Personalized Email Scams With Stolen Passwords

Email and phone scams are as old as time. There's the classic "Nigerian Prince Scam" that we're sure we've all gotten at some point. And believe it or not, that scam still exists and must still work sometimes. If it didn't work, the bad guys wouldn't try it anymore.

Then there’s the “sextortion”/blackmail email scam that goes a little something like this (and we’re paraphrasing):

"I'm a hacker, I broke into your computer and caught you browsing pornography (or stole nude photos of you). Pay me X amount of dollars in Bitcoin (or some other untraceable means of payment) within X amount of time or I'm going to reveal your dirty little secret to everyone you know…"

Obviously, the bad guys are using fear tactics here, and those tactics have paid off for them at some point; again, otherwise they wouldn't keep trying.

However, in the past year we've seen a sharp increase in more personalized email scams (not exclusive to the sextortion/blackmail scam) in which the bad guys reference a password you currently use, or one you've used in the past.

Another paraphrased example would be:

“I’m a hacker. I broke into your computer, caught you doing something bad, and you know that I’m for real because your password is XYZ1234. Pay me money and I’ll go away…”

“XYZ1234” being a password you’ve used in the past, or even a password you use currently. Hopefully that’s not literally one of your passwords, but we digress.

So how do they know a password you use now or have used before? Simple: there's a long list of breached websites and online services whose databases, containing personal information such as email addresses, usernames, and passwords, have been stolen.

These databases then get sold on the "Dark Web" or even shared freely. The bad guys also take these disparate hacked databases, combine them into one mega database of stolen credentials (often called a "combo list" of email:password pairs), and again sell it or distribute it freely on the Dark Web.

The bad guys behind these personalized email scams then draw email address and password combinations from these stolen databases for their own nefarious purposes, such as a personalized extortion/blackmail email in which they quote your past or current password to be that much more convincing. Note what this means: the "hacker" has only a leaked password, not access to your computer or your webcam.

Haveibeenpwned.com is a safe way to check whether your email address or a password you use has shown up in a breach; at the time of writing this article it pulls from about 341 different breaches. Its Pwned Passwords check never sends your full password to the site: your browser hashes the password with SHA-1 and sends only the first five characters of the hash (a technique called k-anonymity), so the service cannot tell which password you looked up. If a password shows up, change it everywhere you've used it and turn on two-factor authentication where you can, and if one of these emails lands in your inbox, don't pay.
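The k-anonymity check above is simple enough to script. The following is an added example, not code from the original article or from Have I Been Pwned: it hashes a password with SHA-1, builds the range query URL from the first five hex characters (the real `https://api.pwnedpasswords.com/range/` endpoint), and looks the remaining 35 characters up in the response. The `SAMPLE_RESPONSE` body is constructed here so the example runs offline; the filler suffixes and counts in it are made up, and `fetch_range` is only needed if you want to query the live service.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint; only a 5-char hash prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest.

    Only the prefix ever leaves the machine; the suffix is compared locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL queried for this password's prefix (never contains the full hash)."""
    prefix, _ = split_sha1(password)
    return RANGE_API + prefix


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    _, suffix = split_sha1(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Query the live service for one prefix. HIBP requires a User-Agent header."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for the prefix of the article's example password.
# The count of 3303 and the two filler suffixes are made-up test data, not real
# HIBP results; the matching suffix is computed so the example runs offline.
_EXAMPLE_PASSWORD = "XYZ1234"
_EXAMPLE_SUFFIX = split_sha1(_EXAMPLE_PASSWORD)[1]
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    f"{_EXAMPLE_SUFFIX}:3303\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:42\n"
)


if __name__ == "__main__":
    print("query:", range_url(_EXAMPLE_PASSWORD))
    n = breach_count(_EXAMPLE_PASSWORD, SAMPLE_RESPONSE)
    print(f"{_EXAMPLE_PASSWORD!r} seen {n} times in the (constructed) sample response")
```

To check a real password, pass `fetch_range(split_sha1(pw)[0])` as the `body` argument to `breach_count`; the service never sees more than the 5-character prefix, which maps to hundreds of candidate hashes.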