Several friends and professional contacts phoned me this summer saying they had received e-mails from a shady entity claiming to have hacked their computer webcams while they were viewing adult websites. The intruders threatened to send video clips of these people doing – well, you can guess – to all their contacts unless they paid a ransom.
Should they pay? Should they burn their electronics? How does one even buy $1,900 in Bitcoin?
Normally, one could ignore requests from a random stranger making outrageous claims on the Internet. But these messages carried a disturbing detail, something that immediately unnerved their targets. "I am aware, [redacted], is your password," the notes began, correctly.
Imagine finding it in your inbox. Subject line: "[your name] – [one of your passwords]." Try not to take notice.
Here's what I advised everyone to do. First, calm down; breathe. Second, check whether the accounts associated with that password appear in Have I Been Pwned, a searchable database that identifies what personal information may have leaked as a result of various online breaches. If any account that once used that password has been breached, then the extortionist most likely scraped the information from one of those data dumps. Translation: the scammer has not been logging every keystroke, taking screenshots, or recording the webcam. Rather, the crook is scaring unsuspecting victims into forking over cryptocurrency.
In every case I encountered, Have I Been Pwned showed the password in question to have been exposed as part of a data set that originated in a 2012 LinkedIn breach, a relief. So I advised the people who asked me to take a few steps. Change the password on any account that still uses the exposed password. Get a reputable password manager to keep track of the new (stronger, I hope) passwords. Turn on two-factor authentication, an additional security measure, wherever possible, preferably using apps that generate one-time codes rather than SMS. While you're at it, go ahead and cover that webcam. (Brian Krebs, another journalist who investigated the scam, has further suggestions here, as well as an investigation into who might be behind it.)
Ryan Kalember, senior vice president at Proofpoint, a cybersecurity company, shared my instincts. When I e-mailed him for his opinion, he advised, as a first course of action, checking Have I Been Pwned. "If you show up there, you're probably fine – this campaign looks highly automated, with enough tweaking to get past most spam filters and email gateways," Kalember said. But: "If the password does not appear there, it's more troubling, and you should consider whether you've recently clicked on a phishing link for the account where you used that password, or whether your computer was compromised with credential-stealing malware."
None of the people who sought my advice ended up paying the ransom, as far as I know. And none of them, I'm happy to report, has suffered consequences as a result, as far as I know. I certainly have not received any salacious material of their private doings. Thank goodness.
If anyone ever tries to scare or intimidate you into taking an action, like paying a ransom, always treat the threat with extra scrutiny. Criminals are generally not an honest bunch.
If you've been the target of a similar scam, I'd like to hear from you. Drop me a line. And stay safe out there.
This article first appeared in Cyber Saturday, the weekend edition of Data Sheet, Fortune's daily newsletter on the top technology news. To have it delivered to your inbox, sign up here.