Although email scams are often quite predictable, a new spin on the same old con could end up deceiving many users. This new form of ransomware uses the recipient"s real password as proof that their online data has indeed been hacked.
Woah. This is cool. A Bitcoin ransom with using what I think is passwords from a big leak. Pretty neat since people would be legit scared when they see their password. The concealed part is actually an old password I used to use. pic.twitter.com/clEYiFqvHY
— can (@can) July 11, 2018
Programmer Can Duruk is one of few the users who have received this email so far. Fortunately, it seems that the passwords the blackmailer has obtained are all over 10 years old, with none being currently used by recipients of the email. All of these emails seemingly start off with the statement, "I’m aware that [insert old password here] is your password", moving on to a demand of money from the recipient and a subsequent threat of releasing a video of their supposed visitation of a porn website unless the demands are met.
These passwords have presumably been obtained by the hacker in multiple corporate break-ins that have taken place over the past few years. Just to clarify, it is highly unlikely that "a malware on the adult video clips site" is installed to entrap users. According to Krebs on Security, the hacker has probably created a script that obtains usernames and passwords from a popular website breached over a decade ago, and then sends the same generic message to email addresses that were used to sign up at said website. This is why those affected by this scam have only been threatened with their old passwords.
This type of scam is termed "sextortion", and has unfortunately proven to be quite dangerous to any involved individual"s well-being. These cases usually consist of blackmailers persuading their victims to perform sexual acts in front of their webcam, the videos of which are then threatened to be released online unless they get paid. However, they can also involve techniques like the one being employed by this email scammer, in which victims are informed that, unbeknownst to them, they were recorded while performing an undesirable act, with their old password being provided as proof. This eventually leads to them panicking and succumbing to the blackmailer"s demands.
Unfortunately, a more industrious hacker could possibly use the data from a recently hacked website, threatening users with a much more believable, current password. In order to keep yourself safe from these sort of scams, it is recommended to periodically change your passwords and refrain from signing up at unknown websites.
Source: can (Twitter) via TechCrunch, Krebs on Security | Image via GoHacking