A nameless, faceless hacker is extorting you. Pay $857 in Bitcoin or videos and screenshots from your “dark secret life” — plus the browsing history on your phone, tablet and computer — will be shared with family, friends and the world.
“You are not my only victim,” the hacker writes. “I usually lock devices and ask for a ransom. But I was struck by the sites of intimate content that you very often visit.”
Several near-identical versions of this “phishing” email have been sent to hundreds of thousands of people in North America over the last few months.
Known by cybersecurity experts as “spray-and-pray” attacks, they are ultimately empty threats (just don’t click on any attached links) but surprisingly successful ones, say security consultants and police. On Monday, Peel police released a warning to the public about these and other scams.
To make your heart race faster, this wannabe extortionist — he or she identifies as a “programmer” — includes what can be a shocking bit of detail: A password you have used in the past and may still be using. The hacker also claims to have “uploaded malicious code” to your operating system and has “a complete history of visits” you have made to various internet sites.
Oh, and one other chilling element: the threat you just received appears to have come from your own email address.
Attacks like this are on the rise as hackers, stymied by increasingly stronger corporate security, are turning more and more to individuals, who are viewed as much easier marks.
“At our core, human beings are not very complicated. We are motivated by hunger, fear, greed, money and sex,” said Eldon Sprickerhoff, founder of Cambridge-based cybersecurity company eSentire.
“These people throw as many baited hooks out as they can and a steady, though small, percentage of people pay.”
A recent research report by Microsoft said these so-called “phishing” attacks now dominate the cybersecurity landscape. That’s because corporate security is improving, making it harder to crack into a company’s system. Microsoft estimates that 53 per cent of cyber attacks today are “phishing” expeditions, in which a hacker is trying to fool a person or company into paying money or providing credentials or banking information.
Cyber experts say there is no firm number on how many phishing attacks occur in Canada or the United States in a given year, although a conservative estimate suggests hundreds of thousands are received by individuals and companies.
There are two types of phishing: the so-called “spray and pray,” and the targeted type referred to as “spear phishing.” In the latter, a hacker masquerades as a company’s president or chief financial officer and emails a junior accounting executive at the same firm, directing them to transfer, for example, $50,000 to a company as part of a “special project.”
“The person might say we are doing a deal and it will not be announced until next week,” explained Brian Bourne, co-founder of Black Arts Illuminated, an organization that brings information technology security specialists in Canada together to share findings and discuss strategies to defeat hackers. “The person in accounting, who is three levels down, would think, well, it is my boss’s boss, so I had better do it.”
It is actually very simple to make an email appear as if it came from a known and trusted source. That’s because few safeguards were built in when the simple mail transfer protocol (SMTP) that everyone sending regular emails now uses was set up in the 1970s — and it would take a co-ordinated worldwide effort to add them now.
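Receiving mail servers do add checks on top of bare SMTP (SPF, DKIM and DMARC), and they record the verdicts in an Authentication-Results header. The script below is an added example, not code from the article or from any vendor it mentions: it parses a constructed message shaped like the one described here (visible From address equal to the recipient’s own, envelope sender from an unrelated domain, failed authentication) and lists the indicators a filter or an analyst would look at. All addresses, hosts and header values in the samples are made up.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the article: the From header shows the
# recipient's own address, but the envelope sender (Return-Path) is an
# unrelated domain and the receiving server recorded SPF/DKIM/DMARC failure.
SAMPLE_RAW = """\
Return-Path: <bounce@relay-example.invalid>
Received: from relay-example.invalid (relay-example.invalid [203.0.113.7])
        by mx.example.org with ESMTP id abc123
        for <victim@example.org>; Mon, 1 Oct 2018 19:02:11 -0400
Authentication-Results: mx.example.org;
        spf=fail smtp.mailfrom=relay-example.invalid;
        dkim=none;
        dmarc=fail header.from=example.org
From: victim@example.org
To: victim@example.org
Subject: Hello!

I'm a hacker who cracked your email and device a few months ago.
"""

# Constructed legitimate message for comparison: aligned domains, all checks pass.
CLEAN_RAW = """\
Return-Path: <friend@example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: friend@example.com
To: victim@example.org
Subject: lunch?

Still on for Friday?
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address, or '' if none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> list:
    """Return human-readable reasons the message looks spoofed (empty = none).

    Checks: (1) visible From domain differs from the envelope sender domain;
    (2) Authentication-Results shows SPF/DKIM/DMARC not passing (or absent);
    (3) From address equals the To address, the pattern the article describes.
    """
    msg = email.message_from_string(raw)
    reasons = []

    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    if from_dom and envelope_dom and from_dom != envelope_dom:
        reasons.append(f"From domain {from_dom} != Return-Path domain {envelope_dom}")

    # The header may be folded across lines; collapse whitespace before matching.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            reasons.append(f"{mech}={result}")

    from_addr = parseaddr(msg.get("From") or "")[1].lower()
    to_addr = parseaddr(msg.get("To") or "")[1].lower()
    if from_addr and from_addr == to_addr:
        reasons.append("From address equals recipient address")
    return reasons


if __name__ == "__main__":
    for reason in spoof_indicators(SAMPLE_RAW):
        print("indicator:", reason)
    print("clean message indicators:", spoof_indicators(CLEAN_RAW))
```

One caveat for anyone turning this into a filter: an Authentication-Results header is only meaningful if your own receiving server wrote it. Anything arriving from outside can carry a forged copy, which is why production mail systems strip or ignore Authentication-Results lines whose authserv-id is not their own before trusting the verdicts.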
Here’s the anatomy of a recent spray-and-pray attack, and how the anonymous e-mailers most likely obtained the passwords of their targets. After receiving a few of these emails, I took an interest.
There are an estimated 5 billion email accounts in the world today, each with a password chosen by the account holder. From time to time, widely used applications with poor security have been hacked and their users’ email addresses and passwords exposed. One of the biggest known breaches ever was of the networking site LinkedIn in 2012. The email credentials of 167 million people were stolen and now trade on the dark web, a part of the World Wide Web only accessible using special software. Alongside the hacked LinkedIn accounts are the stolen credentials from many others, including MySpace, which was hit by a hack that exposed 360 million user accounts in 2013, and Ashley Madison, which suffered a breach of 30 million emails and passwords.
(Those email addresses and passwords remain out there on the dark web. You can check if your information is among them at Have I Been Pwned, a free service maintained by Australian web security expert Troy Hunt.)
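Have I Been Pwned also offers a Pwned Passwords lookup that lets you test whether a password appears in breach data without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash, and receives every known hash suffix with that prefix to compare locally (the service’s k-anonymity model). The code below is an added example, not the article’s or Troy Hunt’s own code. The `https://api.pwnedpasswords.com/range/` endpoint is the real public one; the `SAMPLE_RANGE_BODY` response and its counts are constructed so the demonstration runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real public endpoint


def split_sha1(password: str) -> tuple:
    """SHA-1 the password and split the upper-case hex digest into the 5-char
    prefix sent to the service and the 35-char suffix kept on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our suffix; 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Live k-anonymity lookup (needs network). Returns how many times the
    password appears in the breach corpus; 0 means not found."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example"},  # assumed label, any UA works
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range(suffix, body)


# Constructed stand-in for the response to GET .../range/5BAA6 (the prefix of
# SHA-1("password")). Only the line format matches the real service; the other
# suffixes and every count are invented.
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E9B9F85F6FC3E6D2B2DAFC96BAAE92B8B4:2
"""


def offline_demo(password: str = "password") -> int:
    """Run the client half of the protocol against the constructed response."""
    _prefix, suffix = split_sha1(password)
    return count_in_range(suffix, SAMPLE_RANGE_BODY)


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print(f"prefix sent to service: {prefix}")
    print("constructed demo count:", offline_demo())
```

Because only the prefix leaves the machine, roughly one of every million possible hashes shares it, so the service learns nothing usable about which password was checked. That is why this lookup is safe to build into a signup form or a password-change flow, where a hit should prompt the user to pick something else, in line with the experts’ advice above not to reuse leaked passwords.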
In their response to the public back then, LinkedIn and other sites boosted security protocols, and instituted a mandatory reset of compromised accounts. The problem is, according to security experts, many people reuse the same password for other sites.
Enter our hacker, who had an old password of mine.
When I received the hacker’s email, I recalled the particular password he boasted he had “cracked” was one I had used once, many years ago, to join LinkedIn. Others who received the same email have similar recollections. Security experts warn that you should take care to use only one password per site, change it frequently and do not make it obvious — don’t use your dog’s name, for example.
“Hello!” was the introduction line on the hacker’s email, which popped into my inbox on a Monday evening in October. Seemed like a friendly enough fellow.
“I’m a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it. Of course you will change it, or already changed it. But it doesn’t matter, my malware updated it every time.”
The address the hacker had sent his email from appeared to be my own email address. Except it was not, it just looked that way. This is called “spoofing.”
My hacker was interested in only a modest payment of $857. He provided helpful instructions on how to use Google to learn how to make a payment to a Bitcoin “wallet” he provided.
“I give you 48 hours to make a payment. If this does not happen, all your contacts will get crazy shots from your dark, secret life,” the hacker wrote.
The hacker made a series of claims, all bogus as it turned out. One was that he had uploaded “malicious code to your Operation System” — untrue, our security techs at the Star say.
Experts in cybersecurity say that although people do pay this ransom, these hackers actually do not have access to your account, the camera on your phone or your browsing history (although clicking on links in the email could upload malware to your device).
What is most likely to have happened is that my hacker purchased a portion of the LinkedIn data from the dark web — perhaps for as little as $2,000, experts say — and then went “phishing.”
The best advice cyber experts have is to use unique passwords, never re-use them, and change them often. The data is still out there, hundreds of millions of emails and passwords being traded on the dark web.
“Every time any website gets knocked over, whether it is a car forum or LinkedIn or Uber or Ashley Madison or insert breach of the day, those credentials get posted on the dark web and are scraped by unsavoury individuals,” said Bourne. “At that point, it is pretty much public domain, your user name and what password you used.”
As to how many people bite on a phishing attack and pay, there is no reliable data, since people who pay do not generally come forward. Few arrests are ever made. The RCMP did lay charges this year against Jordan Evan Bloom, 27, of Thornhill, who they say operated a database of 3 billion email credentials and sold them on the dark web. Police alleged that he earned $247,000 selling the passwords. The case remains before the court.
And proof that Canada is a bilingual country came this past weekend: the same email from a hacker — but in French.
Text of the first hacker email:
I’m a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password on moment of hack: (removed)
Of course you can will change it, or already changed it.
But it doesn’t matter, my malware updated it every time.
Do not try to contact me or find me, it is impossible, since I sent you an email from your account.
Through your email, I uploaded malicious code to your Operation System.
I saved all of your contacts with friends, colleagues, relatives and a complete history of visits to the internet resources.
Also I installed a Trojan on your device and long tome spying for you.
You are not my only victim, I usually lock computers and ask for a ransom.
But I was struck by the sites of intimate content that you often visit.
I am in shock of your fantasies! I’ve never seen anything like this!
So, when you had fun on piquant sites (you know what I mean!)
I made screenshot with using my program from your camera of yours device.
After that, I combined them to the content of the currently viewed site.
There will be laughter when I send these photos to your contacts!
BUT I’m sure you don’t want it.
Therefore, I expect payment from you for my silence.
I think $857 is an acceptable price for it!
Pay with Bitcoin.
My BTC wallet: (removed)
If you do not know how to do this — enter into Google “how to transfer money to a bitcoin wallet”. It is not difficult.
After receiving the specified amount, all your data will be immediately destroyed automatically. My virus will also remove itself from your operating system.
My Trojan have auto alert, after this email is read, I will be know it!
I give you 2 days (48 hours) to make a payment.
If this does not happen — all your contacts will get crazy shots from your dark secret life!
And so that you do not obstruct, your device will be blocked (also after 48 hours)
Do not be silly!
Police or friends won’t help you for sure …
p.s. I can give you advice for the future. Do not enter your passwords on unsafe sites.
I hope for your prudence.
Kevin Donovan is the Toronto Star’s Chief Investigative Reporter. He can be reached at 416-312-3503 or firstname.lastname@example.org. Follow him at @_kevindonovan