Once again, another sex-extortion (hence, "sextortion") scam is going around, and potential victims are receiving bogus emails implying that the sender has incriminating video or photos and will expose the victim if a ransom isn't paid. What makes this one a bit different from previous bogus emails is that a real, previously used password is included in the email, making it seem more "real" to the victim. A few of my clients have contacted me in the last few days with the same email message that was sent to them. It's bogus.
How did this password get there? Well, considering there have been so many breaches of legitimate web sites in recent years (Equifax, Citibank, etc.), it's not a surprise that the "bad guys" have multiple databases of real passwords that some people have used in the past. So, the bad guys are counting on a few things: that the victims have indeed visited porn-related web sites, that users believe the scammer's assertion that their computers have been "hacked" to record videos of themselves, and that the users have used the same passwords on those adult sites as the ones that were stolen from legitimate web sites. This would make it seem that the scammer's assertion may be true.
The rest of the message appears to be rather vague with no specifics about the user. However, it's relatively threatening and the scammer is demanding a ransom payment or compromising information will be sent out to many of the victim's friends (how would the scammer know this?).
The take-home messages on this scam:
- It's a scam. It doesn't "feel" personalized other than the stolen password from another site.
- Never use the same password on more than one site. That way, if the password does get stolen or compromised, the other sites you use (Amazon, eBay, Gmail, etc.) can't get hacked. You wouldn't use the same physical "key" on your keychain for every door you need to unlock, would you? If you had multiple physical keys and one gets lost, you wouldn't need to replace all your other keys. See the analogy?
- Change your passwords often and make sure they're strong passwords. Use a few words strung together if you don't like complex passwords that combine multiple letters, numbers and symbols. Something like "Bone-tricycle-4hotpot" is a much stronger password than "3$Hru151#js!" and is much easier to remember.
- Use a password manager to make it easy to generate strong passwords and to keep track of them. I've got over 400 unique passwords and I keep track of them in 1Password. Get it.
- Good security is not convenient.
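To put numbers on the "words strung together" advice above, here is an added example (not part of the original post) that estimates password strength in bits for a passphrase of randomly chosen words versus a string of random printable characters, and generates a passphrase with a cryptographic random source. The word list below is a constructed stand-in; the entropy estimate depends only on the size of the list, and the 7776-word size is assumed as the usual diceware-style list length.

```python
import math
import secrets

# Constructed sample words: a real passphrase generator draws from a list of
# several thousand words. Only the list SIZE matters for the entropy estimate.
SAMPLE_WORDS = ["bone", "tricycle", "hotpot", "lantern", "pebble", "orbit",
                "maple", "canyon", "velvet", "saddle", "comet", "harbor"]

# Assumption: a diceware-style list of 6^5 = 7776 words.
DICEWARE_LIST_SIZE = 7776

# Printable ASCII (letters, digits, symbols, space) as the random-character alphabet.
PRINTABLE_ALPHABET_SIZE = 95


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy in bits of word_count words drawn uniformly at random from list_size words."""
    return word_count * math.log2(list_size)


def random_chars_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET_SIZE) -> float:
    """Entropy in bits of `length` characters drawn uniformly from an alphabet of alphabet_size."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of random words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick words with the CSPRNG-backed `secrets` module (never `random`);
    the separator keeps word boundaries unambiguous."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # Compare a 3-word passphrase with a 12-character random password.
    print(f"3 random words from a {DICEWARE_LIST_SIZE}-word list: "
          f"{passphrase_bits(3):.1f} bits")
    print(f"12 random printable characters: {random_chars_bits(12):.1f} bits")
    print(f"Words needed to match 12 random characters: "
          f"{words_needed(random_chars_bits(12))}")
    print("Sample passphrase:", generate_passphrase(5))
```

The estimate only holds when the words are chosen at random from the list; a phrase a person composes from memory carries less entropy than the formula reports. The practical point of the post stands: a random passphrase of enough words is both strong and memorable, and a password manager removes the need to remember any of them.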
Read on to hear more about this bogus scam.