Being on the receiving end of malicious emails is never fun. A new wave of extortion emails takes it to a new level, though.
We’ve seen multiple emails recently claiming to have compromising video of the receiver and demanding payment. What makes these emails especially scary is that they include the recipient’s real username and password.
Here are a couple of examples we’ve seen (warning: these get a little explicit and extremely creepy):
These are different emails to different people from different senders. But both follow a similar pattern:
In both cases, the sender put the real username and password in the subject line and in the first line of the email (we blocked these out for privacy reasons). That’s going to be alarming enough to get most people to open the email and keep reading, which is exactly the point of doing it.
Both senders claim to have access to the recipient’s computer, along with their browsing history and potentially embarrassing video. They threaten to send the video if the recipient doesn’t pay them several thousand dollars in untraceable cryptocurrency.
How they get your information
What makes these emails so scary is the inclusion of real usernames and passwords. Even if it’s literally impossible for the sender to have the videos they claim to have, the real details still make it scary.
Here’s the thing: you don’t need access to someone’s computer to get their username, password, and email if that information has been part of a massive data breach. Most people have had credentials for at least one account stolen in a data breach, like the Yahoo or LinkedIn breaches a few years ago. This information is available on the dark web (if you’re a PTG customer and want us to run a dark web scan for you, talk to your account manager).
That’s where they’re getting the information and that’s who they’re targeting. The cybercriminals don’t actually have video of you. It’s very, very unlikely they have access to your computer. They are specifically going after people whose information they’ve found in one of these massive data dumps—because that’s who they can scare.
What to Do
Unfortunately, filters are unlikely to stop these emails. While they’re frightening, they don’t contain anything malicious in the filter’s eyes, like a link to ransomware.
If you get one of these emails, do NOT pay the fee. If the password in the email is a password you still use for any account, change it ASAP. If the password you use is anything similar (like Password2 instead of Password1), go ahead and change that, too. That’s a common pattern and makes your password pretty easy to guess (more on that here).
If you’re worried about the sender potentially having access to your account, you can get your IT team to check for any suspicious activity. After that, your best bet is to delete the email and move on. These emails are intended to scare you into paying. There isn’t actually much substance behind the threat.
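The password advice above (don’t just bump Password1 to Password2) can be turned into a check at reset time. This is an added example, not code from the post or from PTG: a small Python function that flags a proposed replacement as a trivial variant of the leaked password. The variant rules and the two-edit threshold are my assumptions.

```python
import re


def stem(pw: str) -> str:
    """Lowercase the password and strip the trailing run of digits/symbols.

    This is the part people bump on every reset (Password1 -> Password2 -> Password3!),
    so Password1 and Password2 share the stem "password".
    """
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute); catches P@ssword1 vs Password1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(leaked: str, candidate: str, max_edits: int = 2) -> bool:
    """True if `candidate` is the leaked password or an easily guessed variant of it.

    leaked:    the password quoted in the extortion email (known to be in a breach dump)
    candidate: the replacement the user wants to set
    Rules (assumed): identical; same stem after stripping the trailing suffix; the
    leaked stem embedded in the new password; or within `max_edits` character edits.
    """
    if candidate == leaked:
        return True
    s_leak, s_cand = stem(leaked), stem(candidate)
    # Guard against an empty stem (e.g. leaked "123456"), which would match everything.
    if s_leak and (s_leak == s_cand or s_leak in candidate.lower()):
        return True
    return levenshtein(leaked.lower(), candidate.lower()) <= max_edits


if __name__ == "__main__":
    # Constructed sample: the credential an extortion email quoted, and two resets.
    leaked = "Password1"
    for proposed in ("Password2", "correct horse battery staple"):
        verdict = "REJECT (too similar)" if is_trivial_variant(leaked, proposed) else "OK"
        print(f"{proposed!r}: {verdict}")
```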