Did you receive an email with your password and a bitcoin ransom request?

Ransom request due to password leak and webcam video

In recent days many users (one of the first was my friend Stefano Capaccioli, whom I would like to thank) have reported receiving an email whose subject is ... their password. Not a fake password, but one they currently use or used in the past. The message goes on to explain that, knowing the password, the author was able to access our PC through an RDP session that let him watch the screen and the webcam while the user was viewing pornographic videos. It is not a new story: it recalls the Black Mirror episode in which the protagonists are blackmailed by someone who gained access to their PC's webcam and recorded the scenes then used for extortion.

Does anyone have a video of my PC and my webcam?

The person, whom we can now safely call a criminal, adds that he has captured both the pornographic video and us while we were watching it, activating the PC's webcam without our knowledge. Having then acquired, via keylogger and remote desktop, all our data including the contacts from Messenger, Facebook and email, the attacker continues, it would take little to spread the video, unless we pay a ransom (at this point it is clearly extortion) of $1,900 or $2,900 in bitcoin, sent to a BTC address specified in the email.

The text then states that there is only one day to pay, counted from when the message is read, and that the author, thanks to a tracking pixel embedded in the message itself, will know exactly when we have read it. Once the day has passed without payment, the hacker will have no choice but to send the video to our family, friends and relatives. If instead the ransom is paid, the video will be deleted immediately and we will be left in peace.

Do you want proof that the video exists? You only have to reply to the message, instead of paying, and the criminal will send a copy directly to eight of our contacts; note well, not to us. In practice nobody will try to obtain proof of the video, precisely because doing so would already disclose it.

The original message with the ransom note
This is the text of the original message; the real password has been replaced with “qwerty123”:

From: __________ <_________ @ outlook.com>
Date: 10 July 2018 12:53:32 CEST
To: “__________” <_________ @ gmail.com>
Subject: qwerty123

I am aware, qwerty123, is your pass word. you may not know me and you’re most likely thinking why you are getting this e-mail, right?

Let me tell you, I placed a malware on the adult videos (pornography) and you know what, you visited this web site to experience fun (you know what I mean). When you were watching videos, your internet browser began working as a Rdp (Remote desktop) having a keylogger which gave me access to your display and also webcam. After that, my software obtained your complete contacts from messenger, fb, as well as email.

What did I do?
I created a double-screen video. 1st part displays the video you were viewing (you’ve got a nice taste rofl), and second part displays the recording of your cam.

Exactly what should you do?
Well, honestly, $1900 is a fair price for our little secret. You’ll make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in google).

BTC ADDRESS: _____________________________
(It is CASE sensitive, so copy and paste it)

Note:
You now have one day in order to make the payment. (I have a special pixel within this email message, and now I know that you have read through this message). If I do not get the BitCoin, I definitely will send out your video recording to all of your contacts including members of your family, colleagues, and many others. nonetheless, if I receive the payment, I’ll erase the video immediately. If you want to have evidence, reply with “yes!” and I will send your video recording to your 8 contacts. It is a non negotiable offer, thus don’t waste my personal time & yours by responding to this email.
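As an added example (not part of the original post, nor code from any tool the post mentions), the following Python script turns the indicators visible in the message above into a simple triage check over a constructed copy of it: the "is your pass word" claim, an embedded BTC address, the webcam and RDP/keylogger story, the dollar amount, the one-day deadline, the tracking-pixel claim and the threat to send the video to contacts. The two sample messages, the indicator weights and the threshold are my own assumptions; the BTC address in the sample is a placeholder of the right shape, not a real address.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the message quoted in the post. The BTC address
# is a placeholder of the right shape (Base58 characters, leading "1"), not real.
SAMPLE_SEXTORTION = """\
From: someone@example.invalid
Subject: qwerty123

I am aware, qwerty123, is your pass word. Let me tell you, I placed a malware on the
adult videos and your internet browser began working as a Rdp (Remote desktop) having
a keylogger which gave me access to your display and also webcam.
I created a double-screen video. Well, honestly, $1900 is a fair price for our little secret.
You'll make the payment through Bitcoin.
BTC ADDRESS: 1CoNsTrUcTeDpLaCeHoLdErAaBbCcDdEe
You now have one day in order to make the payment. (I have a special pixel within this
email message.) If I do not get the BitCoin, I will send your video recording to all of
your contacts including members of your family and colleagues.
"""

# Constructed benign message sharing a few keywords but none of the structure.
SAMPLE_BENIGN = """\
From: helpdesk@example.invalid
Subject: Security newsletter, July

This month: bitcoin scams reported to the helpdesk, and the webcam covers we bought
are available at reception. Change your password if you reuse it across services.
"""

# Indicator name -> (regex, weight). Weights are an assumed, uncalibrated
# judgement of how specific each signal is; tune them on your own mail flow.
INDICATORS = {
    "password_claim":     (re.compile(r"\bis your pass\s?word\b", re.I), 2),
    # Legacy Base58 addresses (1... / 3...) or bech32 (bc1...); case matters.
    "btc_address":        (re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"), 2),
    "webcam":             (re.compile(r"\bweb\s?cam\b", re.I), 1),
    "malware_rdp":        (re.compile(r"\b(?:rdp|remote desktop|keylogger|malware)\b", re.I), 1),
    "deadline":           (re.compile(r"\b(?:one day|1 day|24 hours|48 hours)\b", re.I), 1),
    "tracking_pixel":     (re.compile(r"\bpixel\b", re.I), 1),
    "threat_to_contacts": (re.compile(r"\b(?:all of your contacts|your contacts|family|colleagues)\b", re.I), 1),
    "ransom_amount":      (re.compile(r"\$\s?\d[\d,]*"), 1),
}
THRESHOLD = 5  # assumed cut-off: total weight at or above this is flagged


@dataclass
class TriageResult:
    score: int = 0
    hits: dict = field(default_factory=dict)        # indicator -> first matching text
    btc_addresses: list = field(default_factory=list)
    amounts: list = field(default_factory=list)     # dollar figures found, as strings

    @property
    def is_likely_sextortion(self) -> bool:
        return self.score >= THRESHOLD


def triage(message: str) -> TriageResult:
    """Score one raw email body against the indicator table and extract the
    artefacts (addresses, amounts) a helpdesk or abuse team would record."""
    result = TriageResult()
    for name, (pattern, weight) in INDICATORS.items():
        match = pattern.search(message)
        if match:
            result.hits[name] = match.group(0)
            result.score += weight
    result.btc_addresses = INDICATORS["btc_address"][0].findall(message)
    result.amounts = re.findall(r"\$\s?(\d[\d,]*)", message)
    return result


if __name__ == "__main__":
    for label, sample in (("scam sample", SAMPLE_SEXTORTION), ("benign sample", SAMPLE_BENIGN)):
        r = triage(sample)
        print(f"{label}: score={r.score} flagged={r.is_likely_sextortion} "
              f"btc={r.btc_addresses} amounts={r.amounts}")
        for name, text in r.hits.items():
            print(f"  {name}: {text!r}")
```

The extracted address and amount are the useful artefacts: a mail gateway can route flagged messages to a reassuring canned reply, and the address can be recorded to see whether several reports share the same wallet, the question the post raises below about rotating addresses.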

How did they get my password?

The password, as anyone who received the message will have noticed, is correct: if not the current one, it is still a password used in the past. The criminals have collected millions of passwords by exploiting the various leaks released online, on the dark web and on torrent sites, which contain data stolen in recent years from giants such as Dropbox and LinkedIn.

Obviously, if you have not yet changed that password, do it immediately, especially because you may have changed it on the service where the leak was reported but not on other services where (something never to do) you used the same credentials.

A test anyone can do is to enter the email address on which you received the ransom request into the Have I Been Pwned service, which tells you whether that address appears in the various lists of passwords and credentials released on the dark web.
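The Have I Been Pwned check described above is done by email address in the browser. As an added example (not the post's own code and not an official HIBP client), the Python script below shows how the companion Pwned Passwords lookup can be done without ever sending the password itself: HIBP's range API (https://api.pwnedpasswords.com/range/<prefix>) takes only the first five characters of the password's uppercase SHA-1 hash and returns every known hash suffix for that prefix with its breach count, so the actual match is made locally. The network call is only made from `main`; `constructed_range_body` builds a fake response for offline use, and the User-Agent string is my own choice.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to HIBP and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in breaches according to a range
    response for its prefix; 0 means the suffix was not in the list."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live query: send only the 5-char prefix, receive all suffixes for it."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example"},  # assumed value
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


def constructed_range_body(password: str, count: int) -> str:
    """Fake range response for offline demos: the password's real suffix plus
    two constructed filler lines in the same SUFFIX:COUNT format."""
    _, suffix = sha1_prefix_suffix(password)
    return "\r\n".join(["0" * 35 + ":3", f"{suffix}:{count}", "F" * 35 + ":1"])


if __name__ == "__main__":
    # Offline demonstration with the placeholder password from the post.
    body = constructed_range_body("qwerty123", 4711)
    print("offline:", breach_count("qwerty123", body))   # 4711 by construction
    # Uncomment for a live check; only the hash prefix is transmitted.
    # print("online:", check_password_online("qwerty123"))
```

The point of the design is that the server learns only a 5-character prefix shared by hundreds of hashes, so it cannot tell which of them you were checking; this is why the check can be built into a password-change form without leaking the new password to a third party.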

Do they really have a video of my webcam?

No, they do not have it. They pretend to, hoping the victim will pay out of guilt (perhaps because he really has watched some pornographic video) and out of fear that compromising images will be spread. Generally, when a real sextortion scheme is started, the blackmailer shows the victim the loot, the material he threatens to divulge if he is not paid. Not showing it is often a sign of a mere attempt to deceive the victim into believing he is really being blackmailed.

When in doubt, should I pay the ransom?

Paying the ransom is never the solution.

Or rather, in some cases (e.g. many ransomware infections) paying does actually get your own data back, but at the cost of a favour to criminals, who will use it to increase their destructive power by building ever more effective extortion schemes. In the case of blackmail by an email containing our password, paying serves no purpose, since the blackmailer does not have our data (unless, of course, the password is the current one and he has actually gone and downloaded the contents of our mailbox). There are also sextortion cases in which paying the ransom has set off a mechanism that is impossible to stop, made of continuous demands for payment, usually via Western Union and much more rarely in bitcoin.

Searching the net you can find references to the bitcoin address 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72, on which victims are asked to pay the ransom, an address which, incidentally, has actually received money. Other reports mention different addresses, never used, so it is not clear whether the criminals use a set of addresses rotated among victims, or whether several criminal groups are using this extortion scheme, each with a different BTC address.

What can I do to prevent this kind of problem?

First of all, never use the same password on more than one service. Use one for Facebook, one for email, one for Twitter, one for LinkedIn and so on. Change them occasionally, but above all when leaks come out involving services where we are registered.

To stay up to date on password leaks you can subscribe to Have I Been Pwned's Notify Me service, which sends a free email as soon as a password list containing our address appears. Secondly, always enable on the services where we are registered the protection called “two-factor authentication”, which means that to access our account from a new PC it is necessary to enter not only the password but also a code that we receive on our phone number or display on our smartphone.

Finally, even if it may sound like an urban legend, it does no harm to cover the webcam when you are not using it: not all notebooks or PCs have an LED that signals that the webcam is active, and apparently even that can be fooled. For those on macOS, a good piece of software that prevents unintentional audio or video activation is OverSight, developed to alert the user when some process, unbeknownst to everyone, is activating the microphone or recording video from the webcam.
