A scam that sounds very convincing

by
Print Friendly, PDF & Email
Play

If you read this blog or listen to my podcast regularly, you should probably by now be pretty good at spotting a scam. Or at least being suspicious enough to investigate further. But what if the scammer shows that he has your actual password?

 

This is one that I get calls about pretty regularly. Many of my long-term clients and readers of this blog or listeners to the podcast can catch when a scam is fairly obvious, but this one makes them think twice. Or in some cases, they believe that the message that they received is actually true (it isn’t).

Here’s the email that usually gets sent (for this example, we’ll assume that the recipient of the email has used the word “pineapple89” as one of their passwords, either in the past or currently):

From: scammer@email.com
Sent: Monday, July 20, 2020
To: recipient@email.com
Subject: Your password pineapple89

Your password is pineapple89. I know a lot more things about you than that.

How?

I placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger, which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. The first part recorded the video you were viewing (you’ve got an exceptional taste haha), and the next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe $4900 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy Bitcoin” in Google).

Bitcoin Address:

gb399Hi492hEN7Gvq99jum4WMt4956PcG
(it is cAsE sensitive, so copy and paste it)

Important: You have 24 hours to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts, including relatives, co-workers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your five friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

 

Some observations about that email message:

First, if you suspected this was a scam, what would be the first thing you would want? Proof that they have this alleged video. So they knock down that objection right in the message. You want evidence, ok – we’ll send the video to five of your friends. Of course the victim does not want that to happen.

Second, payment is requested to be made by Bitcoin. This way, the scammers can get the money and still remain anonymous.

Third, what is the real kicker that makes some recipients think it might be real? The fact that the scammer has the actual, legitimate password that the recipient has used in the past, or might still be using on some accounts currently. How is that possible?

You’ve probably heard of the massive data breaches, like the ones that happened at Target, or the multiple times Yahoo! has gotten hacked into. There are lots of other companies that have had this happen.

When the hackers get this data, they are holding in their hands a large database of customer information. In a lot of cases, each record includes the email address for the customer, as well as the password connected with that email address. This information is sold on the black market to scammers.

So the scammers have that list of email addresses, most of which are still actively being used. And they have a password that was also used for that account, whether it was with Yahoo! or whatever the online account was.

And the scammers know one very important fact: many people use the same password for all of their accounts.

So they know that when they send out that email to hundreds or thousands of people, a LOT of those recipients are going to see that password right there, and think, “Oh no – this must be for real”. But of course there is no video, and the whole thing is a bluff.

Many people will read it and ignore it, but if the scammer sends out 1000 of those emails, and just 1/100th of a percent of the recipients fall for it and pay, that’s still a $4900 payday. And if 2 or 3 of those pay, that’s a ridiculous payoff.

What should you do if you get one of these scam emails?

The one thing you should do right away is to change your password for any accounts that still have that password. One of the things scammers are known to do is to try that email and password to log in to bank accounts, Paypal accounts, email accounts, anything that could potentially have value for them. So change that password and never use it again, anywhere.

And more fundamentally – don’t use the same password on more than one account. If you use a password (or a slight variation of that same password), it’s likely you’ll regret it some day.

listen to my podcast in Apple Podcasts

 

https://www.welivesecurity.com/2020/04/30/new-sextortion-scam-claims-know-your-password/

Share this post