
On top of the barrage of legitimate email I receive each day there is an even larger volume of spam.  I finally invested in a spam filter that works with the two mail programs I use, and it has done an amazing job of filtering most of the spam.  I have it set to put mail in a spam folder so I can review it before deleting, just in case legitimate email had become ensnared in the filter.  I rarely even review it any more, the program is so good.  So imagine my horror when I recognized one of my passwords in an extortion email just before hitting the delete key!

The email, in broken English, was brief and to the point.  It revealed a password I frequently use to 'prove' the sender had hacked my computer, which presumably meant he had all my private information and, most importantly, my contacts list.  He claimed that a porn site I visited had malware installed that used my own computer's camera to record me enjoying a pornographic video, and threatened to send a video he had cobbled together -- that first showed the porn video, and then showed me enjoying it -- to everyone in my contacts list if I didn't send him $7,000 in bitcoin.

I went cold.  Did I visit a porn site?  Was my computer hacked?  What would happen if everyone in my contacts list -- business associates, friends, family members -- received the blackmail video?  How the heck do you even get Bitcoin?  And $7K is a lot of money...

Then I thought it through.  The likelihood that my computer had been hacked was slim given various precautions I take (not that any computer on the Internet is 100% safe).  The idea that he had one of my actual passwords was very concerning, but what if that was all he had?  An email address and password are often all you need to log into a Web site.  If a site where I used that password had been breached, or if I had typed it into a phishing site (either far more likely than my computer being hacked), then an address and a password would be all the blackmailer actually had.  Phishing is creating a phony copy of a legitimate site, and luring people to it (usually by email), so they will log in and reveal their username and password to the scammer, who then uses them to log into the real site and steal your stuff.

That's why you NEVER click on email links.  Repeat after me: NEVER.  You always type in the address of your banking (or whatever) site manually before logging in.

I deleted the email and kept watch on my spam folder for any followups -- there have been none.

A week or so later I read a Business Insider article that confirmed my suspicions.  It's called a 'sextortion' scam.  And it's a scam with a twist -- many scams attempt to get your passwords so the scammers can log in as you and steal your identity, your bank account, or use your email account to send more spam.  This scam already has your password and uses that to extort cold cash (is bitcoin cold?  I've never felt it...).

In my case I wasn't using that password for much any more, but there was one active important account I did still use it on.  I immediately changed it.

I also use a password safe app called Enpass -- I use a master password that I have memorized to open the app and it has all my other passwords so I don't have to remember them.  There are many other good ones out there.  I even wrote one myself in my software development days.  It was called 'Darn Passwords' because it remembered all your darn passwords for you so you didn't have to.

Another thing -- when you're not using your web cam (or the little camera built into your computer) place a little post-it note over it.  Your camera probably hasn't been hacked, but covering it up 100% guarantees that you're not being watched while you enjoy endless cat videos on Facebook.  (It does nothing for the microphone, but the scam is about video, and a sticker is cheap.)  Sometimes the simplest solutions to the thorniest technical problems are the most effective ones.

The point is that you can have unique, strong passwords for everything you do and you don't have to remember them.  The password safe is easy enough to use that you can always log into whatever you have an account for.  The one I use has a phone app so I have full access to my passwords wherever I go.

Some things to remember when you get an email that produces that sinking feeling that you have stumbled into a virtual disaster... first, to quote Douglas Adams' 'The Hitchhiker's Guide to the Galaxy', "don't panic!"  (And make sure you always have your towel, "about the most massively useful thing an interstellar hitchhiker can have," with you.)

Second, don't take it personally.  The article I read quotes security expert Brian Krebs' article on sextortion, in which he says these scam emails are probably automated and so not actually personally targeting you, and notes that the password most likely came from an old breach that could be a decade old.

"My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site," Krebs writes.

Third, if you haven't taken the admonitions seriously to use those crazy passwords like "$skceSwp[r3Bwu3ZSX$_i8u" for any sites you log in to, take them seriously now.  Get a password safe program and use it.  It makes it not matter how crazy your password is, because you never have to type it from memory.  Then make up crazy passwords that you can memorize for the few sites you use all the time (and for the password safe itself).

Here's a great way to do it.  Take a line from a poem or a famous quote that you love.  For example, if you are a Lady Clairol fan, "If I've only one life, let me live it as a blonde."  Now make up a rule.  Take the first letter of each word, in lower case, and keep any comma that follows a word.  Every third word (counting all the words) becomes a capital letter, unless its letter gets transformed to a number.  All Ls are replaced by 1s (ones), and Os (ohs) become 0s (zeros).  Your password becomes: ii001,1m1IaaB  Now add a number like your mother's birth year.  Now you have ii001,1m1IaaB1928 (my mother turns 90 next week).  That's a pretty good password -- long, not obvious, numbers and letters and 'special symbols'.  (Plus nobody would guess the quote in my case, as one needs hair to have blond hair.)  One caveat: the quote, the rule and the result are now published here, so don't use this exact one, and a relative's birth year is the first number someone who knows you will try; pick a number that isn't on your Facebook page.

Fourth, Douglas Adams had it right... don't panic.  Just like the infamous Nigerian scam, which leads one to say "if it looks too good to be true, it is"... if it looks too bad to not be true, it probably isn't true.

Finally, heed your mother's advice from when she said, "Be careful."  Just because you are sitting at your favorite computer in the comfort of your own home doesn't mean you are safe.  The cyber world can be as dangerous, with real world hazards, as the so-called real world.

I say 'so-called' because of all the news coming out of Washington, DC these days.  Surely our world isn't real.  We have it on the highest authority (the President of the United States) that our news isn't.
