Extortion scam! Cybercriminals send victims their own passwords

In late spring last year, there was a significant rise in people receiving dire extortion scam emails demanding payment to avoid the release of sensitive data. Nearly all of these emails claim that malware hiding on your computer has captured compromising photos of you through the webcam. There are, however, variations on the same theme.

These extortion scam emails are not a new phenomenon. However, given the sudden climb in such occurrences, many may wonder whether they ought to be worried. If you have received such an email and are pondering how to respond, we have more than a couple of tips.

Extortion demands

These extortion scam emails share a number of characteristics. A typical sample starts by informing you that the scammer knows one of your passwords. What really ups the ante is that the password is genuinely one of yours. Now you begin to fear the worst, believing that the remainder of the email is true as well. Spoiler – it’s not!

Next, it tells you that the scammer holds compromising details about you, including photos of you in compromising positions captured through malware hiding on your computer. Of course, not all variants share this voyeuristic angle. The general tune, however, remains a threat to do something damaging with data pilfered from the user.

To appease the scammer, you are instructed to remit payment in BTC. The pressure is designed to leave no room for clear thought – you just have to rush and obey!

How truthful are the extortionate demands?

In the vast majority of these cases, none of it is true. There’s simply no malware involved. The scammer is not in actual possession of any of the alleged evidence. Nor is it true that something awful will happen unless you pay the demanded sum. Close to all such cases can be safely ignored.


The part about your compromised password, however, is true. The password did not reach the scammer because of a See-All sneaking up on you with malware binoculars. It’s not as melodramatic or cyber sci-fi as all that. Instead, the truth is much more mundane: the password made its way to the malevolent scammer through a third party, courtesy of a data breach.

The mechanics of the data breach

What happens is that a site you have an account on gets infiltrated, and large numbers of email addresses and passwords are extracted. This data is most likely sold to criminals on the ‘dark web’. It is also possible that the information is simply published on a ‘dark web’ website, encouraging criminality just by being there. Those of a mischievous bent of mind can then collect a number of email addresses and passwords and send crafty extortion scam emails to all and sundry.

Knock-on effect

There’s a certain ripple effect with the publication of sensitive data on dark web websites. If the sensitive data is now out of date and has fallen into disuse, there’s no reason for concern. However, if unscrupulous persons use the compromised data, it can infiltrate and pervade whole layers of your virtual and real life. A lot of other things now come under the threat of compromise. 

Nipping the rot in the bud: password security steps

# Changing your password

Most importantly, change your password on any account that used the compromised password. Make doubly sure the new one is a good one. Long, random passwords are the best.

A good habit is to use a different password for every site. If one password unlocks your account on one site and a host of others, losing that key password puts a whole lot of accounts spread across websites at risk at once. But you do not have to memorise a large number of silly passwords.

# Enter: Password Manager

A password manager is a program made to retain your passwords for you. Password managers are not limited to passwords; they can also store ancillary details such as site name, username and security questions.

Some password managers encrypt your passwords and sync them across devices. You perhaps have a password manager already, since you are very likely using Chrome (Google Password Manager), Safari (iCloud Keychain), or Firefox (Firefox Password Manager).

If you would like something more complex yet customisable, you could opt for 1Password or LastPass.

As the moniker suggests, the ‘Master Password’ is the master of your password universe. It is the only password you have to remember. With it, you have all your secret info under your belt.

Just make sure this master password can keep its secrets, which happens only if it’s both long and easy to remember. A passphrase might be just the thing. Do not use landmark info. You do not want a hacker to be able to dream up word associations that unlock this puzzle.

Thankfully, there’s more to online account security than password management.

# Enter: 2FA or Two Factor Authentication

Two Factor Authentication requires a second piece of information, besides the password, before you can access a website. This is generally a code that must be entered to log in.

As a rule, these codes are sent to you via text message to your phone. The codes can also be made to change every 30 seconds or so. Such codes can be generated by apps that also function as password managers, like Authy.

Two Factor Authentication is set up through the website you want to protect. The site will have the relevant information on this, including which types of 2FA it supports.

# No lie detection: when there’s no Two Factor Authentication

Two Factor Authentication is very much in the same league as Password Managers, or perhaps even better. You may become fond of them if setting them up for different sites becomes your thing! But there will be times when you encounter security architecture that does not permit 2FA. What then?

You know the series of security questions like “What was the name of your best friend during childhood?” The problem with these kinds of questions is that the answers might be in the public domain. What security could they possibly afford then?

We will take up the cloak of Realpolitik here. This is the only time when you are explicitly advised to lie in your own best interests. Then, and only then, would a hacker or infiltrator be thwarted. So make up answers to these security questions that are so fanciful that only you can know and remember them. The name of your best friend during childhood could thus be Daisy Ridley. Or you can come up with an atrocious, long-winded string of symbols that, of course, would have to be easily committed to memory as well.

Ransomware and data exfiltration: the gold standard for Extortion Scam

No matter how we stretch the extent to which extortion scams affect us, they are nowhere near the ability of ransomware and data exfiltration to inspire horror. Nevertheless, we will give a cursory glance to these other threats – not in order to be complacent, but in order to be aware. Regardless of how bad things could get security-wise, we need preparedness, sans panic.

Data exfiltration: how scammers could gain entry

Below are some of the most common attack vectors:

Scammers send carefully crafted extortion scam emails to a targeted group. The email contains malicious links to a compromised website that starts downloading malware as soon as the recipient opens it. The malware installs a backdoor that could enable either direct stealing or the installation of rootkits and keyloggers.

  • Hacked Remote Desktop Protocol 

RDP is a remote protocol that empowers users to access and manage a computer over a network connection. Scammers scan IP and TCP port ranges to find computers running RDP servers.

Scammers use brute force tools that repeatedly and automatically attempt to log in, trying millions of character combinations to figure out the computer’s login credentials.
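From the defender's side, repeated automated login attempts leave a recognisable trail of failed logons from one source address. The following added example (not part of the original article) flags such bursts, and any successful logon that follows one, using Windows event IDs 4625 and 4624; the log layout, addresses, user names, and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records in a simplified key=value layout (an assumption, not a
# real export format). 4625 = failed logon, 4624 = successful logon;
# LogonType 10 (RemoteInteractive) and 3 (Network, seen with NLA) cover RDP.
SAMPLE = """\
2024-03-01T02:14:01 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=administrator
2024-03-01T02:14:03 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=admin
2024-03-01T02:14:04 EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2024-03-01T02:14:06 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=backup
2024-03-01T02:14:08 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=test
2024-03-01T02:14:11 EventID=4625 LogonType=3 IpAddress=203.0.113.7 TargetUserName=jsmith
2024-03-01T02:14:30 EventID=4624 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith
2024-03-01T02:15:02 EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=jsmith
"""

LINE = re.compile(
    r"^(\S+) EventID=(\d+) LogonType=(\d+) IpAddress=(\S+) TargetUserName=(\S+)$")

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts: failure bursts per source IP, and successes that follow one."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = set()               # IPs that already crossed the threshold
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(3) not in ("3", "10"):
            continue              # skip unparsable lines and non-remote logons
        ts = datetime.fromisoformat(m.group(1))
        event, ip, user = m.group(2), m.group(4), m.group(5)
        if event == "4625":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()       # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ts.isoformat()))
        elif event == "4624" and ip in flagged:
            # A success after a burst suggests a guessed password: top priority.
            alerts.append(("success_after_burst", ip, user))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The single mistyped password from 198.51.100.20 stays below the threshold, so an ordinary user's typo does not raise an alert.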

Exfiltration: purposes 

Scammers may steal files seemingly at random, or exfiltration may proceed selectively, with scammers targeting only files of high value.

Even these scammers are not as powerful as they could easily be made out to be. File stealing consumes time, bandwidth, and server space. If the target can make out that something’s amiss, they may well be able to take steps to check the attack before the threat actors complete both the encryption and the exfiltration. This could potentially render the scam and theft a colossal failure.


When faced with an extortion scam email, the most important thing is to keep a cool head and avoid knee-jerk reactions. The scammers who send these emails count on recipients to respond to urban legends rather than facts. Scammers are nowhere near as powerful as all that. No malware can invade systems to become an All-Seeing program that surveils the user’s every action. But passwords are stolen, and that is the manageable threat we must learn to assess.
