Hackers blackmail victims
The hacker employs a "phishing" scam using the victim's old passwords from data
breaches to extort relatively small amounts of money. In his message to one of
his victims, he wrote: "Pay $657 in Bitcoin or your secret life goes public." The
hacker demands Bitcoin because it can't be traced.
A nameless, faceless hacker is extorting his victims after, he claims, downloading
videos and screenshots from their "dark secret life," plus the browsing history
on their phone, tablet and computer, and threatens the victim that the pictures or
writings will be shared with the victim's family, friends and the world.
"You are not my only victim," the hacker
writes. "I usually lock devices and ask for a ransom. But I was struck by
the sites of intimate content that you very often visit."
Several near-identical versions of this "phishing" email have been sent out to
hundreds of thousands of people in North America over the last few months.
Known by cybersecurity experts as
"spray-and-pray" attacks, they are ultimately empty (just don't click
on any attached links) but surprisingly successful threats, say security
consultants and police. On Monday, Peel police released a warning to the public
about these and other scams.
To make your heart race faster, this wannabe extortionist (he or she identifies
as a "programmer") includes what can be a shocking bit of detail: a password you
have used in the past and may still be using. The hacker also claims to have
"uploaded malicious code" to your operating system and to have "a complete
history of visits" you have made to various internet sites.
Here is another chilling element: the threat you
just received appears to have come from your own email address.
Attacks like this are on the rise as hackers,
stymied by increasingly stronger corporate security, are turning more and more
to individuals, who are viewed as much easier marks.
"At our core, human beings are not very complicated. We are motivated by hunger,
fear, greed, money and sex," said Eldon Sprickerhoff, founder of a
Cambridge-based cybersecurity company.
These hackers throw as many baited hooks out as
they can and a steady, though small, percentage of people actually pay the
extortionist.
A recent research report by Microsoft said these
so-called "phishing" attacks now dominate the cybersecurity
landscape. That's because corporate security is improving, making it harder to
crack into a company's system. Microsoft estimates that 53 per cent of cyber
attacks today are "phishing" expeditions, in which a hacker is trying
to fool a person or company into paying money or providing credentials or
banking information.
Cyber experts say there is no firm number on how
many phishing attacks occur in Canada or the United States in a given year,
although a conservative estimate suggests hundreds of thousands are received by
individuals and companies.
There are two types of phishing: the so-called "spray and pray," and the
targeted type referred to as "spear phishing." In the latter, a hacker
masquerades as a company's president or chief financial officer and emails a
junior accounting executive at the same firm, directing them to transfer, for
example, $50,000 to a company as part of a "special project."
"The hacker might say he is giving the victim a deal and it will not be announced
until next week," explained Brian Bourne, co-founder of Black Arts Illuminated,
an organization that brings information technology security specialists in
Canada together to share findings and discuss strategies to defeat hackers.
"The person in accounting, who is three levels down, would think, well, it is my
boss's boss, so I had better do it."
Here's the anatomy of a recent spray-and-pray
attack, and how the anonymous emailers most likely obtained the passwords of
their targets. After receiving a few of these emails, I took an interest.
There are an estimated 5 billion email accounts in
the world today, each with a password chosen by the account holder. From time
to time, widely used applications with poor security have been hacked and emails
and passwords suddenly became vulnerable. One of the biggest known breaches
ever was of the networking site LinkedIn in
2012. The email credentials of 167 million people were stolen and now trade on
the dark web, a part of the World Wide
Web only accessible using special software. Alongside the hacked LinkedIn accounts are the stolen
credentials from many others, including MySpace,
which was hit by a hack that exposed 360 million user accounts in 2013, and Ashley Madison, which suffered a breach
of 30 million emails and passwords.
Those email addresses and passwords remain out
there on the dark web. You can check if your information is among them at Have I Been
Pwned, a free service maintained by Australian web security
expert Troy Hunt.
In their response to the public back then, LinkedIn and other sites boosted
security protocols, and instituted a mandatory reset of compromised accounts.
The problem is, according to security experts, many people reuse the same
password for other sites. Enter our hacker, who had an old password of yours.
Security experts warn that you should take care to
use only one password per site, change it frequently and do not make it obvious
— don't use your dog's name, for example.
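The advice above rests on a simple check: has this password already appeared in a breach dump? Have I Been Pwned offers a Pwned Passwords lookup that never receives the password itself: the client hashes it with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, and receives every hash suffix in that bucket as `SUFFIX:COUNT` lines, so the match is made locally. The following Python is an added example, not code from the article or from Have I Been Pwned; the endpoint and line format are the real ones, while the sample bucket contents and counts below are constructed so the demo runs offline.

```python
"""Password-breach check using the k-anonymity range lookup of Have I Been
Pwned's Pwned Passwords service.

Only the first five hex characters of the SHA-1 hash leave your machine; the
server returns the whole bucket and the comparison happens locally.
"""
import hashlib
from urllib.request import Request, urlopen

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED sample bucket for prefix 5BAA6 (the real bucket is far larger).
# The second line is the genuine SHA-1 suffix of the string "password";
# the counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FF8E2C9D4C3A8B1F0E5D6A7B8C9D0E1F2A3:2
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into (first 5 chars, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a mapping of suffix -> breach count."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; only the 5-char prefix is transmitted."""
    req = Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in breach data (0 = not seen).

    `fetch` is injectable so the logic can be exercised offline with a
    constructed bucket instead of a live HTTP call.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed bucket; swap in fetch_range for a live check.
    for candidate in ("password", "a-long-unique-passphrase-for-this-site-only"):
        seen = check_password(candidate, fetch=lambda _prefix: SAMPLE_RANGE_5BAA6)
        status = f"seen {seen} times in breaches" if seen else "not in the sample bucket"
        print(f"{candidate!r}: {status}")
```

A count above zero means the password is already in the data the article describes being traded; any site where it is still in use should get a fresh, unique password rather than a variation of the old one.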
One expert said: "A message in your email may start with the word 'Hello.' Then
it will say, 'I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
Of course you will change it, or already changed it. But it doesn't matter, my
malware updated it every time.'"
The address the hacker had sent his email from
appeared to be my own email address. Except it was not, it just looked that
way. This is called "spoofing."
My hacker was interested in only a modest payment
of $857. He provided helpful instructions on how to use Google to learn how to
make a payment to a Bitcoin "wallet" he provided.
"I give you 48 hours to make a payment. If
this does not happen, all your contacts will get crazy shots from your dark,
secret life," the hacker wrote.
The hacker made a series of claims, all bogus as it
turned out. One was that he had uploaded "malicious code to your Operation
System" — untrue, our security techs at the Toronto Star say.
Experts in cybersecurity say that although people
do pay this ransom, these hackers actually do not have access to your account,
the camera on your phone or your browsing history (although clicking on links
in the email could upload malware to your device).
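The article's anatomy of the message (a From address that appears to be your own, an old password as the lure, a Bitcoin demand and a 48-hour deadline) maps directly onto a mail-filter or help-desk triage rule. The Python below is an added example, not code from the article or the Toronto Star, that parses a raw email with the standard library and reports which of those hallmarks are present; the two messages it inspects are constructed for this example, and the Authentication-Results and Return-Path headers it reads are the standard ones a receiving mail server adds.

```python
"""Triage of a "spray-and-pray" sextortion email using only the standard library.

Reads the headers a receiving mail server adds (Return-Path, Authentication-Results)
and scans the body for the lure and the demand described in the article.
Both sample messages are CONSTRUCTED for this example.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample resembling the article's email: From equals To (spoofed),
# SPF fails, an old password in the lure, a Bitcoin demand and a deadline.
SAMPLE_SEXTORTION = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: alice@example.com
To: alice@example.com
Subject: alice@example.com - Pa55word! (constructed sample)

Hello. I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
Pay $857 in Bitcoin to my wallet. I give you 48 hours to make a payment.
If this does not happen, all your contacts will get crazy shots from your dark secret life.
"""

# Constructed ordinary message for contrast.
SAMPLE_LEGIT = """\
Return-Path: <bob@example.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dkim=pass
From: bob@example.org
To: alice@example.com
Subject: Lunch on Thursday?

Hi Alice, are you free for lunch on Thursday at noon? Bob
"""

THREAT_WORDS = ("contacts", "secret life", "video", "camera", "intimate")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg) -> str:
    """Collect the text/plain body, whether or not the message is multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    texts = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(texts)


def sextortion_indicators(raw_message: str) -> list[str]:
    """Return the names of the sextortion hallmarks found in the raw message."""
    msg = email.message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = _plain_text(msg).lower()

    found = []
    if sender and sender == recipient:
        found.append("from_equals_to")            # the "sent from your own address" trick
    if "spf=fail" in auth or "dkim=fail" in auth:
        found.append("authentication_failed")     # spoofed sender did not pass SPF/DKIM
    if return_path and _domain(return_path) != _domain(sender):
        found.append("return_path_domain_mismatch")
    if "password" in body:
        found.append("leaked_password_lure")
    if "bitcoin" in body or re.search(r"\bbtc\b", body):
        found.append("crypto_payment_demand")
    if re.search(r"\b\d+\s*hours?\b", body):
        found.append("short_deadline")
    if any(word in body for word in THREAT_WORDS):
        found.append("exposure_threat")
    return found


def assess(raw_message: str) -> dict:
    """Summarise the indicators into a verdict; three or more is treated as the scam."""
    indicators = sextortion_indicators(raw_message)
    verdict = "likely sextortion scam" if len(indicators) >= 3 else "no sextortion pattern"
    return {"indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("sextortion", SAMPLE_SEXTORTION), ("legit", SAMPLE_LEGIT)):
        print(label, assess(sample))
```

The header checks do the heavy lifting: a message whose From address is the recipient's own but which fails SPF and bounces to an unrelated domain is spoofed regardless of what the body says, which is exactly why the article's advice to ignore the threat (and not click its links) is sound.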
What is most likely to have happened is that my
hacker purchased a portion of the LinkedIn data from the dark web — perhaps for
as little as $2,000, experts say — and then went "phishing."
The best advice cyber experts have is to use unique passwords, never re-use
them, and change them often. The data is still out there, hundreds of millions
of emails and passwords being traded on the dark web.
"Every time any website gets knocked over,
whether it is a car forum or LinkedIn
or Uber or Ashley Madison or insert breach of the day, those credentials get
posted on the dark web and are scraped by unsavoury individuals," said
Bourne. "At that point, it is pretty much public domain, your user name
and what password you used."
As to how many people are bitten by a phishing attack and pay, there is no
reliable data, since people who pay do not generally come forward. Few arrests
are ever made. The Royal Canadian Mounted
Police (Canada’s federal police) did lay
charges this year against Jordan Evan Bloom, 27, of Thornhill, who they say
operated a database of 3 billion email credentials and sold them on the dark
web. Police alleged that he earned $247,000 selling the passwords. The case
remains before the court.
Years ago, while addressing a United Nations crime conference,
I suggested that very heavy sentences should be given to hackers. I also said
that if the hackers are causing problems worldwide, they should be sentenced to
life in prison. Society has a right to be protected from this kind of scum.