Over the last week or so, a particularly clever scam email has been circulating.
There’s a good chance you or someone you know has had this exact email in the last few weeks, or some variation of it.
The email is no more dangerous or truthful than the “Nigerian prince” and “lottery” scams that were popular a decade or so ago. But it doesn’t feel that way when you get it.
That’s because it tells you just enough information about yourself to make you believe it.
It basically tells you you’ve been hacked. It either comes from your own email or from a “darknet” hacker with some random username.
The reason many people end up believing it is because it usually lists your own password in the email.
Then it tells you the hacker has installed malware on to your computer and has been watching you on your webcam.
The hacker has access to all you files, all your contacts and numerous videos of you “enjoying yourself” while visiting various internet sites.
The hacker also has screen captures of all the sites you’ve been visiting and all the conversations you’ve been having with all your contacts.
Basically, it covers many bases of possible embracement and is sure to hit home on at least one.
And what is the hacker planning to do with these videos, photos and message logs?
Send them to all of your contacts, of course… unless you pay them a ransom in bitcoin.
Here’s a screenshot of one of the emails sent to my friend over the weekend:
Pretty unnerving, right?
The key to why this scam is so successful is because it gives you information the scammer couldn’t possibly have unless they had all the things on you they said they do.
The truth is, they don’t actually have any of these things. If they did, they’d also include one of the screenshots or message logs they claim to have.
However, if you get one of these emails do not ask for proof. If you do the scammer will simply attach a real malware program that will be able to do all the things they claim to have already done.
Never open email attachments from people you don’t know. Don’t even open attachments from people you do know if you weren’t expecting them to send you something.
So, if they don’t have the things on you they claim to, how do they have one of your passwords? Or how did they send the email to you from your own address?
Let’s take a look.
PS Have you ever wondered which Southbank Investment Research service is making our subscribers the most money? My Colleague Chris did. So he set out to investigate. He’s published his finding in this report, which he’s making free to all paid-up subscribers like you.
So, if you ever wondered which of our investment services is the best, you can find out here.
The three main ways you can get hacked
There are four main ways you can get hacked:
- Someone physically steals your equipment and logs in
- You download some malware
- A company or service you use gets hacked
- You fall for a phishing scam.
Route one is usually the most distressing. But, at least you know it has happened instantly and you can take the necessary precautions.
If someone steals your phone or laptop, you know you need to change all your passwords as soon as physically possible.
And there’s a good chance you’ll be able your remotely log in to your equipment and remotely wipe it.
Route two is the most insidious and usually the most dangerous. There really is malware out there that can do all the things that scam email claims to have done.
And it is easy for even novices to use. The “hacker” wouldn’t really have to have any programming knowledge to use it.
They simply buy the script from a real hacker and start getting people to download it. Hence the computer term “script kiddie” for these type of hackers.
The thing is they have to get you to download their malware script in the first place. As long as you are careful about the files you download and the email attachments you open this shouldn’t be a problem.
Your virus scanner should also pick up on any malware you’ve been unfortunate enough to download. However, the quality of virus scanners varies greatly. And the most expensive ones aren’t necessarily the best.
It’s a good idea to download the free Malware Bytes scanner and run it if you think you might have downloaded anything suspicious. It’s free to use if you don’t need it running all the time.
I have no affiliation with Malware Bytes. I just know it is widely regarded a one of the best in the business.
Most people get hacked through no fault of their own
Now this brings us on to route three.
This is how most people get hacked. They get hacked entirely through no fault of their own and there was nothing extra they could have done to prevent it.
Almost every company and service on the internet now requires you to make an account, giving them your email address and creating a password.
It makes a lot of sense to use throwaway passwords for sites you don’t really trust. You could use a less complicated password for sites and services that don’t store much private information on you.
The more private information a service has on you the stronger and more unique your password should be.
At the top of the pile here is the login to your email address. If hackers get this, they can usually get access to everything else via lost password forms.
So make sure to use a completely unique password for your email login, and if you can, use two-factor authentication as well (2FA).
With 2FA on, if someone tries to login from a different device or location to where you usually do, you’ll have to verify it with a short code.
This code is usually either sent to you via text, or it can be set up in an app that continuously cycles codes based on an algorithm.
I don’t really have space to get into the ins and outs of 2FA here. Other than to say, if you have the option of using it, you probably should be.
But if 2FA and the technology behind it would be something you’d like to know more about send me an email: firstname.lastname@example.org and if I get a few responses I’ll write an Exponential Investor all about it.
So, let’s say a website you use gets hacked: Twitter, LinkedIn, Ticketmaster, Adobe, British Airways… they have all been breached over the last few years.
The chances are at least one website you gave an account with has been hacked.
How I got hacked
When a big company hack happens, the hackers will often upload a massive list of all the login details of the users somewhere on the internet.
This is called a “paste” because they are copying and pasting the list of users’ accounts.
If you use that email address and password combination for more than one service, changes are you are now going to get anything that uses it hacked.
This happened to me earlier this year. My account was included in a paste of Ticketmaster accounts.
I used the same email and password for my Zipcar account as I did for Ticketmaster. Within a day or two of the Ticketmaster hack I had people logging into my Zipcar account and hiring cars under my name.
That’s how easy it is to get your account hacked. You don’t even have to do anything wrong yourself.
A lot of the time these massive company hacks don’t get reported until months later.
The hackers won’t initially just paste the users’ details on to the internet for free. They’ll sell them on a few times first. They are usually in this to make money, after all.
And that brings us on to route four: phishing scams.
These are the most common ones people fall for. And they are usually powered by route three hacks.
Here’s a good definition of phishing from our friend Wikipedia:
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.
Basically hackers go on a “fishing trip”. They give you some information and see if you’ll bite.
Phishing scams are wide ranging and come in many, many different varieties: fake websites, fake login screens, fake ads, call or emails from “your bank”, etc.
The scam I opened with today is a classic phishing scam. Here’s how it works.
The scammers obtain a paste of a company hack. They then use a program to scrape the email addresses and password combinations from this paste and send out thousands of emails to these names.
The email is a template.
The things that will change are the hacker’s “darknet name”. The victim’s name and password. And, if the scammers are clever, the bitcoin address to send the money to.
(Although if they were really clever, they wouldn’t be using bitcoin at all as it is not anonymous. They would be much better using Monero. I have written about this before here.)
Some of the recipients will be using the same password for their email as they were for whatever service it was that was hacked. If they are this will make them much more likely to send the scammers money.
This is just one reason why it’s so important to keep your email address password separate from all your other accounts. Your email account is like the gatekeeper to all your other accounts. I can’t stress this enough.
“90% isn’t very sure, Harry!”
My friend who got this email over the weekend pointed out the password the email listed was not their email address password. But it was a password they used for other services from time to time.
Even though they knew this meant the scammer was lying, they still felt very unnerved by it. I mean, you would, wouldn’t you?
I looked into it for them and said I was 90% sure the email was a scam and they had nothing to worry about. But that they should run Malwarebytes anyway, just to be safe.
Their message came back: 90% isn’t very sure, Harry!
To be fair, it really isn’t. I had another look around and saw this same email was being posted around the web with many people asking about it.
After that I told them I was 99% sure it was a scam. I mean, you can never be 100% sure of anything, can you?
That was on Saturday. At the time only a few, more underground places were reporting on this new scam. By yesterday, it had already appeared in The Daily Mail.
So if you get a similar email. You can be pretty certain it is a scam.
The reason why this scam seems to have exploded this week is probably due to a big company hack that we’re not yet aware of.
I asked my friend to check their email address on Have I Been Pwned, and nothing recent came up.
They had been victim of some older company hacks. Most people have. But the amount of people now getting this specific email tells me we’re about to see another major company hack surface in the news over the next few weeks or months.
I don’t know which company it is yet, but I have a feeling it will be a big one.
And the way to solve problems like this? Yes, you guessed it, crypto.
If companies switched to a blockchain or crypto based-approach, there would be no user details to hack. The company would never store them in the first place.
This would mean any company could be hacked and YOU would not have to pay the price for its incompetence.
The current model, whereby each company keeps a centralised database of user details, is really a terrible model.
It creates a massive honeypot for hackers to target. Hack one computer at one company and you can get access to potentially millions of user logins.
If these systems were crypto or blockchain based, each user would keep their own data and only give the company access to it when it was needed.
This is another great example of why crypto is so important. It’s not about magic internet money, it’s about building a better computer infrastructure.
Until next time,
Editor, Exponential Investor