Online credential stealing this year alone affected millions of users.
On the dark web files containing password and email from Netflix, Last.FM, LinkedIn, MySpace, dating site Zoosk, adult website YouPorn, as well as popular games like Minecraft and Runescape have been found and several database leaking have been reported from websites such as LinkedIn, vk.com, and Tumblr.
May be it is time for you to learn and understand why unique and different password for your activities are important and can save you, your work and your family ?
I received a threatening email today on an old mailbox used to compartiment SPAM and "unsafe" registration on different website and application.
A simple combination used for hacking, games or porn forum I had to scan to test tools... something like 10 years ago.
Scanning them back I see one that was closed a few month ago and I guess the database was sold or ended in the wrong hands.
This is the email I found in my mailbox this morning:
I know that, xxxxxxx, is your pass word. you may not know me and you're most likely wondering why you're getting this mail, right?
The fact is, I setup a malware on the adult vids (sexually graphic) and you know what, you visited this website to experience fun (you know what I mean). While you were busy watching video clips, your web browser initiated functioning as a Rdp (Remote control desktop) with a key logger which gave me accessibility to your display as well as web cam. Just after that, my software program obtained all of your contacts from messenger, social networks, as well as email.
What exactly did I do?
I have made a double-screen video. 1st part displays the video you were viewing (you have a fine taste lmao), and 2nd part displays the recording of your webcam.
Exactly what should you do?
Well, in my opinion, $1200 is a reasonable price tag for our little secret. You'll make the payment through Bitcoin (if you don't know this, search "how to buy bitcoin" in google).
BTC ADDRESS: xxxxxxx
(It's cASe sensitive, so copy and paste it)
You have one day to make the payment. (I've a special pixel in this mail, and right now I know that you've read through this mail). If I do not receive the BitCoin, I will definitely send out your video recording to all of your contacts including relatives, coworkers, and so on. nevertheless, if I receive the payment, I'll destroy the video immediately. If you want to have evidence, reply with "yes!" and I will send your video recording to your 14 friends. It is a non-negotiable offer, thus kindly don't ruin my time & yours by replying to this email.
First should I be scare ?
- An email sent by someone with a fony name using an outlook.com email address.
- He grab a username/password combination I used a few years ago.
I checked the websites where I used it (a little more than half a dozen): 2 closed (one recently) 2 are still very active and most are in stasis.
- "busy watching video clips" on a porn site ?... I don't have extra time for digital porn. Ending my workday involve closing my laptop (else it goes on forever).
- My professional computer doesn’t have RDP (the webcam is obstructed anyway) and my "open" station doesn't have a webcam connected.
- I have tools to alert me for unusual activity (key logger for example), to filter my network and I look something like once a week to the running process list (I didn’t see something suspect).
- If I may have visited a website with sexual graphic (you never know) like a banner or a script over a website. I wouldn't have stay long for the guy to appreciate my taste. (thanks I have good taste anyway )
- All the rest is a kind of spying B movie tone with very little garanties something good happen if I comply.
Now, can a guy get a video of me looking at a computer screen ? Yes
Can he have access to a few of my friends and contact by scanning the net ? Yes
Can he create a fake video (me + porn) and post it somewhere ? Yes
Does he have access to my bank account credential and will I pay ? No
I didn’t post the 2 paragraph above to explain myself and what I’m doing on the web (or not) but to help you to analyse properly such message you may also receive.
Note: This was a private attempt to ransomed me not a business breach and unlike the usual African country lawyer that want to give you money. Each case is different.
What I hope is that it make clear for you that you can’t be sure data send over the internet will never be "found" or misused !
So please listen to specialists and follow the rules;
- Password must be unique and if not per website at least per activity.
- Username/Password combination should be traceable.
- Don’t use stupid or life related password (birthday dates, phones, etc). (this anyway without regard of the case above).
- Don’t believe everything you see without analysing, searching, verifying...
- Protect yourself (don’t let open doors, obstruct your webcam when not in use, use tools to monitor your computer activity, etc).
- If you can, use a dedicate computer for private activity with minimum output device and logger (webcam, Remote Desktop, etc).
More to my colleagues and customers willing to use publish a website;
- Use safe security driven software.
- Check that stored password are encrypted and not sent (recover password) over the net.
- Check that it respect user privacy.
- Don’t give access to your server or your user data to a freelancer without good references and reason.
- Consider security a priority and understand it may have critical consequence
- Discuss this question with a specialist because you can’t know everything and experience is priceless
Enjoy whatever legal thing you want to enjoy using the internet and a computer be use protection.