Are Blackmail Spam Emails The New Trend?
We are seeing an interesting new spam trend: Blackmail.
While most of us would simply delete such spam emails without a second thought, these have a very compelling hook. The subject line and message body include a password you’ve actually used, offered as proof that the hackers have compromised your computer. Now, they have your attention. The password gives the blackmail message teeth.
How can they have your password? Wouldn’t that require hacking your computer?
Actually, this appears to be a spam campaign leveraging social engineering and passwords (yes, your passwords) that were stolen from other companies long ago.
For one blackmailed client, we leveraged the www.HaveIBeenPwned.com website, which was created by the Microsoft Regional Director, Troy Hunt. When large companies, such as LinkedIn or Yahoo, are hacked, they publish lists of those accounts that were compromised. That way, people can go online to search and see if they were a victim. The www.HaveIBeenPwned.com website collects these lists together so that people can search, in one place, to see if their sensitive data has been stolen and is available on the Dark Web.
Like more than 100 million other people, our client had her email address and password stolen during the 2012 LinkedIn hack. This information, it is estimated, has been combined with data collected from other hacks and sold on the Dark Web. Our client confirmed that the password was a very old one that she had used, often, in the distant past. Her situation is far from unique.
We believe that the spammers used the list of stolen email addresses in conjunction with the associated stolen passwords to make their blackmail messages more credible. As scary as the email was, she had not actually experienced a recent security breach and had not just been hacked. She had, however, had sensitive information, including an old password, stolen 6 or so years ago, and spammers were leveraging that information to scare her.
So, what should you do if you get one of these emails?
Delete it. If the password in the email is or was used on any site today, change it. We also strongly recommend enabling 2-factor authentication on any site that supports it. This is especially true on any website containing personal or sensitive information, such as banking sites. Lastly, visit the www.HaveIBeenPwned.com website and see if any other sensitive information has been listed as stolen.
Cybercriminals are getting better at using psychology to trick people into making bad decisions. Don’t be afraid, but do stay vigilant!