The "Your Password" Email extortion scam
If you have received an email with the subject line "Your password" followed by a password that you used in the past or are still using, you may wonder whether the allegations made in the email are true and whether you should pay the sender money.
The email claims that the sender set up malware on adult video sites that you visited to gain access to your computer, screen and webcam. The webcam was supposedly used to record a video of your activities while you were on the adult video site, and other software was used to obtain lists of contacts from Facebook, email and other places.
The sender asks for a sum in Bitcoin and wants it sent to an address within one day. Failure to comply with the demand will supposedly lead to the publication of the video and to all of your contacts being informed about it.
The fact is that the password is correct, and that may come as a shock depending on whether you still use it or not. From what I could gather, the revealed passwords are quite old and may no longer be in use. The rest of the email is very generic and contains no personal information.
If you received such an email, think logically about it. If you don't visit adult sites or don't have a webcam, it is obviously fake.
The most likely scenario is that the sender used password leak databases for the scam. Weak password hashes from such leaks are easy enough to crack with today's hardware, and that is probably what happened here as well.
What you should do
If you received such an email, ignore it and don't send any money to the sender. Make sure that you no longer use the revealed password anywhere.
It is probably a good idea to start using a password manager, KeePass if you want to keep things on the local device, or an online password manager like Dashlane, LastPass, or 1Password.
Make sure you change any account password that uses the revealed password. If you use a password manager you may use the built-in functionality to create unique strong passwords for your accounts.
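One way to check whether a revealed password shows up in a leak database without sending the password anywhere, as an added example that is not part of the original article: hash it with SHA-1, send only the first five hex characters to a range lookup (the k-anonymity model used by the Pwned Passwords service), and compare the remaining suffix locally. The range response embedded below is constructed for the example, and its breach counts are invented.

```python
from __future__ import annotations
import hashlib
from typing import Callable

# Constructed excerpt of a Pwned Passwords "range" response for prefix 5BAA6.
# A real response lists every SHA-1 suffix seen with that prefix plus a count;
# the two non-matching suffixes and all counts below are invented filler.
SAMPLE_RANGE = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1 suffix of "password"
    "2A3D7C2B4E5F60718293A4B5C6D7E8F9012:1",
])


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table, ignoring blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the leak data (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_range(prefix: str) -> str:
    # Stand-in for the web request: only the 5BAA6 bucket is populated here.
    return SAMPLE_RANGE if prefix == "5BAA6" else ""


def online_range(prefix: str) -> str:
    # Live lookup against the real k-anonymity endpoint (needs network access).
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("password:", breach_count("password", offline_range))  # 3861493
```

Swap `offline_range` for `online_range` to query the real service; only the five-character prefix is transmitted either way.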
Another thing you may want to consider is putting tape over your webcam if you never use it, or a sliding webcam cover if you do.
What you should not do
You should not pay or reply to the email.
Here is the actual email:
It seems that, [password], is your password. You may not know me and you are probably wondering why you are getting this e mail, right?
actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
What did I do?
I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, in my opinion, $1000 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
(It is cAsE sensitive, so copy and paste it)
You have one day in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.
Someone who is techno-illiterate enough to fall for this joke (browser turns into RDP, magic pixel in the mail) can in no way obtain bitcoins and send them within a day. No way.
I assume you have the original address of the scammer/jokester?
Can you check if he has received any payments yet?
(Or maybe he has created multiple wallets and doesn’t send the same one to every victim)
“pixel in the mail” is not magic but very common practice to know when you read the email, by loading remote content. It’s used by lots of businesses to track people.
That’s why you should never enable the display of remote content in emails.
As for browser exploits that allow one to gain wider access to a computer, I don’t see either why you consider them impossible. Look at the list of browser security holes that need to be closed at every update, that’s scary, and that’s only the ones that are known.
I agree the email isn’t very credible, but not for the reasons you gave.
>if you do not know this, search “how to buy bitcoin” in Google
They are so lazy, they don’t even give you the instructions on how to buy bitcoin. Hahahah At least put some effort in your bait and provide clear instructions.
“you visited this site to have fun (you know what I mean)”
“Well, in my opinion, $1000 is a fair price for our little secret.”
Sounds like a cheap little rascal’s wording. IMO the clown is a kid.
Anyway, of course, NEVER pay.
“NEVER pay” is a point valid for any kind of scam or ransomware. In the case of ransomware you have no guarantee you’ll be given the decryption key, and you will just encourage this bad practice even further. In the unfortunate case this happens and you have no backups this should be taken as a life lesson so it won’t happen again. And it’s better to end up with your data lost and your money in your pocket than no data and no money.
I would add Roboform to the list of password management tools too, it is excellent.
While this is indeed an amateurish extortion scheme, the problem doesn’t lie with the criminal(s).
I get loads of these, listing a password for an old internet shop account. Since I no longer use it, I just mailed the shop warning them they were hacked. They claim they know of no intrusion and therefore will not take action.
The real problem with our data online lies with idiots like that – they have our address data, passwords, shopping data, possibly even financial/credit card data, and they are completely incompetent to be trusted with those. And if they get caught, there’s no legal repercussions to speak of. Just put some prison time on losing people’s data, let’s see if they will still be as cavalier with our data.
Of course your passwords are all different, no duplicates I imagine because otherwise how to know what shop got hacked, not to mention a very seldom scenario where a password is sent/confirmed via email (the ultimate of idiocy though I’ve experienced — excessively few — businesses practicing this aberration).
As for the irresponsibility of certain online shops and businesses, this is so true and I’ve even been told of worse: zataz.com checks companies’ security and if they find a problem they notify the company’s Web admin… and it happened that a company warned by zataz complained and even brought zataz to court for intrusion in its servers! So, yes, dishonesty as honesty is everywhere.
It depends on which country you live in which determines what action you can take in case like this. In Europe we now have the GDPR which allows you to send a business a request to determine what data they hold on you for example and to have it erased. If they refuse to cooperate, or if they simply ignore you, you can file a complaint with your country’s data retention authority. The authority has the right to impose substantial fines of up to 20 million (euros, Pounds etc.) or 4% of worldwide turnover (whichever is greater).
If you live in the UK, you can use the example letters on this site: https://gdprletters.com/ (links on there take you to the https://ico.org.uk depending on which letter you choose).
In the Netherlands, the AVG (Authoriteit Persoonsgegevens) has a number of example letters written in Dutch which achieve the same thing: https://autoriteitpersoonsgegevens.nl/nl/zelf-doen/voorbeeldbrieven
I got the email too, I checked and it turned out to be my MySpace password. MySpace got hacked in 2016 but I haven’t been there for much longer, so I don’t care. (S)he asked for 7000 Euro – worth more than my apartment, haha. I was bored and replied that I don’t have a webcam, use Linux, and block 3rd party stuff with uMatrix, and asked if they can send me a few hundred euros as I need a new guitar… Didn’t get a reply. Very rude. :-(
Things ain’t what they used to be, crooks were civilized then, crooks but sympathetic, never rude.
Side-note: I remember my mother getting her handbag stolen in a department store in NY, that was in the early sixties. Well, they kept the money but sent back the handbag with IDs, papers etc. … and I can still remember my mom’s face, she was bothered because of the money yet a smile of joy, because of the papers but also, as she told me, she was so happy of such an attitude; “They didn’t have to do it so you see Michel no one is entirely bad”.
@Tom: As a 40+ year old, I can confirm (hopefully it’s not just selective memory) that “back in the day” crooks indeed had some class. Even the language they used was nicer than how some people, considered to be role models, speak today.
@John: Good point, this was just once as I was bored and amused. Thanks!
I advise against replying to these (or any spam) emails. All it does is confirm to the sender that the email address they use is a live one, and so that address can be sold to others at a higher price.
It was my Myspace.com password as well… well either that or namesecure.com, but that was for another email address long since disappeared.
Does anyone know where can I buy the webcam recording of Martin while he’s watching porn ?
More seriously, your proposed solution of storing passwords online to reduce the chance of password leaks sounds… paradoxical.
What sites has Martin been surfing? :)
Never trust anyone who cannot spell. :-)
“Having said that, if I receive the payment, I’ll destroy the video immidiately.”
I’ve received four of these (one for each identity I use on the internet), each specifying a password I stopped using about five years ago. About 80% of my friends have received one of these as well. There’s a different, less unique, form that’s used if they don’t have a password for you. The message is the same, but it offers no login id or password as “proof”.
The funny thing is that, aside from the use of an antique password, the claims of video evidence are stupid. Not only because I’m one of the 2% of the internet that doesn’t use porn sites, but because there is no camera attached to my computer.
I guess they just shoot blindly when they lack “evidence”. I received at one time a forged ‘Bank Of Scotland’ email (only foreign bank) as well as from forged French banks. Like ads, sometimes targeted otherwise at a stroke of luck.
I’ve got 3 different versions of this.
I think it’s hilarious even if it were true because:
1. I don’t own any webcam or mic. Never did and never will.
2. I don’t have any email contacts on the PC; if he’d miraculously get the 4 people from my FB account – they know I’m single and kinda expect that I beat it every day like it owes me money.
Most likely I’d tell him to enjoy himself while watching me or ask for a copy of the recording like an Indonesian ex-president did to the CIA at a blackmail attempt.
Well, if you’re single, get a webcam and let the hackers do the rest. When they spread the “recording” around, you might get some interesting proposals from potential partners who see it. And let me know if it worked. ;-)
OK I’m in the middle of a heat wave and I’ll shut up now.
If this scammer ever contacted *me*, I’d tell him the same thing I told those cannibals I ran into in the remote highlands of Papua New Guinea: “Why, *thank* you! I’d like to think I *do* have a good taste!”
Apart from that, I’d be disappointed to learn that it actually *was* a scam. It would be fun to watch a split-screen video with a shot of a tiny kitten climbing into a shoe and falling asleep on one side, a shot of the inside of a binder clip on the other side, and an audio track of me going, “Awwwww!”
Sadly, I will never get the chance because Gmail, for all its user-tracking and data-mining, has *superb* spam, scam, and phishing filters. I never see stuff like this in the first place.
On a more serious note, Purism is on the right track in offering laptops with “hardware kill switches” for webcams and microphones (and Bluetooth and WiFi). Non-physical controls *can* be remotely hacked.
There used to be a sucker born every minute. Now, it’s more like every second…
Most posters don’t seem to understand the business model at work here. Ask your favourite politician…
If I send 1K e-mails a day and manage to elicit just one positive response, my day is made!
I am not aware of this ever having happened to me
most emails I receive of this kind always end up in the spam folder, I have never been addressed through more personal details aside from my name and email address
Yeah, I got one of these. I’m 74 and haven’t visited a porn site in a long while, I’m sorry to say, but even if they have what they say they have I frankly don’t give a damn if they send it to my contacts.
@Don Gateley: “even if they have what they say they have I frankly don’t give a damn if they send it to my contacts.”
This was my thought as well. Such a video would hardly be so damaging that I’d be willing to pay money to keep it from being distributed. If anyone gave me crap about it, all I’d have to say is “what, like _you_ don’t masturbate?”
Firefox users can click on the small circled “i” in the address bar to set permissions for websites (I think Martin had an article on that). It makes it easy to shut down webcams and microphones for individual websites through the browser. I’m still using FFv.54 so Mozilla may have changed that feature.
I also use dark stickers on my Mac’s cameras and shut down my computers’ microphones by restricting sound input to “line in” (I have older Macs, I don’t think newer Macs allow microphones to be controlled that way, just volumed down).
Porn sites? No. I just don’t want people to see and hear me blubbering in the mornings before I’ve had my coffee.
People should be more worried about Mark Suckerberg trying to get their bank account numbers in their back.
The sad part is, there will be people falling for it. Not because it’s true but because 70% of the people who use the Internet are ignorant and believe what people say and do. Just like those scam sites that are on Facebook that redirect you to a page that says “Your computer is infected with a virus, do not shut it down or you will lose all data. Please call this number to have it removed.” They do call that number and get extorted out of $250-$900. I’ve seen it happen (because they give their computer to work AFTER they paid them for that).
I’ve seen it on Mac and Windows computers and all it takes is just 1 or 2 people to make their efforts worth it.
This is just the start of a Black Mirror episode… ‘Shut Up and Dance’.
You can’t film me because I got tape on my cam when not in use (always…) and everybody that’s concerned already knows which porn I watch because I am not ashamed of anything. Try again, good night.