A particular type of scam email spam has become quite prevalent in later years, colloquially called a "sextortion" scam.
How it works is pretty simple: You receive an email that alleges to be from a hacker who has allegedly hacked your PC and installed a rootkit/backdoor that allows him total covert control of your PC. Invariably the email will claim that he has taken footage through your webcam of you "pleasuring yourself" to some pornographic videos or websites, and that he will post these videos to all your social media profiles and contacts unless you send an exorbitant sum of money (often in the thousands of dollars) to some bitcoin wallet.
Sometimes that's it. However, in many cases the email will actually start by having one of your passwords to some online website (or at least allegedly so).
I have so far received three different such emails containing a password, and quite curiously said password has never been one I have ever used anywhere. (I'll speculate later why that is.) However, in some cases it may well be the recipient's actual password to some website. How is this possible? I'll explain that below, but before that, let me analyze these emails in more detail.
As said, the email will start with the sender claiming to be a hacker that has hacked your computer, and will often (although not always) quote a password of the recipient. This may grab the attention of the recipient of the email, especially if the password is actually one that he uses somewhere.
However, other than this, these emails are always extremely vague and lacking in specific detail. While the email claims that the "hacker" has full access to your computer and can see everything in it, has a full list of contacts, has access to all your social media accounts, and has all passwords you have ever written... it never actually gives any proof that's actually the case. The email never mentions a single person's name (not yours or anybody else's), not a single website which you use, not a single account name, and no details about your computer (not even if you are using Windows or something else).
Moreover, while the email claims that the "hacker" has footage taken through your webcam (even if you don't even own a webcam, of course), no particular details of this will ever be given. Absolutely no proof of that having happened. No screenshot, no descriptions, and if the email claims that it was taken while you were watching a video or browsing a website, absolutely no details about it. It's always extremely vague and generic.
This is, of course, because it's an automatically generated spam email. The exact same email is sent to literally millions of people through an automated process, with the script that sends the email only changing that password in the email (if it has any), and nothing else. It's vague and generic on purpose, because it tries to convince as many people as possible. No details are given because the "hacker" has no details whatsoever to give.
But sometimes the password mentioned in the email is an actual password of the recipient, and this is how so many people are fooled into thinking that the email, and the threat it gives, is real. How is that possible?
There are lists of literally (and without exaggeration) hundreds of millions of emails and passwords circulating the dark web. Hackers (actual hackers, not these wannabe "hackers" that are sending these scam emails) are hacking websites all the time, exploiting security holes in order to get access to files stored in their servers. Many websites use extraordinarily lousy and insecure methods for storing people's account information, sometimes even storing passwords in plaintext, sometimes using some kind of lousy reversible "pseudo-encryption". Not a week passes by without yet another website announcing that their systems have been hacked and millions of passwords stolen.
(This is actually quite aggravating, given that we have known for at least 40 years, even longer, how to store passwords securely using one-way irreversible hashing, which only allows checking if a password matches, but doesn't allow reversing the original password from the hash. This technology is very simple, and has been known for half a century. Yet many websites still use completely insecure ways of storing passwords, oftentimes even in just plaintext, which is insane.)
So what's happening is that these scammers are simply taking these lists of hundreds of millions of email addresses, and sending the same spam email to all of them, just adding the password mentioned in the list to it. The scammer obviously has no access to that person's computer, and doesn't even know that computer's IP address or anything. The only thing the scammer has is an email address and some password, and that's it. Curiously these scam emails never even say which site the password is for.
Ironically, if you know all this, such an email, if it actually contains one of your actual real passwords, is actually beneficial: It's telling you to go and change that password, and quickly! The website you used that password in has been compromised and your email and password leaked.
Anyway, why have I so far received three such emails, with three different passwords, none of which I have ever used anywhere, ever? How does that happen?
What I think is happening is that I have a gmail address with a very common name. I was lucky enough to get a gmail address almost at the beginning, and the address with my name was still not taken, so I got it for myself. As I have written previously here, this often causes me to semi-regularly get emails sent to the wrong person (probably because the actual person may have, for example, told his email address via phone and the person on the other end mistyped it eg. by omitting a number or something.)
I sometimes get emails from some random website to confirm the creation of a new account, which I haven't done myself. It's probable that someone (who has a similar gmail name as me) mistyped the email address by accident, which is why the confirmation email was sent to me. It might also be that some people are trying to create fake accounts using other people's email addresses, hoping that the website doesn't send a confirmation email, or that the person with that address foolishly clicks on the confirmation link.
So what I think has happened here is that some people have created accounts on some websites (perhaps pornographic in nature) with my email address, either accidentally (due to a typo) or deliberately, and what these scam emails are showing is those passwords, which I did not create.
How it works is pretty simple: You receive an email that alleges to be from a hacker who has allegedly hacked your PC and installed a rootkit/backdoor that allows him total covert control of your PC. Invariably the email will claim that he has taken footage through your webcam of you "pleasuring yourself" to some pornographic videos or websites, and that he will post these videos to all your social media profiles and contacts unless you send an exorbitant sum of money (often in the thousands of dollars) to some bitcoin wallet.
Sometimes that's it. However, in many cases the email will actually start by having one of your passwords to some online website (or at least allegedly so).
I have so far received three different such emails containing a password, and quite curiously said password has never been one I have ever used anywhere. (I'll speculate later why that is.) However, in some cases it may well be the recipient's actual password to some website. How is this possible? I'll explain that below, but before that, let me analyze these emails in more detail.
As said, the email will start with the sender claiming to be a hacker that has hacked your computer, and will often (although not always) quote a password of the recipient. This may grab the attention of the recipient of the email, especially if the password is actually one that he uses somewhere.
However, other than this, these emails are always extremely vague and lacking in specific detail. While the email claims that the "hacker" has full access to your computer and can see everything in it, has a full list of contacts, has access to all your social media accounts, and has all passwords you have ever written... it never actually gives any proof that's actually the case. The email never mentions a single person's name (not yours or anybody else's), not a single website which you use, not a single account name, and no details about your computer (not even if you are using Windows or something else).
Moreover, while the email claims that the "hacker" has footage taken through your webcam (even if you don't even own a webcam, of course), no particular details of this will ever be given. Absolutely no proof of that having happened. No screenshot, no descriptions, and if the email claims that it was taken while you were watching a video or browsing a website, absolutely no details about it. It's always extremely vague and generic.
This is, of course, because it's an automatically generated spam email. The exact same email is sent to literally millions of people through an automated process, with the script that sends the email only changing that password in the email (if it has any), and nothing else. It's vague and generic on purpose, because it tries to convince as many people as possible. No details are given because the "hacker" has no details whatsoever to give.
But sometimes the password mentioned in the email is an actual password of the recipient, and this is how so many people are fooled into thinking that the email, and the threat it gives, is real. How is that possible?
There are lists of literally (and without exaggeration) hundreds of millions of emails and passwords circulating the dark web. Hackers (actual hackers, not these wannabe "hackers" that are sending these scam emails) are hacking websites all the time, exploiting security holes in order to get access to files stored in their servers. Many websites use extraordinarily lousy and insecure methods for storing people's account information, sometimes even storing passwords in plaintext, sometimes using some kind of lousy reversible "pseudo-encryption". Not a week passes by without yet another website announcing that their systems have been hacked and millions of passwords stolen.
(This is actually quite aggravating, given that we have known for at least 40 years, even longer, how to store passwords securely using one-way irreversible hashing, which only allows checking if a password matches, but doesn't allow reversing the original password from the hash. This technology is very simple, and has been known for half a century. Yet many websites still use completely insecure ways of storing passwords, oftentimes even in just plaintext, which is insane.)
So what's happening is that these scammers are simply taking these lists of hundreds of millions of email addresses, and sending the same spam email to all of them, just adding the password mentioned in the list to it. The scammer obviously has no access to that person's computer, and doesn't even know that computer's IP address or anything. The only thing the scammer has is an email address and some password, and that's it. Curiously these scam emails never even say which site the password is for.
Ironically, if you know all this, such an email, if it actually contains one of your actual real passwords, is actually beneficial: It's telling you to go and change that password, and quickly! The website you used that password in has been compromised and your email and password leaked.
Anyway, why have I so far received three such emails, with three different passwords, none of which I have ever used anywhere, ever? How does that happen?
What I think is happening is that I have a gmail address with a very common name. I was lucky enough to get a gmail address almost at the beginning, and the address with my name was still not taken, so I got it for myself. As I have written previously here, this often causes me to semi-regularly get emails sent to the wrong person (probably because the actual person may have, for example, told his email address via phone and the person on the other end mistyped it eg. by omitting a number or something.)
I sometimes get emails from some random website to confirm the creation of a new account, which I haven't done myself. It's probable that someone (who has a similar gmail name as me) mistyped the email address by accident, which is why the confirmation email was sent to me. It might also be that some people are trying to create fake accounts using other people's email addresses, hoping that the website doesn't send a confirmation email, or that the person with that address foolishly clicks on the confirmation link.
So what I think has happened here is that some people have created accounts on some websites (perhaps pornographic in nature) with my email address, either accidentally (due to a typo) or deliberately, and what these scam emails are showing is those passwords, which I did not create.
Comments
Post a Comment