Well, it’s been a hot summer and I can’t imagine how much hotter it can get…I hope you are all enjoying some level of cool comfort!
Blackmail Scams – Really?
On a Friday in July, I started getting emails and phone calls from clients: “Scott, someone wants me to send them $4,000.00 or they will send nasty pics of me to my contacts…”
All of the letters had the person’s first name and a password at the top of the email. Embedded into the letter was also a Bitcoin address for payment to the blackmailer.
I also got one. My first name and an old password. My stomach tightened up and I needed to stop sweating…
The blackmailer stated they wanted $7,000.00 to their Bitcoin address OR some videos of me would be made public and sent to my contacts on Facebook and other social media. Since I do NOT have a webcam or any other such material, I knew it was a scam. (I was going to suggest that he send it to some of my female contacts, maybe I’d get a date….mom would be thrilled!)
The blackmailer also stated that he got this information through a keylogger that was planted on my computer.
Even though I suspected it was a scam, I immediately WIPED out my drive three times and reloaded (and am still reloading) almost all of the software that I need for production of videos, photos and my comedy stuff and my daily business affairs.
With 24TB of drives, I have spent the week scanning one drive at a time to make sure they were clean…and they were. I doubt that the keylogger was placed, but for safety’s sake…you get the picture…well hopefully not, but you know what I am getting at!
What I realized is that the major data breaches over the years from Yahoo! (3 Billion users 2016), Target, eBay, Anthem, Home Depot, Sony’s Playstation Network, Equifax, and Ashley Madison (all in the millions since 2006) netted many email addresses and passwords for sale on the Dark Web.
The passwords that were stored on their servers were easily decoded in the data breaches due to an old encryption method. For the tech details: when a password is stored, it is made secret using a method that leaves it unreadable without that specific decoding method, while still letting the site check that it is the correct password when you log in.
What is scary is that some of these passwords might still be in use.
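To make the storage point concrete, here is an added example (not from the original newsletter) comparing a fast, unsalted digest with a salted, slow one. The newsletter does not name the "old method", so the unsalted SHA-1 here is an assumed stand-in, and the function names and iteration count are choices made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (value assumed for this example)

def legacy_digest(password: str) -> str:
    """Assumed stand-in for the 'old method': one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Salted, deliberately slow hash; returns 'iterations$salt$digest'."""
    salt = secrets.token_bytes(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        iters, salt_hex, dk_hex = stored.split("$")
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(dk, expected)

def same_record_for_same_password(store, password: str) -> bool:
    """True if two users picking the same password get identical stored values."""
    return store(password) == store(password)

if __name__ == "__main__":
    pw = "Fluffy2006"  # constructed sample password
    print("legacy records identical:", same_record_for_same_password(legacy_digest, pw))
    print("salted records identical:", same_record_for_same_password(hash_password, pw))
    record = hash_password(pw)
    print("correct password verifies:", verify_password(pw, record))
    print("wrong password verifies:  ", verify_password("fluffy2006", record))
```

With the unsalted digest, every user who picked the same password has the same stored value, so one leaked database exposes all of them at once; the salted records differ per user and each guess costs 600,000 hash rounds.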
I got locked out of one of my health accounts even though it was not the password that the blackmailer had emailed to me. Somehow it was hacked and the secret questions were changed. (Maybe I should go into Abacus consulting? Much safer…)
What these scammers and blackmailers do is run a program that plugs an email address and some known passwords into the site over and over to gain access to that site. Once a positive hit is made, the information is recorded and the accounts changed so that we are locked out, including security questions that would allow us to regain control of the account.
This also happened on one of my Instagram accounts and I was fast enough to get it back. Suddenly I see a request for a password reset to my main email account. I realized what was happening and immediately took action.
The biggest issues we face now are: 1) how to track and manage multitudes of passwords; 2) making sure that they remain safe; 3) making sure they can be recalled so normal life can continue; and 4) making sure that everyone has gone to their major accounts and changed their passwords to a more secure one. DO IT NOW!!
You can go to a site and enter your email, then click the “Forgot Password” link and hopefully it will email you a link to reset it. If you can, set up Two-Factor Authentication as well when you change it. This might be in account settings.
Don’t use kids, dogs, cats, or anything that is easily guessed.
Why?
When I was at Viacom, I would occasionally have to handle a call to someone’s office even though I was on the phone support desk. If the computer was locked, I would look around the office for family pics and many times I would be handed the password when they named the subjects in the photo. Oy!
There are also brute-force password crackers that first use English language words with letters and numbers to try and break into a site. A good hacker can write that code faster than I can type this email up…
Most sites have the coding built in to lock an account after only a few times of the wrong password being entered. Umm, that’s why I can’t get into one of my health accounts.
Sheesh.
Some still are vulnerable. The hacker can keep guessing the password using software and it might actually turn up a login!
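The lockout described above only counts wrong passwords per account, so it misses the earlier pattern where one program tries a single leaked password against many accounts. The sketch below is an added example, not from the original newsletter; the log lines are constructed, and the thresholds and field names are assumptions. It tracks both signals over sample login events.

```python
from collections import defaultdict

MAX_FAILURES = 3         # assumed lockout threshold ("only a few" wrong passwords)
MAX_ACCOUNTS_PER_IP = 3  # assumed: failures on this many accounts flags a source

# Constructed sample events: (time, source IP, account, password_correct)
EVENTS = [
    ("09:00:01", "203.0.113.7", "alice@example.com", False),
    ("09:00:02", "203.0.113.7", "bob@example.com", False),
    ("09:00:03", "203.0.113.7", "carol@example.com", False),
    ("09:00:04", "203.0.113.7", "dave@example.com", True),    # reused password still valid
    ("09:05:10", "198.51.100.20", "scott@example.com", False),
    ("09:05:11", "198.51.100.20", "scott@example.com", False),
    ("09:05:12", "198.51.100.20", "scott@example.com", False),
    ("09:30:00", "192.0.2.5", "scott@example.com", True),     # real owner, right password
]

def analyze(events):
    failures = defaultdict(int)  # consecutive wrong passwords per account
    tried = defaultdict(set)     # accounts each source has failed against
    report = {"locked": set(), "flagged_sources": set(),
              "force_reset": [], "refused_while_locked": []}
    for when, ip, account, ok in events:
        if account in report["locked"]:
            # Lockout refuses everyone, including the owner with the right password.
            report["refused_while_locked"].append((when, account, ok))
        elif ok:
            failures[account] = 0
            if ip in report["flagged_sources"]:
                # A success from a flagged source is a likely takeover: reset it.
                report["force_reset"].append(account)
        else:
            failures[account] += 1
            tried[ip].add(account)
            if failures[account] >= MAX_FAILURES:
                report["locked"].add(account)
            if len(tried[ip]) >= MAX_ACCOUNTS_PER_IP:
                report["flagged_sources"].add(ip)
    return report

if __name__ == "__main__":
    for key, value in analyze(EVENTS).items():
        print(f"{key}: {value}")
```

In the sample, the first source never trips a per-account lockout because it makes one attempt per account; only the per-source count catches it and marks the one successful login for a forced reset.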
I have set up two-factor authentication for most of the sites I need to get into, and I have Touch ID on my iPhone as well for sites. Two-factor authentication sends a code to my cell phone that is then entered into the website, ensuring that I am who I say I am.
Another issue has been for those of us who use online services for games, like the Sony PS4 and the Xbox line.
Hackers have been able to trace back IP addresses. (That’s the address your internet service assigns to the box you get service on from them.) They then send thousands of digital signals to try and disconnect players in games so they can win. It’s happened to me and it’s called DDOSing.
Can someone guess who I am from the IP address? I am pretty sure a savvy hacker can match my IP to records and figure it out, but most can’t do that, yet.
So let me sum up the gist of this:
1) If you got one of the scam/blackmail emails, see what password they sent;
2) Immediately change passwords on any site that MIGHT have that old password;
3) Use a digital password manager (I use one – email me back and I will send a link for you) to handle the myriads of logins;
4) Reboot your router/cable modem/FIOS device ASAP and change those passwords as well (https://mac-pc-assist.com/reset-that-router/);
5) While I have not yet signed up, I am considering an account on LifeLock. I might soon be one of their authorized partners – email me back if interested. Hopefully by then they will have finished our agreement.
I also recommend having computers scanned regularly for any malware. As of now, I am an authorized partner for MalwareBytes and Sophos.
On my site are some Sophos webinars available for replay, covering many topics that you can watch when you want. (https://mac-pc-assist.com/top-threats-todays-malware/)
Call me if you want me to drop by and scan your systems, install Sophos or MalwareBytes, set up a password management system and of course, check your routers for malware as well. (760) 550-9496
Trying to stay cool,
Scott