofactorauth.org/explains how to set this up on many applications, websites, social media, etc. While some sites send you a text or SMS message, you may also need to install an app such as Authy (https://authy.com/) or Google Authenticator on your devices in order to get 2-factor codes from various places. This is also considered by many as a more secure method than text messages.
Notwithstanding the horrible grammar and spelling mistakes contained in the 2 examples listed above, there are some other impacts to this email that you need to consider.
Ability for someone to Remote Desktop into your system
Someone having remote access to your system is certainly possible given the right circumstances. There are a few ways that you can reduce this risk. One is to disable remote desktop capability. There are many websites such as this one (https://www.lifewire.com/disable-windows-remote-desktop-153337) that instruct you through how to do this. We also recommend not using the Admin account on your own system. Set up a standard user account that does not have full admin privileges. https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/
Key loggers
Key loggers can capture every keystroke on a system, capture video of what a user is doing on a system and more. With access to your system, a perpetrator can certainly install a hidden key logger on your system that will allow them to capture all the activity you do on your system. https://searchsecurity.techtarget.com/definition/keylogger
Access to your web cam
As mentioned above, once someone is able to access your system, they can do a lot, including turning on your webcam or microphone without you knowing about it (no lights indicating they are on). https://null-byte.wonderhowto.com/how-to/hack-like-pro-secretly-hack-into-switch-on-watch-anyones-webcam-remotely-0142514/. There are many things you can do to help with this risk. Many put a piece of tape over their webcam or use more sophisticated methods such as sliding covers. There is also software you can install on your system that will inform you every time your webcam or microphone are activated. On a Mac, one example is OverSight, which can be found at https://objective-see.com/products/oversight.html.
A special pixel in an email that allows someone to know it has been read
This is also possible for someone to do. There are many methods to track if an email has been read, such as the overt one’s available in many email programs (read notifications), and one’s that are more covert in nature. https://en.ryte.com/wiki/Tracking_Pixel.
Hopefully none of you reading this has fallen for this scam and taking some of the steps we’ve mentioned above will certainly help to protect your data.
Stay safe!
This is a guest post from The Hexigent Team
