Friday 23 November 2018

Hackers blackmail victims

The hacker employs a Phishing” scam using the victim’s old passwords from data breaches to extort relatively small amounts of money. In his message to one of his victims, he wrote; “Pay $657 in Bitcoin or your secret ife goes public. The hacker demands Bitcoin because it can’t be traced.

A nameless, faceless hacker is extorting his victims after downloading videos and screenshots from your "dark secret life" — plus the browsing history on your phone, tablet and computer  and threatens the vitim that the pictures or writings  will be shared with the victim’s family, friends and the world.

"You are not my only victim," the hacker writes. "I usually lock devices and ask for a ransom. But I was struck by the sites of intimate content that you very often visit."

Several near identical versions of this "phishing" email have been sent out to hundreds of thousands of people in North America over the last few months.

Known by cybersecurity experts as "spray-and-pray" attacks, they are ultimately empty (just don't click on any attached links) but surprisingly successful threats, say security consultants and police. On Monday, Peel police released a warning to the public about these and other scams.

To make your heart race faster, this wannabe extortionist — he or she identifies as a "programmer" that includes what can be a shocking bit of detail: A password you have used in the past and may still be using. The hacker also claims to have "uploaded malicious code" to your operating system and has "a complete history of visits" you have made to various internet sites.

Here is another chilling element: the threat you just received appears to have come from your own email address.

Attacks like this are on the rise as hackers, stymied by increasingly stronger corporate security, are turning more and more to individuals, who are viewed as much easier marks.

At our core, human beings are not very complicated. We are motivated by hunger, fear, greed, money and sex," said Eldon Sprickerhoff, founder of Cambridge-based cybersecurity company.

These hackers throw as many baited hooks out as they can and a steady, though small, percentage of people actually pay the extortionist.      

A recent research report by Microsoft said these so-called "phishing" attacks now dominate the cybersecurity landscape. That's because corporate security is improving, making it harder to crack into a company's system. Microsoft estimates that 53 per cent of cyber attacks today are "phishing" expeditions, in which a hacker is trying to fool a person or company into paying money or providing credentials or banking information.

Cyber experts say there is no firm number on how many phishing attacks occur in Canada or the United States in a given year, although a conservative estimate suggests hundreds of thousands are received by individuals and companies.

There are two types of phishing: the so-called "spray and pray," and the targeted type referred to as "spear phishing." In the latter, a hacker masquerades as a company's president or chief financial officer and emails a junior accounting executive at the same firm, directing them to transfer, for example, $50,000 to a company as part of a "special project.

The hacker might say he is giving the victim  a deal and it will not be announced until next week," explained Brian Bourne, co-founder of Black Arts Illuminated, an organization that brings information technology security specialists in Canada together to share findings and discuss strategies to defeat hackers. "The person in accounting, who is three levels down, would think, well, it is my boss's boss, so I had better do it.”

Here's the anatomy of a recent spray-and-pray attack, and how the anonymous emailers most likely obtained the passwords of their targets. After receiving a few of these emails, I took an interest.

There are an estimated 5 billion email accounts in the world today, each with a password chosen by the account holder. From time to time, widely used applications with poor security have been hacked and emails and passwords suddenly became vulnerable. One of the biggest known breaches ever was of the networking site LinkedIn in 2012. The email credentials of 167 million people were stolen and now trade on the dark web, a part of the World Wide Web only accessible using special software. Alongside the hacked LinkedIn accounts are the stolen credentials from many others, including MySpace, which was hit by a hack that exposed 360 million user accounts in 2013, and Ashley Madison, which suffered a breach of 30 million emails and passwords.

Those email addresses and passwords remain out there on the dark web. You can check if your information is among them at Have I Been Pwned, a free service maintained by Australian web security expert Troy Hunt.
In their response to the public back then, LinkedIn and other sites boosted security protocols, and instituted a mandatory reset of compromised accounts. The problem is, according to security experts, many people reuse the same password for other sites. Enter our hacker, who had an old password of yours.

Security experts warn that you should take care to use only one password per site, change it frequently and do not make it obvious — don't use your dog's name, for example.

One experts said, “A message in your rmail may start with the word, “Hello.” Then it will say. "I'm a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it. Of course you will change it, or already changed it. But it doesn't matter, my malware updated it every time."

The address the hacker had sent his email from appeared to be my own email address. Except it was not, it just looked that way. This is called "spoofing."

My hacker was interested in only a modest payment of $857. He provided helpful instructions on how to use Google to learn how to make a payment to a Bitcoin "wallet" he provided.

"I give you 48 hours to make a payment. If this does not happen, all your contacts will get crazy shots from your dark, secret life," the hacker wrote.

The hacker made a series of claims, all bogus as it turned out. One was that he had uploaded "malicious code to your Operation System" — untrue, our security techs at the Toronto Star say.

Experts in cybersecurity say that although people do pay this ransom, these hackers actually do not have access to your account, the camera on your phone or your browsing history (although clicking on links in the email could upload malware to your device).

What is most likely to have happened is that my hacker purchased a portion of the LinkedIn data from the dark web — perhaps for as little as $2,000, experts say — and then went "phishing."

The best advice cyber experts have is to use unique passwords, never re-use them, and change them often. The data is still out there, hundreds of millions of emails and passwords being traded on the dark Web.

"Every time any website gets knocked over, whether it is a car forum or LinkedIn or Uber or Ashley Madison or insert breach of the day, those credentials get posted on the dark web and are scraped by unsavoury individuals," said Bourne. "At that point, it is pretty much public domain, your user name and what password you used."

As to how many people ate bitten by a phishing attack and pay, there is no reliable data, since people who pay do not generally come forward. Few arrests are ever made. The Royal Canadian Mounted Police (Canada’s federal police)  did lay charges this year against Jordan Evan Bloom, 27, of Thornhill, who they say operated a database of 3 billion email credentials and sold them on the dark web. Police alleged that he earned $247,000 selling the passwords. The case remains before the court.

Years ago, while addressing a United Nations crime conference, I suggested that very heavy sentences should be given to hackers. I also said that if the hackers are causing problems worldwide, they should be sentenced to life in prison. Society has a right to be protected from this kind of scum.

No comments: