A scam mail has been posted and discussed for days/weeks? on forums, but it needs more appreciation around the web and on Facebook. No TL;DR here.
With the popularity of Zoom and similar services (with their many security flaws*, and I don’t mean to single out just one service% – but this one has caught on like the virus we are all avoiding; they claim to have “patched” some things AFTER a lot of negative publicity, but take that with a grain of salt) forcing us to use them for work or private digital-social purposes, security has taken a back seat. (Companies and individuals that jump on the newest, shiniest platform without doing their due diligence must either be reprimanded or politely advised to be more cautious and embrace open source, secure technologies that use end-to-end encryption plus two-factor authentication!) Honestly, security never had first priority in most people’s lives, through no fault of their own: digital literacy and privacy issues are not given the same priority, even amongst global colleagues working to secure basic human rights. Let us remember that rights in the digital sphere are just as important, especially now that data has become a commodity and our lives are intrinsically interlinked with the web whether we opt for it or not; even those not online have shadow/phantom online profiles built of them by data-hungry companies. But this is not the purpose of this post, otherwise it would be longer than it already is, so please read on!
Plenty of “hackers” (term used loosely and for colloquial purposes) or scammers are now confined, with even less (more?) to do than before. Or, in their eyes, all the resources of the digital world are easily accessible at their fingertips without them having to do much, because most of the world is on lockdown and confined to their computers and mobiles. This is a ripe time to put their acquired knowledge of tech to selfish use, and that knowledge is being put to the lowest form of abuse humanly possible: hacking and ransoming money from common folk, small companies, etc., who are already in dire straits financially, mentally, physically and emotionally from the upheaval in our lives.
Many folk will receive emails like this [see attached photo], or something similar. First of all, don’t worry and do NOT be embarrassed. Blackmail with just the tiniest hint of an implication towards sex and sexuality has been happening since time immemorial. It’s a tactic to scare you. You may never have visited an adult website, but just the threat of this, coupled with the gravity of seeing your password in plain text in your email subject header, is enough to give anyone a shock. It is targeted towards those less technically inclined: the elderly, the common folk who have no time for keeping up with advances in security tech, and run-of-the-mill people who just want to access their online life and haven’t put much thought into security or passwords. They are the ones who will fall prey and give money to scammers for no reason, even though they are not in any real danger. Think of the age-old “Exotic Prince” email scam, but more personal, as your password is shown in plain sight.
Our advice is:
1) Do NOT panic. Do NOT give any money. Put your card away and maybe use it instead to buy groceries for those less financially solvent, or donate to your favourite organization/food-bank.
2) Change your passwords immediately (you should have done this yesterday, as a matter of practice), but fret not.
Use a password manager**.
You can use Bitwarden, KeePass, TeamPass, or a plethora of other services – JUST MAKE SURE THEY ARE OPEN SOURCE, not proprietary (which means owned by a company that will not disclose its source code, so you do not know what it does with your information: whether it gives it to other companies, for ad revenue or to do with as they please, OR gives access to state and non-state actors – very important globally for companies with business plans/emails, activists, lawyers, corporations, schools, etc.).
The beautiful thing about password managers is that they generate random passwords that look like gibberish to most (e.g., “A*&^fi3#lejk” – you can choose how long you want the password to be; the longer the better) or they generate passphrases (e.g., Pu1k3et-I5-Anincompoop – once again you can choose how long the phrase will be). You yourself will not remember any of these passwords, which is the point.
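To show what “random” means here, below is an added example (not code from this post or from any of the password managers named) of the two generator styles described above: a gibberish password drawn from a character set and a hyphen-separated passphrase drawn from a word list. Both use Python’s `secrets` module, which is the correct source for security-sensitive randomness (the `random` module is not). The 32-word list is a constructed toy; real passphrase generators use lists of thousands of words. The `entropy_bits` helper is an assumption of this example, added so the two styles can be compared on equal footing.

```python
import math
import secrets
import string

# Constructed toy word list (32 entries, so each word contributes exactly
# 5 bits). Real generators use lists of several thousand words.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "canyon", "dusk", "fossil", "granite",
]

# Character set for gibberish-style passwords: letters, digits and symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length=16, alphabet=PASSWORD_ALPHABET):
    """Return `length` characters chosen uniformly and independently from `alphabet`."""
    if length < 8:
        raise ValueError("refusing to generate a password shorter than 8 characters")
    # secrets.choice uses the OS CSPRNG; random.choice would be predictable.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=4, wordlist=WORDS, separator="-"):
    """Return `words` words chosen uniformly from `wordlist`, joined by `separator`."""
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Entropy (in bits) of `picks` independent uniform draws from `choices` options.

    This is the quantity that matters: a guesser needs on the order of
    2**bits attempts, regardless of whether the result "looks" random.
    """
    return picks * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password(16)
    pp = generate_passphrase(4)
    print(f"password  : {pw}  ({entropy_bits(len(PASSWORD_ALPHABET), 16):.1f} bits)")
    print(f"passphrase: {pp}  ({entropy_bits(len(WORDS), 4):.1f} bits with this toy list)")
    # With a real 7776-word list, 4 words give about 51.7 bits, 6 words about 77.5.
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

The comparison printed at the end is the point of the exercise: a 16-character password from this alphabet carries roughly 100 bits, while a four-word phrase from the toy list carries only 20, and 4 words from a full diceware-sized list about 52. Length and the size of the pool are what make a secret hard to guess; sprinkling in a digit or a capital letter, as in the `Pu1k3et-I5-Anincompoop` style, adds only a few bits.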
You should generate a new password for every single digital account you have. You will ONLY have to remember ONE password. That ONE password you will HAVE to remember will be your single point of access to your password manager, so make sure to remember it safely. This is what you will use to access your databank of passwords, which is safely encrypted inside your service of choice. This database is SECURE. The services I recommend (the company/people running them) cannot see your passwords, so no potential thief or hacker will be able to see them UNLESS they know your ONE password – and honestly, if they knew that, with or without a password manager you would be in for an unfortunate time either way.
Commit that ONE password to memory, and write it down on a post-it and stick it behind your shovel in the garage, in that loose bathroom tile you always said you would fix, in your dog’s collar, or tattoo it in a most discreet place (the latter not really recommended; you should ideally update that one password periodically too, if only to keep your brain’s memory cells active and alive) – that choice is up to you. Just put it somewhere no one can access it. But ideally you should commit this and ONLY this one password to your memory – you can even use the password generator feature in the service of your choice to create a NEW password or passphrase! (And remembering one password is easier than remembering all the passwords for all your different accounts, OR WORSE, reusing the same one for all your accounts.)
I say generate a new random password because a lot of “hacking/phishing/scamming” is done through social engineering – using context clues about your person to guess your password or your security question. This means all the grandparents using their children’s or grandchildren’s names, people using their boyfriend’s/girlfriend’s names, anniversaries, etc., and all of you who fill out those social media questionnaires are basically giving out clues to potential hackers. They don’t even have to know you or speak your language to be able to guess your security answers and passwords from just your digital presence and a little bit of social engineering (think of people calling you up, pretending to be the bank and asking for your account details, except you’ve already posted your favourite information about yourself online!). So if you generate a random new password and commit that to memory, no one will be able to guess it from your family names, your favourite old password, or the street you grew up on.
3) Check your email address at https://haveibeenpwned.com to see if your personal data has been compromised.
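The same site also lets you check a password itself, and it does so without ever receiving the password: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the Pwned Passwords range endpoint, and matches the remaining 35 characters locally against the returned list. The example below, added here and not part of the post or of Have I Been Pwned’s own code, implements that client side. The response in `SAMPLE_RESPONSES` is constructed for offline use (the suffix for the word `password` is its genuine SHA-1 tail, but the counts and the other two lines are made up); `live_lookup` shows the real request and is only used if you call it yourself.

```python
import hashlib
import urllib.request

# Constructed stand-in for the Pwned Passwords range API. The real endpoint is
# https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1> and returns
# one "SUFFIX:COUNT" line per leaked hash that shares the prefix. The middle
# suffix below is the real SHA-1 tail of "password"; the other two lines and
# every count are invented for this example.
SAMPLE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "0" * 34 + "1:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "F" * 35 + ":17",
    ]),
}


def sha1_upper_hex(password):
    """Upper-case hex SHA-1 of the UTF-8 password (the API's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix): only the 5-char prefix ever leaves the machine."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, tolerating CRLF and blanks."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, lookup):
    """How many times the password appears in the breach corpus (0 = not found).

    `lookup` maps a 5-char prefix to the API's text response, so the same code
    works against the constructed sample and against the live service.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)


def offline_lookup(prefix):
    """Offline lookup against the constructed sample (empty for unknown prefixes)."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_lookup(prefix):
    """Real network call; not invoked by default so the example runs offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "granite-yarrow-kettle-dusk-7"):
        n = breach_count(candidate, offline_lookup)
        verdict = f"seen {n} times in the (sample) corpus" if n else "not in the (sample) corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_lookup` for `live_lookup` to query the real service; the privacy property holds either way, because the function that touches the network only ever sees the five-character prefix, and a prefix is shared by hundreds of unrelated hashes.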
4) Report them to your local Cyber Crimes division (use DuckDuckGo as a Google alternative to search for your local state/district/country), OR to the FBI’s Internet Crime Complaint Center (IC3) at https://www.fbi.gov/investigate/cyber. If you did give any money, CONTACT YOUR BANK asap.
Also report to https://www.bitcoinabuse.com
5) Share this
6) ???
7) PROFIT!!!! (no profit for scammers, your profit is your digital security)
* https://protonmail.com/blog/zoom-privacy-issues/
% https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account
** https://www.makeuseof.com/tag/best-open-source-password-manager/