Thursday, December 27, 2018

You haven't been hacked and hackers (probably) don't have video of you watching porn.

If you are one of the thousands of people who received an email claiming that some bad guy has hacked your computer and has video of you watching porn, so you'd better send bitcoin, I have good news. You most likely haven't been hacked. This post is (hopefully) an easy-to-find answer to this situation. So what's going on?

Over the last several years there have been a number of very large data breaches impacting credit agencies, hotel reservation systems and lots of others. A common result of these breaches is a large set of email addresses, each paired with the password that was used on the compromised system. The bad guys have recently started sending the previously mentioned email to the addresses they have passwords for. It's guesswork, since they have no real way of knowing whether the email address is active or who might be reading it. They send potentially millions of these messages hoping for only a few dozen recipients to actually send bitcoin. It can provide a very solid return on invested effort.

Of course, there's no guarantee you haven't actually had someone hack into your personal machine, install a RAT and watch you watch porn. It's just very unlikely. You'll find out if/when they follow up, since in the scam I'm referring to, we've never seen that happen.
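For the mail administrators among the readers, here is an added example (my own illustration, not something from the original post) of how a gateway rule could flag this campaign: it scores a message on the hallmarks described above (claim of compromise, claim of webcam footage, bitcoin demand, deadline), pulls out the bitcoin address for blocklisting, and recovers the quoted password so the recipient can be told which credential to rotate. The indicator phrases, the address and both sample messages are constructed for the demo.

```python
import re
from email import message_from_string

# Phrases typical of the scam described above (constructed indicator list, not from the post).
INDICATORS = {
    "claims_compromise": re.compile(r"\b(hacked|malware|trojan|RAT|full access)\b", re.I),
    "claims_video":      re.compile(r"\b(webcam|camera|recorded|video)\b", re.I),
    "adult_content":     re.compile(r"\b(porn|adult sites?)\b", re.I),
    "demands_bitcoin":   re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline":          re.compile(r"\b\d+\s*(hours|days)\b", re.I),
}
# Structural match for a bitcoin address (legacy base58 or bech32); no checksum validation.
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
# The breached credential the scammer quotes as "proof" of access.
QUOTED_PW = re.compile(r"\bpassword\s+(?:is|was)?\s*[\"'“]?([^\s\"'”,.]{4,})", re.I)


def assess(raw_message: str) -> dict:
    """Score one RFC 822 message; returns indicator hits, extracted artifacts and a verdict."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    addr = BTC_ADDR.search(text)
    pw = QUOTED_PW.search(text)
    # Verdict requires the bitcoin demand plus at least two supporting claims.
    is_sextortion = "demands_bitcoin" in hits and len(hits) >= 3
    return {
        "sextortion": is_sextortion,
        "hits": hits,
        "btc_address": addr.group(0) if addr else None,
        # Only reported on a positive verdict: the password the recipient must rotate.
        "quoted_password": pw.group(1) if (pw and is_sextortion) else None,
    }


# Constructed samples: one scam message in the style the post describes, one ordinary notice.
SCAM = """\
From: nobody@example.invalid
Subject: You have been hacked

I know your password is hunter2. I installed a RAT on your computer and
recorded you through your webcam while you watched porn. Pay 500 USD in
bitcoin to 1ConstructedAddrForDemoxyzabc within 48 hours or the video goes
to all your contacts.
"""

LEGIT = """\
From: reservations@example.invalid
Subject: Booking confirmed

Your reservation is confirmed for 2 nights. Reply to this email if you
need to change the dates.
"""

if __name__ == "__main__":
    for sample in (SCAM, LEGIT):
        print(assess(sample))
```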

If you get one of these emails, the advice isn't complicated. First, delete the email; you'll never want to reply. Next, DO NOT send bitcoin. Change all your passwords, even if they're already different from the one in the email. Never use a password for more than one site unless you really don't care about those accounts. If the only computer you use is at home, you can write your passwords on a piece of paper; just keep it out of sight and never let it leave the house. Otherwise, a password manager is probably a better choice. There's a large amount of not-quite-agreement in this area about which approach is best. Also, there are lots of really good guides on better passwords; I'll leave those for the reader to chase down. I like what XKCD has to say on the matter, but YMMV.

I generally advise changing the password for your primary email (the one you have password recovery emails sent to) first. If I were a bad guy with access to a target's accounts, at the first sign of response, I'd seize that email account first by changing the password to lock the original owner out. Then I can recover all the other accounts at my leisure. I assume actual bad guys would do this. It's quite unlikely (as mentioned) that the bad guys are actually in your accounts, but why take unnecessary risks?

Finally, who am I to provide this advice? I'm currently the senior information security technologist at a large post-secondary institution somewhere in Canada. I learned information warfare and op-sec in the Canadian Forces some time back. This is the same advice we've been giving faculty and students. As always, your decisions are yours, my advice is free and potentially worth exactly what you paid.
