A former colleague of mine recently shared an email she received from a purported hacker:
The picture is a bit grainy, so here’s what it says (censored for obvious reasons; poor grammar left intact for hilarity):
I’m a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it.
This is your password from XXXXX@XXXXX.com on the moment of hack: XXXXXXXXXX
Of course you can will change it, or already changed it. But it doesn’t matter, my malware updated it every time.
Do not try to contact me or find me, it is impossible, since I sent you an email from your account.
Through your email, I uploaded malicious code to your Operation System. I saved all of your contacts with friends, colleagues, relatives, and a complete history of visits to the internet resources. Also I installed a Trojan on your device and long tome spying for you.
You are not my only victim, I usually lock computers and ask for a ransom. But I was struck by the sites of intimate content that you often visit.
I am in shock of your fantasies! I’ve never seen anything like this!
So, when you had fun on piquant sites (you know what I mean) I made screenshot with using my program from your camera of yours device. After that, I combined them to the content of the currently viewed site.
There will be laughter when I send these photos to your contacts! BUT I’m sure you don’t want it.
Therefore, I expect payment from you for my silence. I think $833 is an acceptable price for it!
Pay with Bitcoin.
There’s a lot to unpack in this message, but the important takeaway is that my friend wasn’t actually hacked. Poor grammar aside, the attacker has executed a believable social engineering campaign that sadly many people may fall for.
Let’s take a few minutes to dissect this attack and discuss some strategies to keep yourself protected.
Why is this attack believable?
Legitimate “From” Email Address
Although I cropped this part out of the original picture, this message was, in fact, “sent” from my friend’s email address. The message would have you believe that her computer and email account have been compromised — and that’s why she’s receiving the message.
In reality, it’s really easy to send an email using any “from address”. It’s just as easy as sending mail via the USPS and using a spoofed “return address” in the upper-left corner of the envelope.
Legitimate “Hacked” Password
Next, the email contained a password that my friend had indeed used at some point in the past. The fact that it’s a real password that the recipient would recognize makes this attack very believable.
In reality, my friend had an account involved in an unrelated cyber breach — meaning some other company was hacked, and the password she used on that company’s website is what is seen here in the email.
Effective Social Engineering
Ransomware is a thing that many people fall victim to, and it’s constantly in the news. People know about it, which is another reason this attack sounds believable. Other cybersecurity buzz words also lend credibility to the message: “cracked”, “malicious code”, “Trojan”, and “malware”.
Moreover, the real attack vector in this message is blackmail.
Many, many people love their porn — and as the author of this message would have you believe, my friend allegedly visited some “piquant sites” with “intimate content”. She didn’t actually, which is why she knew this message was fake, but enough people do that social engineering attacks like this are highly successful.
Can you protect yourself?
Simply being aware that social engineering attacks are common is a good first step to protecting yourself. Messages like the one above can be very convincing, but you should always be suspicious whenever you receive a message like this.
The number of data breaches every year (4.5B in the first half of 2018 alone!) makes it difficult to keep your personal data from being used in a social engineering attack. Limiting the amount of personal data you put online is always a good idea, but sadly this problem is only going to get worse — being aware of the tactics is ultimately the best way to keep yourself safe.
Another security best practice (and perhaps the most important thing you can do to protect yourself against attacks like this) is to practice good password hygiene. Never use the same password on multiple websites — either you’ll actually get hacked, or you’ll fall victim to a social engineering attack like the message above.
You should also keep your antivirus software up-to-date, your computer’s firewall (or other defensive software) turned on, and take advantage of your email provider’s anti-phishing features.
Social engineering attacks can be incredibly convincing and difficult to defend against. The message above tried to convince my friend she was being blackmailed as a result of being hacked — would you fall for a similar message?