'I know your password...and much more' sextortion scam spreads quickly
It was an email from a stranger that David Cotie couldn't just ignore:
"I'm going to cut to the chase. I'm aware (XXXX) is your password. Most importantly, I am aware about your secret and I've proof of it."
The password (which I've seen, but omitted here) was accurate. Whoever the writer was, he had Cotie's actual password -- an old one, anyway. And he claimed to have much more.
"I installed a malware on the adult video clips (porno) and you visited this site to experience fun (you know what I mean)," the email says. "I then gave in much more time than I should've digging into your life and made a double screen video. 1st part displays the recording you were viewing and 2nd part shows the video from your cam (its you doing dirty things)."
(Misspellings included intentionally)
The writer goes on to demand $3,200 in bitcoins to "forget" the incident. Otherwise, the sextortionist writes, he'll send the incriminating video to all of Cotie's friends and email contacts. Cotie is also warned not to "call the cops."
"You now have 48 hours to make the payment," the note says. "You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I'll destroy the recording immediately. It's a non negotiable offer, thus kindly don't ruin my time & yours. The clock is ticking."
Cotie didn't respond. He instead forwarded the message to his IT department, which found this story on Brian Krebs' security news site explaining the scam.
None of it would seem very real or menacing, but for the "real" password which the criminal sent in the extortion note. Cotie says he hadn't used the jumble of letters and numbers for about three years, but the criminal had it. And that made the threat seem more serious.
"I wouldn’t say I was close to falling for it but it would have been the closest I have ever come and I was jarring more than anything," Cotie told me. "I can see though how some people could fall into it if they actually do stuff on-line that would be embarrassing. These scammers are ruthless and very clever."
Billions of passwords have been stolen in recent years. In fact, 3 billion were taken in just a single hack at Yahoo.com. I spent three months investigating the Yahoo hack in my podcast, Breach. Attacks like these are why: such hacks can have consequences for years. Those passwords are floating around cyberspace now, as criminals try their best to wring cash out of the pilfered data.
In one sense, Cotie should probably feel relieved. As "hacking" crimes go, this is a fairly harmless use of an old, stolen password. It probably means whatever criminal initially stole that data has given up trying to use it to log in at any of the usual places -- its appearance in this kind of Hail Mary extortion note suggests the stolen data is on its last legs of usefulness to criminals.
Still, being presented with a real (if old) password by a criminal could certainly be jarring enough for some victims that they might momentarily panic and concede to a demand.
"I was a bit shaken and felt angry and violated to an extent...I get a lot of phishing e-mails in that filter but the fact that had a password I used was very unsettling once I read it," Cotie said. "I took comfort in that I knew it was not a password I had used in at least 3 years and there was nothing I had done that would embarrass me to the extent the scammer was saying. But it gave me pause for sure. ... I almost wrote an antagonistic reply but thought better of it. I can see though how some people could fall into it if they actually do stuff on-line that would be embarrassing. These scammers are ruthless and very clever."
RED TAPE WRESTLING TIPS
Online extortions of all kinds are a serious and growing problem. To really avoid trouble, consumers should avoid going to the Internet's darkest places, and consider covering up or disabling webcams. When receiving menacing notes, don't panic: Most of the time, they are just scams. And keep in mind that, like Social Security numbers, many of your passwords aren't really a secret any more, thanks to all these hacks. So don't be impressed by a criminal brandishing an old password.
If you've read this far, perhaps you'd like to support what I do. That's easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.