I Know What You Did Last Summer — Dark Web Extortion

Jim Mitchell
8 min read · Oct 20, 2018


Recently I received what amounts to an extortion email from someone claiming to be on “the dark web.” I’ll give you a minute to get past your shivering. I listed the full text of the email, minus the sensitive parts, at the end of this post.

Part of it is true. I researched the password quoted in the email, and it was one I had used, together with the quoted email address, to log in to a particular website. So when that website was breached, the attackers got my username and password out of it, either stored in plain text or cracked from a weak hash. A quick trip to HaveIBeenPwned confirmed that the address had turned up in a breach of that site.

HaveIBeenPwned Breach Finding

As I was reading that information, I noticed that HaveIBeenPwned added some useful information below the breach notification. I realize there is a partnership between HaveIBeenPwned.com and 1Password, but it’s good advice whether or not you use that combination.

3 Steps to Better Security

This type of extortion attempt only highlights the idea that a password manager is a required part of daily life. There was a time, albeit long ago, that I used the same password for everything electronic in my life. When I say everything, I do mean everything: banking, email, work, personal, even the login to my computer. There are those of you who still do this, and you know who you are. Since I’ve verified that this ‘person’ had my legitimate password, had I still been using the same one for everything, it would have meant I was already screwed; they could have used that one password to connect to every facet of my existence. Granted, they would need more information to determine where I had accounts, but I had my credit card and shipping information saved on the website they hacked, and they already had my email address. That means that with a simple stroll through my settings and account information on that website, they would know where I lived and what credit card I had. That’s all it takes to send a damned convincing phishing email listing my credit card, home address, and preferences and asking for ‘confirmation’ of other information. The phishing monster is a mean one. Do not underestimate it.

The sender of the email went on to talk about all the access they had to my personal information. They also threatened to send screenshots they collected from my “device” to everyone in my contacts list. Except for my phone, I have no cameras that aren’t covered. Even my work laptop has a cover, and I don’t use it for personal stuff. Also notice the generalized references to “your device” and “the intimate content sites that you occasionally visit”. While I realize they are trying to cast as large a net as possible with as little effort as necessary, it would be much more alarming if, since they say they have all the information, they included some of the links and maybe a photo. They said they have them, right? If they can’t pair your data with your email address, how are they going to know what to delete if you pay them?

I’m throwing the BS flag on this email. The only genuine artifact in it is the leaked password, and that came from a third-party breach dump, not from any “trojan” on my computer. But what could you do to prevent, or at least limit, damage from a data breach on a website you frequent? I’m going to try to give you a nudge in the right direction.

Use a Password Manager

This is the single most important thing you can do. There are countless blogs available that review the strengths and weaknesses of individual password managers. I believe it is a wholly personal decision based on your preferences and how comfortable you are with your tools. What is not debatable is the importance of using one. Any one. I use 1Password from AgileBits. Why? Let me count the ways:

  1. Cross-platform
  2. Fast and secure
  3. Integrates with services such as HaveIBeenPwned

Cross-Platform

Cross-platform simply means that it will run on multiple operating systems and devices. 1Password runs on Windows, Mac, iOS, and Android devices. There is also a browser extension you can use to access your password vault either on Linux or any other machine on which you can’t install a client. There are browser extensions for Safari, Chrome and Chrome-based browsers (including Brave browser, which you should try out), Firefox, Opera, and Microsoft’s Edge.

Fast and Secure

Face it, no matter how good an application is, if it’s not fast enough to do its thing and get out of your way, you’ll get tired of it. On the other hand, if it’s extremely fast, but isn’t secure, then there is no reason to put it in the middle of your workflow. No sense in adding an extra step if there is no benefit. For those interested, you can read about 1Password’s security features here.

Integrates with services such as HaveIBeenPwned

If you recall (I am fluent in ramble), I checked the email address referenced in the extortion email on HaveIBeenPwned. The method by which 1Password integrates with Pwned Passwords is described here, so I won’t go into detail. The short version: 1Password’s Watchtower checks your saved passwords against the Pwned Passwords corpus without ever sending the password itself (only the first five characters of its SHA-1 hash leave your machine, and the matching is done locally), and checks the websites in your vault against HaveIBeenPwned’s list of breached sites, alerting you from within 1Password itself. It’s pretty slick.
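The “only five characters of the hash leave your machine” check is worth seeing end to end, both for the Watchtower integration described above and for the “I researched the password” step earlier in the post: you should never paste a real password into a website to find out whether it has leaked. The following is an added example, not code from the original post or from 1Password or HaveIBeenPwned. It implements the client side of the Pwned Passwords k-anonymity range lookup and, so that it runs offline, a constructed stand-in for the service backed by a made-up four-entry corpus; the breach counts and the function names are assumptions for illustration. The `live_range_endpoint` function talks to the real API and is only there for readers who want to swap it in.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords indexes passwords by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Stand-in for the service, so the example runs offline. ---
# A constructed toy corpus (password -> times seen in breaches). The real
# corpus has hundreds of millions of entries; these four are made up.
_BREACHED: Dict[str, int] = {
    "password123": 123456,
    "letmein": 98765,
    "qwerty": 3800000,
    "Summer2018!": 42,
}

# Index it the way the range API exposes it: 5-hex-char prefix -> "SUFFIX:COUNT" lines.
_RANGE_INDEX: Dict[str, List[str]] = {}
for _pw, _count in _BREACHED.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def fake_range_endpoint(prefix: str) -> str:
    """Emulates GET https://api.pwnedpasswords.com/range/{prefix}: every hash in
    the corpus that starts with those 5 hex chars, as SUFFIX:COUNT lines."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(_RANGE_INDEX.get(prefix.upper(), []))


def live_range_endpoint(prefix: str) -> str:
    """The real service (needs network); same contract as fake_range_endpoint."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Client side: the k-anonymity lookup a password manager performs. ---
def pwned_count(password: str, fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Hash locally, send ONLY the first 5 hex chars of the hash, then match the
    remaining 35 against the returned suffixes on our side. The service never
    sees the password or its full hash. Returns the breach count, 0 if unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: {('seen %d times' % n) if n else 'not in corpus'}")
```

Swap `fetch=live_range_endpoint` into `pwned_count` to query the real corpus; everything the service learns is a 5-character prefix shared by several hundred other hashes, which is the whole point of the design.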

1Password Watchtower

There are many more features within 1Password itself, all of which you can read about on their website. When I started this post, it was most definitely not to write a sales pitch for 1Password. There are many other password managers out there, such as (in no particular order):

  1. Enpass
  2. RememBear
  3. Buttercup
  4. LastPass
  5. DashLane
  6. Bitwarden

That is by no means an exhaustive list. The bottom line of the password manager discussion is, I don’t care which one you use, just make sure it is a legitimate application and use it religiously. So, on to step 2.

Enable 2-Factor Authentication

According to TechTarget.com, two-factor authentication (2FA), sometimes referred to as two-step verification or dual factor authentication, is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user’s credentials and the resources the user can access. For most consumer sites this means one of two methods:

  1. The site sends a text message to your mobile device containing a 4- to 6-digit code. After you enter your username and password, the site requires you to type that code into a prompt before you get in. This is the weakest form, since SMS can be redirected by SIM-swapping your number or read by malware on the phone, but it is still far better than nothing.
  2. An app installed on a device you own (an authenticator app) generates the code itself, from a secret the site shared with you when you enrolled, usually by scanning a QR code. The code changes every 30 seconds, and no network connection is needed to produce it.

Should you go with option #2, countless applications can generate these codes. I won’t go into those apps here other than to say that many of the password managers listed above (including 1Password) provide this functionality, and 1Password will even tell you when you don’t have 2-Factor Authentication enabled on a site that supports it. One caveat: keeping the 2FA secret in the same vault as the password means a compromise of the vault gives up both factors at once, so protect the vault’s master password (and the vault’s own 2FA) accordingly, and save the site’s backup codes too. Essentially, if an attacker had both your username and password, but not your second factor, they would be unable to log in to your account. Pretty neat, huh?

Subscribe to an Alerting Service

I am in no way associated with HaveIBeenPwned or 1Password other than the fact that I use their services every day. There are many services available that can alert you to security breaches. Find one you like and subscribe. I get my alerts from 1Password, through the Watch Tower functionality, and HaveIBeenPwned, through a subscription. Now, before you run off, I’m not talking about a paid subscription to HaveIBeenPwned. You simply go here and enter your email address. Should that email address show up in a breach, HaveIBeenPwned sends you a notification. Easy peasy.

Conclusion

While the email I received was more of a shotgun-style attempt to see who would bite, there are many more that people all over the world have received that are much more personal and have consequences for not responding (see Ransomware).

There are sites you can visit to read more about things you can do and find more secure versions of services to protect yourself. Please check out Privacy Tools, PRISM Break, Privacy Pack, and Surveillance Self-Defense to name a few.

There is no magic bullet to give yourself guaranteed immunity to these attacks. However, if you focus on the basics and approach it one step at a time, you can cobble together a pretty good defense. Had I not used a separate password on every site, and used features like 2-Factor authentication, this person could have gained access to a good part of my life and made it a living hell for a while.

Now for the email:

Hello!

My nickname in darknet is xxxx. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

So, your password from xxx@xxxxx.com is xxxxxxxxxxxx

Even if you changed the password after that — it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $835 is quite a fair price to destroy the dirt I created.

Send the above amount on my BTC wallet (bitcoin): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.

Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere! Good luck!
