It's always nice to be one of the cool kids. On July 13th, I read Naked Security's post on a new sextortion email scam in which the email sender references a real password of the recipient to make the threat more believable.
A couple of days later, I received such an email. It was (appropriately) in my spam filter, but it caught my attention immediately because the subject line was simply a password that I used many years ago, and which I always assumed had been compromised somewhere along the way.
The email, which was smarmy in tone, said that the author had placed malware on my machine which recorded me watching adult pornography and harvested all of my contacts. It then required a $3200 payment in bitcoin to keep "our little secret." It gave me one day to make the payment or the author would send out the video to all my contacts.
While the use of a genuine (if old) password caught my attention, I really didn't have much to worry about since I am not in the habit of visiting pornography sites. Several people (and there are probably more than that) are known to have made the payment. I guess they had reason to worry about such a video – and not too many folks who paid are likely to come forward and say that they did so. Doh.
Getting an old password from online lists of compromised passwords isn't hard. And there are services on the Dark Web that will help you out too. One obvious lesson here is not to re-use passwords everywhere, but users seem deaf to that advice. And staying away from pornography sites is a good idea on many levels.
Glad to be leading such a boring life... but nice to get the email myself so I have a good story for my cybersecurity training presentations.