I know An4th3m4

I got an email a week ago with "I know An4th3m4" in the subject. It was an extortion email asking me to pay up or otherwise have a compromising video of me shared with my friends and family. An4th3m4 is a password I use and so I knew something was wrong. You might have gotten something like it too and if you did, this is what I think happened.

Here is the email body:
I know that, An4th3m4 is one of your personal password and now Let me get straight to the point. You do not know anything about me however I know you very well and you must be wondering why are you getting this e mail, right? 
I placed malware on adult videos (adult porn) and you know what, you visited this adult website to experience fun (you get my drift). When you were watching videos, your internet browser initiated working as a RDP (Remote Desktop Protocol) having a backdoor which gave me accessibility to your display screen and also your webcam controls. Right after that, my software gathered all of your contacts from your messenger, social networks, and e-mail. 
What I want? It's just your misfortune that I stumbled across your misadventures. After that I put in more days than I probably should have investigating into your data and generated a double display video. 1st half displays the recording you had been viewing and second half displays the video of your webcam (it is someone doing nasty things). Honestly, I am ready to delete details about you and let you move on with your daily life. And my goal is to offer you two options that may accomplish your freedom. These two choices are either to ignore this letter (not recommended), or pay me $ 1300 to finish this mattter forever. 
What can you do? Let’s investigate above 2 options in more details. Option 1 is to turn a deaf ear this e mail. Let me tell you what will happen if you opt this option. I will, no doubt send your videotape to all of your contacts including members of your family, coworkers, and so on. It won't help you avoid the humiliation you and your family will ought to feel when relatives and buddies learn your sordid video. Option 2 is to make the payment of $ 1300. We will call it my “confidentiality fee”. Lets discuss what happens if you pick this choice. Your secret remains your secret. I will keep my mouth shut. After you make the payment, You can freely keep your daily life and family that none of this ever occurred. You'll make the payment by Bitcoin (if you do not know how all you need to do is search "how to buy bitcoins" on search engine) 
My BTC Address: 1HJZsSit1r7G4fDbWFEwbU2RUyaSKdDaL6 (It is case sensitive, copy and paste it carefully) 
Important: You have one day in order to make the payment. (I've a unique pixel in this email message, and now I know that you've read this e-mail). DO NOT TELL anybody what will you be utilizing the Bitcoins for or they possibly will not give it to you. The process to acquire bitcoin usually takes a day or two so do not wait. If I don't receive the Bitcoin, I will definately send out your videotape to all of your contacts including family members, colleagues, and so forth. however, if I do get paid, I'll destroy the videotape immediately. If you want to have proof, reply with "yes!" and I will certainly send out your video recording to your 15 friends. It is a non negotiable offer, so kindly do not waste my time & yours by responding to this email.
I do watch porn but the chances of something like this happening weren't that high. The line about web browsers opening up an RDP backdoor sounded far-fetched. But I am pretty sure access to webcams can be obtained, maybe even by just making a user click on a bad link. This probably is possible on tablets or phones too. But I guessed that it was just one of the websites that I had an account on that got hacked.

I could guess that because I use a different password for almost all my web accounts. If you do that, and one of your passwords gets compromised, you only need to worry about one thing. If you use the same password across all your accounts, a compromise of one account will result in all your other accounts also being compromised. I don't re-use passwords much because I use a password manager called LastPass, and I would definitely recommend you get one too.

So I opened up LastPass and searched for all the websites that I have on it that had An4th3m4 as password. There were two websites (canadavisa.com and jenkins.io) and I guessed that one of them had been hacked. From the website hack, the hacker would have got my email address and my password. S(he) would have immediately tried to get into my email account and if s(he) had been successful, that would have been a lot of trouble for me.

Your email account is probably the most important account, because it can be used to know what other websites you have registered with, and then also be used to reset the passwords on those websites. This is where 2-factor authentication helps. Even if a password reset request for a website account can be triggered and then handled by using the email account, the password reset using a link in the email will then require another thing (like a code which is sent by means other than the email account, like say SMS).

But thankfully, I had only used that password on the two low risk websites. jenkins.io had changed their login system - so my account was not active - maybe it was the one that was compromised. And I changed my password on canadavisa.com even though I haven't used it in years. Those were really old accounts which I had before I started using LastPass - my passwords these days look something like 5Rno5BUSxQ8GT6ii. I just generated that using LastPass. I don't type passwords in anymore. LastPass stores them for me and feeds them in for me when I get to login pages, whether in a browser on my PC or laptop or phone or tablet. It does so even in apps on my phone or tablet, but that is a paid feature - it's just $24 for a year and worth it.
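The search described earlier in this section (which stored accounts use the password quoted in the email, and whether the email account is one of them) can also be run over an exported vault. This is an added example, not part of the original post: the CSV column names, the example.* hosts and the reused "hunter2hunter2" password are assumptions, and the sample export is constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export. The column names (url, username, password, name)
# and the example.* hosts are assumptions, not a real vault.
SAMPLE_EXPORT = """url,username,password,name
https://canadavisa.com/,me@example.com,An4th3m4,canadavisa
https://jenkins.io/,me@example.com,An4th3m4,jenkins
https://mail.example.com/,me@example.com,5Rno5BUSxQ8GT6ii,email
https://shop.example.org/,me@example.com,hunter2hunter2,shop
https://forum.example.net/,me,hunter2hunter2,forum
"""

def _digest(password):
    # In-memory grouping key only, so plaintext is never returned or printed.
    # Unsalted SHA-256 is not a way to store passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_entries(csv_text):
    """Return (host, password digest) for every row of the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(urlsplit(r["url"]).hostname or r["url"], _digest(r["password"]))
            for r in rows]

def reuse_groups(entries):
    """Sets of hosts that share one password, whichever password it is."""
    by_digest = defaultdict(set)
    for host, digest in entries:
        by_digest[digest].add(host)
    return sorted(sorted(hosts) for hosts in by_digest.values() if len(hosts) > 1)

def triage(csv_text, leaked_password, critical_hosts):
    """Split the vault into what the quoted password exposes and what it does not."""
    entries = load_entries(csv_text)
    target = _digest(leaked_password)
    exposed = sorted({host for host, digest in entries if digest == target})
    return {
        "change_now": exposed,
        "critical_exposed": sorted(set(exposed) & set(critical_hosts)),
        "other_reuse": [g for g in reuse_groups(entries) if not set(g) <= set(exposed)],
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EXPORT, "An4th3m4", {"mail.example.com"}).items():
        print(key, value)
```

An empty `critical_exposed` list matches the situation in the post: the quoted password never protected the email account. Delete the export file once the check is done, since it holds every password in plaintext.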

There are other password managers out there too, but you have to be careful when you pick one. The risk with using a password manager is that with it, all your passwords are stored in one place, and so suppose the password manager gets compromised, then all accounts you have stored credentials for using it are compromised. LastPass has had some problems but they are big enough that they seem to have good security. 2-factor authentication works here too though. For example I have enabled 2-factor authentication for my Google account. So Google will ask anybody who tries to log into my account on a machine other than my PC, phone, or tablet to enter a code sent via SMS to my phone number. So even if my LastPass account was compromised, a hacker would need to also get access to one of my computers, or my phone, to login to my Google account. So if you haven't enabled 2-factor authentication for your email account and other accounts that support it, definitely do so.

That is probably the farthest the hacker got and thus could only attempt to scare me into paying up. Since I don't re-use passwords (well, much), I am fairly certain this was just a scare. But if you do see a video of me getting happy watching porn, do let me know.

Comments

Scary stuff! Glad you did not panic.