So you have just received an email that threatens to expose you for an embarrassing activity, and the sender has included a copy of your password to further “prove” their case. If the password is current, the cyber criminals may very well have proof of you doing something potentially embarrassing. The question is how they got it, and here is a little tip: it was no accident. As Douglas Adams once wrote, Don’t Panic. This article explores the plausible causes for the email and the possible remedies you can undertake.
It should be noted that this threat/scam/cybercrime is an advanced form of social engineering commonly called phishing (pronounced the same way as the ones that swim). Social engineering essentially attempts to exploit human weaknesses or foibles (willingness to please, greed, fear, lying, etc.) to defeat your interpretative mechanisms or to induce a panic that makes you do what the attackers need to further their aims.
The first thing you can do is change the offending password immediately, using strong, robust password practices.
1 – Patch it
Let's think calmly about this for a moment. On any given day now, in excess of 50% of the world's population, or 3.5 billion devices/people, access the Internet. The often-portrayed uber-cybercriminal did not magically target you and compromise your device, or did they? Well, chances are your device is not running the latest patches or has been the victim of a zero-day (the cyber way of saying a not previously detected or identified exploit/weakness). These exploits can allow “admin” or “root” access to your device. This type of access is equivalent to “god mode”: you can read anything, modify files, write new files, basically do anything you like on that device. So an automated part of the exploit code would extract your browsing history, run it against a known set of “embarrassing” sites, and there you are. It would also be able to access your real, current password.
The cure: Make sure you update your operating system and application software IMMEDIATELY. NB: if it's a zero day, it may take a few days for patches to be released. Also check the ASD cyber advisories (https://www.cyber.gov.au/acsc/view-all-content/advisories) for what to do and for updates on the zero day.
Prevention: Ensure your system automatically installs updates. Check that automatic updates are enabled on your devices, and enable them if they are not.
2 – Breached Accounts
If you follow the extremely bad practice of reusing the same passwords, or a “smeagol” password using “the precious” over and over again, sooner or later it will be exposed. So if you are doing that, please just own it and stop it. By doing this you are being part of the problem, and there are very few patches for bad user choices. If this is potentially the case, go to haveibeenpwned.com and check whether your email addresses are listed. If they are listed, there is a good to absolute chance the cyber criminal has used this as one of their information sources. Note that the haveibeenpwned.com site is the literal tip of the iceberg for this type of data. Cyber criminals earn money by selling validated credentials within their criminal networks. If your credentials are validated, i.e. they work, they attract a premium price, sometimes 10x to 500x the cost of a random credential when associated with, say, a banking account.
The cure: Use unique, strong passwords; that way only one account should be compromised. Where possible, enable multi-factor authentication (MFA, 2FA) on your accounts.
Prevention: If you have a repeated password or weak passwords, then IMMEDIATELY set up and use a password manager and use long passwords, i.e. at least 50 characters long and complex. Relax, you only have to remember 1 password, right? Well, no, do not relax. Generate yourself a complex password for the password manager and, where possible, enable multi-factor authentication (MFA, 2FA) to access it, so that your password is not the only credential needed to access your account.
3 – Block Access to the Camera and Microphone
A lot can be gained by the use of some adhesive tape and some folded cardboard. Place it over the lens of the camera. It might not look nerd chic, but it works, and it protects against zero days for imagery. Do not rely on your operating system or programs to control the camera via software. Cyber criminals can bypass this, or sadly someone with access to credit can buy the software to compromise/“hack” your camera or microphone.
Microphones are a little harder to block with physical barriers, but it is not impossible. If you use a headset on a PC or phone, simply unplug your headset once you have finished with it, or get one that has a tactile switch to mute it or turn it off and on. If it's an embedded microphone, use the BIOS to turn it off and purchase a USB-based replacement with a toggle switch.
The cure: Cover up, switch (toggle) off or disconnect your devices when not in active use.
Prevention: Change your usage behaviours. As the saying goes, just because you are paranoid does not mean they are not out to get you!
A final note: if the email is threatening your life or making threats against you or your loved ones, and it's from a person known to you or from an Australian email address, then report it to law enforcement authorities via your local cyber crime unit in the police and also to https://www.cyber.gov.au/acsc/report
The only way evil continues to grow is because good people remain silent!