I've been getting bombarded with a lot of spoofed messages from alleged hackers lately claiming they have stolen my password by inserting a Trojan from some porn site that I had supposedly visited, and they have hacked my webcam and if I don't pay them in bitcoin they will release whatever... blah blah blah. Here you can read an example below:These messages are clearly spoofed based on the header and IP information. They obviously didn't hack my email. Anyway, pretty funny right?
As you may have noticed, I sent you an email from your account.
This means that I have full access to your account: On moment of hack your account has password: [SOME PASSWORD]
You say: this is the old password!
Or: I will change my password at any time!
Yes! You're right!
But the fact is that when you change the password, my trojan always saves a new one!
I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $523 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”).
My bitcoin address (BTC Wallet) is: 1EGap2ZeR8pf9hfJ2KrSAQ1eYCPBcxJrqo
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
Krebs On Security wrote a post about a similar scam, and this is what they surmised:
It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.Oh, just a site that was hacked 10 years ago? No big deal right? I disagree. I think the passwords these script kiddies are using came from a LastPass breach.
If you don't remember, back in 2015 LastPass reported a major data breach. At that time PC World reported:
The good news is it appears hackers didn’t get away with anyone’s encrypted password vaults. Still, it certainly sounds like a bad breach, but the consensus among security experts is that it could’ve been a lot worse.I'm beginning to think that was either a lie, or LastPass didn't realize how deep their breach really was. Why do I think that? For three reasons:
- The number of spam emails I've received from these guys
- Many of them show different passwords. If it was just one or two sites that were breached I'd see a pattern of the same passwords.
- Many of the passwords these guys show (although not the actual passwords, but are close enough that I can tell that they have my actual password info somewhere) are randomly generated. I only use such randomly generated passwords with LastPass.
So what did I do about it? First, I reset my LastPass master password again, all of my financial account passwords, all of my social media passwords, online store account passwords, etc. I also went through LastPass's security challenge tool to update old passwords, or any passwords I had previously re-used in multiple sites inadvertently.
I had changed my LastPass credentials shortly after the breach in 2015 as directed by LastPass, but at the time believed the reports that none of the vault password information was touched. I'm starting to think that may not be accurate. If you agree with me, then it's time to change all of your passwords too.
Have you received any of these emails? What are you doing about it? Let us know in the comments!