Just this week, as I was sorting through my email, clearing out spam messages, a subject caught my eye. The subject was “I’m crack <[email protected]>”, and bad grammar aside, I wanted to see what the content of said message was. I’ve received similar messages before, but this one was a step up in sophistication. It read like an episode of Black Mirror (Season 3, episode 3 to be exact). This was the content of the message (certain details have been removed):
I’m a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it. This is your password from [email protected] on moment of hack: <password>
Of course you can will change it, or already changed it.
But it doesn’t matter, my malware updated it every time.
Do not try to contact me or find me, it is impossible, since I sent you an email from your account.
Through your email, I uploaded malicious code to your Operation System. I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the Internet resources. Also I installed a Trojan on your device and long tome spying for you.
You are not my only victim, I usually lock computers and ask for a ransom. But I was struck by the sites of intimate content that you often visit.
I am in shock of your fantasies! I’ve never seen anything like this!
So, when you had fun on piquant sites (you know what I mean!) I made screenshot with using my program from your camera of yours device. After that, I combined them to the content of the currently viewed site.
There will be laughter when I send these photos to your contacts!
BUT I’m sure you don’t want it.
Therefore, I expect payment from you for my silence.
I think $841 is an acceptable price for it!
Pay with Bitcoin.
My BTC wallet: <removed>
If you do not know how to do this – enter into Google “how to transfer money to a bitcoin wallet”. It is not difficult.
After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.
My Trojan have auto alert, after this email is read, I will be know it!
I give you 2 days (48 hours) to make a payment. If this does not happen – all your contacts will get crazy shots from your dark secret life! And so that you do not obstruct, your device will be blocked (also after 48 hours)
Do not be silly!
Police or friends won’t help you for sure …
p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.
I hope for your prudence.
After having a chuckle about the message, I duly trashed it, as I realised that it was nothing more than a scam attempt. But, after having thought about it for a bit, I realised that someone unfamiliar with scam emails could quite easily fall for this particular scam. With that in mind, I’ll go through the message, and outline how to tell this is a scam, and why this particular one caught my eye.
Let’s start by outlining why I feel that this is more sophisticated than others I’ve received. It specifically mentions one of my email addresses, and lists a password that I allegedly entered on a site. I removed the password above for security reasons; the password listed was not my actual password, but it was very close, close enough to make me go “Hang on a minute!” I’ll talk about how the scammer could have got my password a bit later, as they most certainly did not “intercept” my password as I entered it.
So, let’s look at the tell-tale signs it’s a scam, and not from someone who’s actually hacked my account. For starters, the address and password are ones I have used in the past for website accounts, and the actual password for my email account is different (this is why you use a different password for each account). Even so, having my email account password will not help with installing a trojan on my computer, as the computer has a completely different username and password. So, no trojan, which means no way of capturing my alleged porn surfing habits (I assume that’s what the scammer meant when they referred to the “piquant” sites I visit).
Now, the scammer says that they hacked my email account, and sent the message from my own account, and at a quick glance this appears to be the case. However, digging deeper I could look at the headers of the email, and see that the scammer had simply set the Reply-To and From addresses to be my email. Checking where the email actually came from gave a completely different email host to the one I use.
The next problem is that the scammer threatens to send pictures of the “piquant” sites I browse to all my contacts. For starters, unless someone is browsing something illegal, I feel that this is a threat that will only scare a teenage boy. So, given that I don’t browse that kind of stuff, I feel pretty safe there. Besides, there’s also the fact that I actually have no contacts in my email program (they’re all stored elsewhere, on a different account). But, I realise that not everyone will be in the same situation.
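The header check described above can be scripted. The following is an added example, not code from the original post: it parses a constructed set of headers (all hosts, addresses and IPs are made up, and `myprovider.example` stands in for the mail host I actually use) and compares the claimed From address with the host that really handed the message to my provider.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample headers: every host, address and IP here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.scam-host.example>
Authentication-Results: mx.myprovider.example; spf=fail; dkim=none
Received: from mx.myprovider.example (mx.myprovider.example [192.0.2.10])
\tby inbox.myprovider.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mailer.scam-host.example (unknown [203.0.113.45])
\tby mx.myprovider.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: <me@myprovider.example>
Reply-To: <me@myprovider.example>
To: <me@myprovider.example>
Subject: I'm crack
"""
HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\].*?\bby\s+(\S+)", re.S)

def domain_of(header):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def handoff_hop(msg, provider):
    """Hop where my provider accepted the mail from an outside host (only its own Received lines are trusted)."""
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and in_domain(m[3].lower(), provider) and not in_domain(m[1].lower(), provider):
            return m[1].lower(), m[2]
    return None, None

def spf_result(msg, provider):
    """SPF verdict, read only from results stamped by my own provider."""
    for value in msg.get_all("Authentication-Results", []):
        server, _, rest = value.partition(";")
        found = re.search(r"\bspf=(\w+)", rest)
        if found and in_domain(server.strip().lower(), provider):
            return found[1].lower()
    return "none"

def analyse(raw, provider):
    msg = message_from_string(raw)
    host, ip = handoff_hop(msg, provider)
    r = {"from_domain": domain_of(msg["From"]), "envelope_domain": domain_of(msg["Return-Path"]),
         "handoff_host": host, "handoff_ip": ip, "spf": spf_result(msg, provider)}
    r["spoofed"] = in_domain(r["from_domain"], provider) and host is not None and r["spf"] != "pass"
    return r
```

Calling `analyse(SAMPLE, "myprovider.example")` reports a From domain at my provider but a hand-off from an unrelated host with a failed SPF check, which is the mismatch that gives the spoofing away.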
So, the scammer asks for money, and gives a deadline, threatening that they’ll know when I’ve read the email, thanks to their trojan (which they couldn’t install, see above). They also threaten to block my device if I don’t pay. They finish off with the useful advice not to put my password in on unsafe sites (actually, I have to agree with that…).
Given that it’s now over a week since I received the message, I’ve not had embarrassing pictures of me spread over the internet, and I still have access to all my devices, I can say I have positive proof that this is simply just a scam. But, how did the scammer know my email address and (almost know) my password? Well, they hinted how in the message: They got it from a website that I’d signed up for.
How do I know this? I used a site called “Have I Been Pwned?” to see if the email address in the message was known to have been compromised. Unfortunately for me, I had used this email address for accounts on services which had become compromised. The most concerning one was that I’d used this address to register with Adobe for software, and Adobe had subsequently been targeted and compromised. My address also appeared in a listing of over 2800 data breaches that had been distributed online. I’m not sure exactly which account of mine appears in the listing, and the owner of haveibeenpwned.com is not making the contents available, for security reasons.
So, in the end the scammer did their best to convince me that I’d been hacked, but wasn’t convincing enough to make me fall for the scam. So, how can people protect themselves from things like this? There are a few simple things that you can do to protect yourself:
- Go to Have I Been Pwned right now and search for the email addresses/account names you use, and see if they’ve been compromised.
- Change your account passwords if they’ve been compromised.
- Make sure you use secure passwords, and use a different one for each account.
- If you have a lot of passwords to keep track of, use a password manager to store them securely.