Internet scams

I thought I’d share this email I sent to friends and family about a recent scam that happened to me so you can avoid it too. Fortunately for everyone it is doubtful there are any salacious videos of me out there - otherwise I’d be sending out free eye bleach for all recipients:

Dear Friends and Family,

I received an email tonight with an attempt to exploit me for money by claiming my computer had been hacked. It was ‘sophisticated’ enough that I thought I should warn you about it in case it happens to you.

The person attempting to exploit me had actually hacked into my email account that I hadn’t secured very well and sent me an email from that same account to try to trick me. They told me they had activated my computer camera and had video of me viewing embarrassing sites and would send that video to all of my contact list if I didn’t pay them $500 in Bitcoin. They also shared with me my actual password for that email account to try to convince me that they had control over my computer. They claimed they had been watching my computer, exploiting my camera and recording my keystrokes for three months.

While it is possible for hackers to do these things, such as using a web camera without you knowing it or logging your keystrokes, in this case I’m not worried about how they are trying to exploit me. But I’m sending this email so if it happens to you or someone you know, you know what to do and how to best react. Also, because it is likely they’ve gotten access to my online contact list you could get an email with malware attached claiming to have compromising video of me. Of course don’t open it or any unknown attachment because it will almost certainly contain malware - or potentially video of me online reading about current events and getting irritated or falling asleep in front of my computer - which might actually be embarrassing. But it is extremely unlikely they have even that.

So how does this scam work, you are probably wondering? And more importantly how do you identify it or protect yourself?

Unfortunately many passwords get compromised from even legitimate websites and the hackers then post your passwords on the web accessible to everyone. You’ve all undoubtedly gotten notifications from various websites, banks, and other online service providers letting you know your information has been compromised. And once that is out there it is out there for good. Somewhere my password for my email account got posted, and this individual was then able to log into my email account and send me an email from my own account. It becomes alarming when they share your password with you, and it becomes convincing because they’ve shared something with you that only you should know. But just because they have your password doesn’t mean they have control over your entire computer.

So, here are some recommendations on what you should do to protect yourself from these types of exploitations:

  1. First check out your email accounts at https://haveibeenpwned.com - this site will let you know if your email or phone has been included in a data breach. And if it has you should change your passwords immediately. It gives a list of sites that have been breached in the past, and basically there are a lot of big-name websites out there, Facebook and Microsoft among them. If you haven’t been breached I would be very surprised - it is that common.

  2. Make sure you have CURRENT virus and malware protection software on your computers - and that the subscription is current if applicable. There are many free services out there, and your internet service provider may even provide you with free services from Norton, etc. Most importantly though, the subscription must be active - this is the cost of ownership with computers unfortunately - but if your virus software isn’t up-to-date it is basically useless.

  3. Use a password manager and don’t use the same password across accounts or sites - If you use Apple products like I do, the Safari password protection built into the system is sufficient - or choose one of these services: Best Password Manager to Use for 2022 - CNET. They create passwords for you and remember them for you… so you don’t have to. Many will also alert you if your password has been compromised so you can change it.

  4. Set up wherever possible two-factor authentication. This is where when you log into a site it asks you to verify another way, like text a code to your phone. This makes it very difficult for someone else - even if they do have your password - to login. This is where I failed - this email account is with Microsoft and their default protection without this is woefully insufficient and I hadn’t set that up yet.

  5. Check regularly your email accounts and where people have logged in. Here is how you do it for Outlook, How to See if Someone Is Accessing My Outlook Email | Small Business - Chron.com, and here is how you do it for Gmail, Last account activity - Gmail Help. Or if you use a different service just Google “How to check where people have logged into (your email service provider)”.

  6. Many people recommend covering your computer camera when you aren’t using it and I may start doing that myself. Security expert friends also do not recommend having security cams anywhere INSIDE your home.

——

What to do if you get one of these ‘ransomware’ emails?

Most importantly - don’t panic!

  1. Change your password immediately - the scam email will likely tell you not to change your password or they’ll carry out how they are trying to exploit you - odds are very high that all they have is your password and not access to your computer, nor the compromising information they claim to have. Typically if they have compromising information about you they’ll share it with you (like they did my password - but conspicuously absent was the purported video). Most email services also have the ability to sign you out of all other devices - so do that, and check where someone has attempted to sign in. This one for me happened in Algeria.

  2. Make sure your malware software is up-to-date and run a current scan. Again, it is possible they have access to your computer, but unlikely. But you’ll want to make sure your computer is clean.

  3. Check your sent and deleted files, and check to see if they’ve set up any email rules to filter your email to hide their presence - recently another friend was exploited like this and sadly fell for the scam. The scammer had set up some email filtering rules so they could send emails to exploit other of his friends and set up filters to move and delete emails so he had no idea they were sending emails from his account.

  4. Don’t send anyone money anywhere without talking to someone you trust first. That ‘someone you trust’ also shouldn’t be someone who will be emotionally invested in the exploitation. Once that money is gone it is gone, and they may attempt to exploit you for more money after they succeed. I know someone personally who was bilked out of their life savings, not only because they fell for the first scam, but it opened them up to other subsequent scams. They talked to their spouse about it almost immediately, but because they were both emotionally invested they both made bad decisions together.

If you are really worried about it, shut off your computer and feel free to contact me or better yet someone who knows what they are doing. I am far from an expert, but can at least help you check some things, or point you to a real professional. But talking to someone is key - these predators try to exploit embarrassment. Whether it is embarrassment from what you may have done, or embarrassment that you fell for a scam. Don’t be embarrassed.

This particular exploit didn’t work because I’m not embarrassed by a potential video. Regardless, it evoked a strong reaction that my privacy had been breached directly - and even that they’d attempt to send false or embarrassing information about me to others. Plus as mentioned above, if they really had embarrassing information from me they’d likely send me a sampling first.

I AM embarrassed that I failed on this email account to take the advice I’ve given to others so many times.

So, stay safe out there, and remember if you get weird emails from me (or weirder than normal) delete them and please let me know that you received it. It is unlikely that you will.
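The two checks the post recommends after a password-only compromise (review where the account has been signed in from, and look for mailbox rules that hide an intruder's activity) as an added example, not part of the original post. All sign-in records and rules below are constructed for illustration, and the field layout is an assumption rather than any provider's export format.

```python
"""Added example, not part of the original post: a small offline audit of the
two things the post says to check after a password-only compromise, the
account's sign-in history and its mailbox rules.  All records below are
constructed for illustration; the field layout is an assumption, not any
provider's export format."""
from datetime import datetime, timedelta

# Constructed sign-in history: (UTC timestamp, country code, outcome).
SIGN_INS = [
    ("2022-03-01T08:10:00", "US", "success"),
    ("2022-03-02T03:45:00", "DZ", "success"),  # Algeria
    ("2022-03-02T09:20:00", "BR", "success"),  # Brazil, same day
    ("2022-03-02T11:00:00", "US", "success"),
    ("2022-03-03T22:05:00", "RU", "failure"),  # failed attempts are ignored
]

# Constructed mailbox rules: the shapes an intruder uses to hide their traffic.
RULES = [
    {"name": "Receipts", "action": "move", "target": "Receipts"},
    {"name": ".", "action": "delete", "target": None},
    {"name": "RSS", "action": "move", "target": "RSS Feeds"},
    {"name": "fwd", "action": "forward", "target": "someone@example.net"},
]


def flag_sign_ins(events, home_countries=("US",), window_hours=12):
    """Flag successful sign-ins from outside the owner's usual countries and
    pairs of successful sign-ins from different countries closer together
    than window_hours (the "Algeria and Brazil on the same day" case)."""
    findings = []
    ok = [(datetime.fromisoformat(t), c) for t, c, r in events if r == "success"]
    for ts, country in ok:
        if country not in home_countries:
            findings.append(f"sign-in from unexpected country {country} at {ts:%Y-%m-%d %H:%M}")
    for (t1, c1), (t2, c2) in zip(ok, ok[1:]):
        if c1 != c2 and t2 - t1 < timedelta(hours=window_hours):
            findings.append(f"impossible travel {c1}->{c2} only {t2 - t1} apart")
    return findings


def flag_rules(rules, own_domains=("example.com",)):
    """Flag rules that delete mail, bury it in a rarely read folder, or
    forward it to an address outside the owner's own domains."""
    hide_folders = {"rss feeds", "deleted items", "junk email", "archive"}
    findings = []
    for rule in rules:
        name, action, target = rule["name"], rule["action"], rule["target"]
        if action == "delete":
            findings.append(f"rule {name!r} deletes incoming mail")
        elif action == "move" and target.lower() in hide_folders:
            findings.append(f"rule {name!r} hides mail in {target!r}")
        elif action == "forward" and target.rsplit("@", 1)[-1] not in own_domains:
            findings.append(f"rule {name!r} forwards mail to {target}")
    return findings


if __name__ == "__main__":
    for line in flag_sign_ins(SIGN_INS) + flag_rules(RULES):
        print("WARNING:", line)
```

A real audit would feed the provider's exported sign-in activity and rule list into the same two functions; the 12-hour window is a tunable assumption.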

I first had users reporting this particular scam about 3 years ago.

The importance of maintaining distinct passwords can’t be overstated. Periodically changing passwords is also a must. Password managers are really good, but be prepared to switch gears quickly if it gets hacked.

Based on the password age of some of my users who got hit with this one, I think it may have been either an Adobe hack or a Yahoo hack of about 10 years ago.

Email addresses & compromised passwords are bought & sold on hacker markets, and given the age of the Adobe / Yahoo / (who else?) hacks, this is a pretty lucrative hold up for the bad guys that keeps making the rounds.

  • False emotional triggers - “been watching you as you watch bad videos”. That will catch some substantial percentage of recipients, along with the threat to use their address book to let everyone know what they’ve been up to.

  • This one is a low-tech ransomware, an old password and email addy is the only real leverage point. But it freaked out a couple of my users until I talked them down.

  • The real ransomware sophisticates use a number of vulnerabilities to escalate permissions & encrypt sensitive data. It’s a big business. In the one big case I know of, the bad guys sifted through 15 TB of data, found a few MB of ransomable data and moved it offshore to a different country on the other side of the world, a “safe” server they’d hacked to use to hold payload.

The ransom was about $500K paid in Bitcoin, the bad guys covered their tracks amazingly well, and even provided a step-by-step account of how they did it. (In case their country joins the EU in the future and prosecution is attempted, they could offer a defense of providing consulting services, an expensive PenTest)

The stakes can be really high. I personally know of a Google security engineer who was offered $10 Million a year to change teams. It’s crazy out there.

2 Likes

I’m not actually really an Outlook or Microsoft user - this particular email exists largely because we developed some software on .net and so using the Microsoft email environ with this program was the easiest path. So I was honestly a bit surprised at how shallow their default security is, particularly compared to services like Gmail, AWS, etc.

Gmail basically requires you to do two factor authentication, and the second they detect anything even slightly weird you get a notification that an unusual login has occurred, or unusual activity has occurred.

After I changed my password in this account I went to harden some of the security - and found that there had been multiple attempts and access to the account from strange countries around the world. How they didn’t pick up I wasn’t in Algeria and Brazil on the same day is beyond me.

Fortunately this email is strictly for business use, it had no online contact list and if they take the time to scrub my emails they won’t find anything of value other than other potential victims to target with malware. Because of that I was pretty cavalier in my security of it, but even with the knowledge I had, I still got that surprise/shock feeling that for me runs from the top of my head like an electric shock to the tips of my fingers and toes. I hate that.

The FBI is so overloaded with foreign fraud that they won’t even talk to you if it doesn’t approach over $1M.

But a cautionary tale nonetheless. The best medicine is prevention.

This reminds me of getting a call from the enterprise IT Security folks about one of my users, who was using a personal VPN, and logging into our systems from all over the world. Had to gently advise the user to not use the VPN when logging into our systems. (Sometimes our individual precautions snarl things a bit, though I’d much rather have users who are aware and taking precautions than the good people who click on everything that comes in front of them. The biggest part of IT Sec is ongoing & effective education. Some of the most common victims we have are MDs, who can be rapid-fire multi-taskers. Can’t really blame them - it’s a team effort, good & bad.)

In the realm of hacking & what a big business it has become, this is a fascinating read: The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet | WIRED

1 Like

Awesome, I’ll check it out. And to be fair, when you have good IT policy and set up the security right through Microsoft it is great - and will catch the stuff I’ve described.

It’s been a lot of years since my very outdated infosec classes I took at the U, so I’m very out of the realm of cybersecurity - but I’ve loved my touchID and fingerprint scanners on my computers (and hate when I don’t have them). What is your take on them as an actual security measure? I don’t know if you ever saw the movie, “The Big Sick” but there is a scene where the boyfriend takes his girlfriend’s finger, who is in an induced coma, and unlocks her phone so he can notify her parents while saying, “I’m so sorry…”

I remembered the debate of the day being, “What do you do if you lose control of your fingerprint?” to the shortfalls of that security method.

Oh and I forgot - a key point you bring up. If they really had access to my computer they would have exploited it with real ransomware that would encrypt my computer or valuable information and forced me to pay. This was the play of a small time guy (attacking another small time guy) and pretending like he had an upper-hand he/she doesn’t.

I’ve had that one a few times. I mostly found it funny because I don’t even have a webcam hooked up to my home PC. There’s one on my work laptop, but the “threat” was sent to my personal email. I just ignored it, nothing happened (that I’m aware of, anyways).

I do try and keep distinct, unique passwords for everything. Fingers crossed that keeps the lowlifes at bay.

I think I got that one about a year ago. I really liked the implication of how they’d been watching me in compromising activity. I laughed.

The last few months I’ve been periodically watching a guy on YouTube, “Pierogi,” who has a channel called, “Scammer Payback.” He reverse hacks these call centers in India, gets victim info to try to help them stop the hack or get money back, deletes files on the hackers’ computers, etc. He calls out supervisors in these centers by name, tells them their exact location, and other stuff that really pisses them off. Kind of fun.

2 Likes

Bio-auth is good, especially the fingerprint readers. If wearables can get a decent look at oxygen saturation levels, the fingerprint scanners can be made more secure to deal with the scary movie scenario. Along with iris scanners & facial recognition, there are some privacy concerns if the provider is compromised, but for low-risk applications, I’d say they’re fine.

Passwords alone are a big, big issue. MFA - or at least 2nd auths - help protect passwords. But try to avoid SMS texts, which have lousy security… it was never designed with security in mind. Google’s authenticator, the MS authenticator… they’re fine. When my enterprise applied DUO to its email system the number of hacked email accounts dropped to essentially zero. (And the IT Sec folks can now look for signs DUO gets hacked, which is far less stressful than tracking down 10-20 users a week who’ve been compromised.)

I know Apple & MS are working toward a password free world, but while we have passwords, gotta protect them with a 2nd auth. Even SMS is better than nothing.

One pretty clunky but pretty damn good security system is the government’s treasurydirect.gov site where you can buy i-Bonds. They use a combination of controls, but the one I get a kick out of is you can’t use physical keyboards or password managers to enter passwords - it’s all onscreen, all upper case (which is kind of funny). If you forget your password it’s a real pain in the butt, but I can deal with that. Those folks take things seriously, which is appreciated.

EDIT - I remember a couple years ago LA was asking about Proton mail as an alternative. Read the other day they got hacked, or at least some of their users got revealed, part of the Russia / Ukraine conflict.

“Zero Trust” - that is the operating mode IT Sec folks are driving toward. Gotta be that way.

It might be 10 years ago now, but our work systems got compromised via a LinkedIn email hack. First, a cute woman in a blue dress in her profile pic claiming to be a Propulsion engineer from Northrop Grumman started getting networked around to a bunch of people, including me. I’d looked at who else she was connected to, marketing guys, directors, even VPs, and thought it was fine. That year, about Christmas, a whole bunch of Orbital ATK people got a well spoofed “company” email in their personal emails saying they were giving us all a thank you gift and to provide your login to claim it. My BS meter went off so I quickly logged on to my known company site and changed my password just to be safe. Six people across the corporation, including my boss, fell for the email, providing these guys the keys to the computer network. Over the next two weeks there were three or four scam emails, each with more crude login spoofing graphics. The poor IT folks at corporate spent all the holiday season trying to put the genie back in the bottle and we ended up getting rid of remote access in non-company equipment. To my knowledge the six who blew it got no consequences.

3 Likes

But if they would have found porn on their PCs they would have been fired.

1 Like

Yeah. As we also know you can be a designated future star, yet paint government property pink because you think it would look like a penis and be really funny, and pay little career wise for that too. Strange standards at times out there.

1 Like

I kind of remember that the pink paint didn’t go over really well. The person responsible was relegated to a cubicle.

They are now back on the star list and a PM. Go figure.

They did, however, have to be mentored by our old pal Eddie B. Perhaps management thought that was a fate worse than termination. :joy:

1 Like

I have to say that it seems once Obama declared our national Intel would no longer stand by as critical organizations & infrastructure were hacked, circa 2015, the overall picture has not included too many seriously bad, widespread hacks - infrastructure, air traffic control, banks, card commerce, traffic lights, etc.

This continued under Krebs, seems to have continued the last 18 months.

A few years ago among IT Sec thinkers there was serious concern we might see situations where people couldn’t buy gasoline or food with their cards, commerce might be held hostage, traffic held up, etc.

We seem to have found a good balance between the NSA, CIA, FBI protecting us, and not having to reveal their cyber capabilities, too much. We got through the Snowden disclosure “OK”.

When you think about it, phishing emails are a royal PITA, but it could be far, far worse.

3 Likes

We just added DUO to all of our systems, email, VPN, etc. It’s a pain, but well worth it.
Also, we started using a company called KnowBe4 for phishing training and scamming. It works very well. If someone clicks on a KnowBe4 phishing email, they get directed to our training site and they must watch a 10 minute video and pass a test, before they can use their system again.

Works great.

1 Like

The KnowBe4 is pretty good training.

But I’ve gotten so many emails from users asking me if it’s a phishing email, the invite for training.

Sigh…

It’s very true that the most important part of IT Security is users.

1 Like