I’ve been hearing chatter about a new email scam that’s been hitting inboxes. It finally hit mine. In the scam, an email alerts you that “your account has been hacked.” It says that they have all of your social media info plus your porn browsing history. All of this, it threatens, will go to your “contacts” unless you send them some Bitcoin.
Update: Bottom line up-front. Don’t freak out about this, it’s a scam. You can safely ignore the email for the most part. If the login credentials they send you are ones you use on multiple sites, you are still vulnerable, so you might want to read further.
I’m going to walk through what may or may not be true in the email and give some tips on how to protect yourself.
It starts out cordially:
Hello!
I'm a member of an international hacker group.
This is true. They are not in the US and they are using an email stolen from somewhere, so this is no lie. The term “international hacker group” does not, however, mean that they are powerful and sophisticated. In fact, when scrutinized, they are pretty lame.
As you could probably have guessed, your account dogecoin@[redacted] was hacked, because I sent message you from it.
First things first, “I sent message you from it” is a complete lie. I looked at the email headers:
Received: from [41.57.6.107] (unknown [41.57.6.107]) by [my mail server] (Postfix) with ESMTP id 4921CFC003 for dogecoin@[redacted]; Wed, 3 Oct 2018 14:12:29 +0000 (UTC)
This email was sent directly to my mail server from some address in Johannesburg, South Africa. Another one I’d gotten earlier came from Brazil.
Your email software should provide a way for you to see these, and with a little study, you can learn to spot fakes. One useful, but not perfect, indicator of authentic email is DKIM. Some email clients provide a helpful check on DKIM and SPF headers. Needless to say, there was no DKIM information for these emails because they would have had to come from my outgoing mail server — and they did not. This is something you should definitely check immediately if you get a message from “your own account.”
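To make that header check concrete, here is an added Python example (not code from the original post) that parses a constructed header block shaped like the one above and flags a message that claims to come from your own address but neither originated at your own outbound server nor carries a passing DKIM result. The domain, the IP addresses (documentation ranges) and the ESMTP id are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers in the shape of the scam message: the sender is "us",
# but the first hop is a random host that handed the mail straight to our MX.
SCAM_HEADERS = """\
Received: from [192.0.2.10] (unknown [192.0.2.10])
 by mail.example.net (Postfix) with ESMTP id ABC123
 for <victim@example.net>; Wed, 3 Oct 2018 14:12:29 +0000 (UTC)
From: victim@example.net
To: victim@example.net
Subject: Your account was hacked
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyze(raw_headers, own_domain, own_outbound_ips):
    """Return findings for a message that claims to come from our own address."""
    msg = message_from_string(raw_headers)
    sender = parseaddr(msg.get("From", ""))[1]
    claims_self = sender.lower().endswith("@" + own_domain.lower())
    # Each relay prepends its own Received header, so the last one is the first hop.
    received = msg.get_all("Received") or []
    first_hop = received[-1] if received else ""
    match = IPV4.search(first_hop)
    origin_ip = match.group(1) if match else None
    auth = msg.get("Authentication-Results", "")
    dkim_pass = "dkim=pass" in auth.lower()
    findings = {
        "sender": sender,
        "claims_self": claims_self,
        "origin_ip": origin_ip,
        "origin_is_ours": origin_ip in own_outbound_ips,
        "dkim_signed": msg.get("DKIM-Signature") is not None,
        "dkim_pass": dkim_pass,
    }
    # "From our own account" with neither our outbound server as the first hop
    # nor a passing DKIM result is a spoofed sender, not a compromised account.
    findings["spoofed_self"] = claims_self and not (findings["origin_is_ours"] or dkim_pass)
    return findings


if __name__ == "__main__":
    print(analyze(SCAM_HEADERS, "example.net", {"203.0.113.5"}))
```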
The real reason I knew that this didn’t come from my “account” is that there is no “account” for that email address. As I mentioned in a previous post, I can create one-time-use email addresses whenever I need them. When a site requires me to sign up with an email address, I just make a new one. This address was used some years ago when I decided to try mining DogeCoin for fun. I got into a mining pool and needed to set up my identity in the pool via an email address and a password. A few months ago, I began getting spam to that email address which told me that the site I’d used it on had been hacked.
Why did I start getting this blackmail spam? Chances are that the hackers got the email addresses and a "hash" of my password. The password cannot be recovered from the “hash” value directly. Mathematically, recovering a password from a hash is like trying to rebuild an egg from an omelette. Good luck with that.
You can try to guess a password that “cooks” into the same hash. Given enough time, a computer program can search the space of all possible passwords looking for the right guess. The password I’d used was 8 lower-case letters and numbers. It was “medium” strength. A few months is about the right amount of time for it to be cracked. I know they cracked the password because they sent it to me:
Now I have access to you accounts!
For example, your password for dogecoin@[redacted] is [redacted, correct password]
The password they sent me is one I re-use for “don’t care” cases. I knew it could be cracked, so I only use it when I don’t care if it’s cracked. You should never reuse passwords. I only do it because I always have unique email addresses. As a result, the combined email/password credentials are unique. It’s not strong security, but it’s OK for low-risk cases.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we've gotten full damps of these data.
This is not true for me, but there might be a question whether or not it was true for you. Once hackers have obtained a set of credentials, there are scripts that will run through the gamut of popular social media, email, and financial sites to see if the credentials unlock other accounts. The automated script will blaze through hundreds of sites, so don’t think that yours is “too obscure.” I know they are lying because even though they obtained a real email and a real password, those credentials don’t unlock any account other than the one they were stolen from.
If you get this email and you reused those credentials, you actually might have to worry. So don’t reuse passwords. I do not reuse passwords on any important accounts (e.g. social media, email, or finance). You should never reuse passwords. I am going to repeat this again. Sorry, but I’m trying to make it clear that you should never reuse passwords.
The email is frighteningly manipulative, claiming:
We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
My tastes are embarrassing only because they are so vanilla and boring.
This was a nice, creepy, touch:
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
If you have a PC with a webcam, cover it, and avoid doing anything embarrassing in front of it. My laptop webcam is disabled at the BIOS level. None of my regular systems have webcams at all.
Finally, the blackmail request:
Transfer $800 to our Bitcoin wallet: 1CMQMKmvT4hz2k2ijyxVxN7fHS62K7uQ7z
The blockchain — the ledger that tracks Bitcoin “wallet” balances — is 100% public. There’s no way to identify who owns that wallet, but we can see the transactions. As of this writing, the scammers have gotten 5 payments, worth about $3000 at today’s price. The first scammers that wrote me are already up to 10. They’ve netted only $4900 because they only asked for $700.
They explain:
If you don't know about Bitcoin please input in Google "buy BTC". It's really easy.
Buying Bitcoin isn’t really that easy. Most legitimate Bitcoin exchanges will make you go through a vetting process similar to setting up an online stock trading account. That takes a few days. The emails threaten you with a 48-hour deadline which might not be enough time to get your account set up to buy Bitcoin.
An alternative is to use a Bitcoin ATM. This is a machine that allows you to stuff in real money and have it put an equivalent amount of Bitcoin (minus a steep transaction fee) into your Bitcoin wallet. Depending on where you live, there may be one near you. I was surprised to discover how many are in my small, Midwestern city.
They ended with some friendly advice:
You should always think about your security.
We hope this case will teach you to keep secrets.
Take care of yourself.
Good advice. So how do you do this?
Don’t Reuse Passwords
Most sites require passwords that meet some standard. This makes the passwords difficult to remember. There are secure ways to store these, but the most secure storage is in your memory.
One trick is to start with a strong password that you can remember with a trick. For example, 4audtB4u! could be remembered with the phrase “For all you do, this Bud’s for you!” Then, for each individual site, tack on something unique to that site. Thus, your Facebook password might be 4audtB4u!FB, whereas your Daily Kos password would be 4audtB4u!DK. If your Facebook credentials are stolen (more likely than Kos), the automated scan will not be able to guess your corresponding Daily Kos password or any other for that matter. The script is looking for easy targets, so a human isn’t going to try to figure out your pattern. (This advice is void if an actual human is targeting you specifically.)
Some sites no longer place any restrictions on password content because the original concept of “strong password” turns out to be bullshit. For those sites, use a series of words separated by spaces. In the example at the link, they use “correct horse battery staple”. Anything 14 characters or longer is good (with respect to current technology).
Me? I go nuts. My Google password is a movie quote that’s over 50 characters long. Even if you know my favorite movies, good luck cracking it — even with software designed to crack passwords that are movie quotes. This is especially true of my Google password because I…
Use Two-Factor Authentication
A password is “something you know.” You can add an additional authentication factor: something you have. These days, that’s often your phone. Some sites will send you an additional code in a text message. Other sites use an “authenticator app” which will generate a one-time six-digit code. All of the authenticator apps use the same algorithm (OATH TOTP) so it doesn’t matter which one you use. I use Yubico Authenticator, which requires that you tap a Yubikey on your phone before it will give up the codes. That way, if someone steals my phone, but not my keys, the thief cannot use my authenticator app. (Note: Android phones only. Sorry, iPhone users.)
What is a Yubikey? This is a brand of "Universal 2nd Factor" (U2F) token. You need to insert this token into a USB port on your PC to use it. The more advanced Yubikeys also have NFC features that allow you to tap them on your phone. Google and Facebook both support U2F tokens and they are much more secure than authenticator apps.
Addendum: At this point, I’ve gotten a third email. I’m wondering how many of the poor schmucks who paid off the other scammers who emailed me were then hit by subsequent emails. How many will they pay off?