e-mail scam

[Firthy]

Just thought I'd mention it on here as this is one of the few websites I use the password for.

I received a scam e-mail saying my e-mail account had been hacked and it looked like the e-mail had been sent from my own account to myself. It said I'd been on porn sites and a trojan had been downloaded activating my laptop camera and he had videos of me doing sexual acts of self gratification and threatening to pst it on media sites unless I paid him. Made me laugh as I'm 65 years old and well past anything like that. I also keep my protection updated and run regular scans and never had a virus of any sort on my laptop.

He said he knew my password but the pasword he quoted is completely different to the one on my e-mail account but the password he quoted is the one I use for this forum and a couple of other sites. Obviously going to change some of my passwords but it is quite scarey where he got my password from.

Anyway, just mentioning it in case anyone else has had the same thing.

[LeadBelly]

I'm 65 years old and well past anything like that

Good of you to send out a warning here.

I'm 68 and I'm not past anything like that. I dont have a camera on my PC though so the e-world can never see.

[Imploding Turtle]

Just thought I'd mention it on here as this is one of the few websites I use the password for.

...

Get Last Pass and stop using the same password for multiple websites.

https://www.lastpass.com/" onclick="window.open(this.href);return false;

[lesxdp]

:DWell past it at 65???? Don't give up so easy

[Ashingtonclaret46]

Firthy --I have also received a similar email and the password quoted is one that I have not used for a couple of years on any website.
I'm 71 and still going strong!

[Firthy]

I'm not saying I'm past it and that I'm not sexually active just that I don't toss off on porn websites

[JohnMac]

I'm not saying I'm past it and that I'm not sexually active just that I don't toss off on porn websites

Well, not until the scammer confirms the address of said porn websites anyway

[brexit]

Get Last Pass and stop using the same password for multiple websites.

https://www.lastpass.com/" onclick="window.open(this.href);return false;

Of course IT
https://www.zdnet.com/article/lastpass- ... abilities/" onclick="window.open(this.href);return false;

[FactualFrank]

Once upon a time, writing down your passwords in a notepad was deemed foolish. But now I'd say it's safer than saving them to your pc/app.

[Loyalclaret]

Aggi flag this email scam up on here previously I believe. Better than the Nigerian 2billion$ email for sure.

[Vintage Claret]

Don't fall for it, I paid up and the **** still posted it on my Facebook account, it did get over 50 likes though so it's not all bad

[joey13]

Glad you are still using protection

[Goobs]

I always thought that pop up for mature sex sites was nothing to do with this forum but reading this post I'm now not so sure.

[Imploding Turtle]

Of course IT
https://www.zdnet.com/article/lastpass- ... abilities/" onclick="window.open(this.href);return false;

OK mate. You carry on using the same password for everything because a password manager patched a vulnerability a year and a half ago.

[kentonclaret]

How did they know your password was BURNLEY?

[houseboy]

I couldn't give a damn. If someone wants to spend the time and effort watching me having a full on then good luck to 'em, I personally wouldn't advise it though.

By the way as far as being past it at 64 I thought that at our age that was the only way forward. I must be doing something wrong.

[JPS71]

I got this email recently as well.
I asked them for a copy of the video still not received it

[Rodleydave]

65... the new 95

[PhilC]

Check where your details have been compromised on this website

http://www.haveibeenpwned.com" onclick="window.open(this.href);return false;

You can also set an alert if you email is found in a hack going forward.

Also, there is a section there to see if your password has ever been found in a hack, whether it was you or someone else with the same password.

[Sausage]

Check where your details have been compromised on this website

http://www.haveibeenpwned.com" onclick="window.open(this.href);return false;

You can also set an alert if you email is found in a hack going forward.

Also, there is a section there to see if your password has ever been found in a hack, whether it was you or someone else with the same password.

Not being funny, but you enter your email (i.e. some personal info) to see if they have your personal info?

[PhilC]

Have I Been Pwned (HIBP) have your information as your details have been stolen and somebody else has them through a compromise of another IT system.

HIBP do not store any other details apart from email addresses and passwords (which are not linked to each other in any way and is in a separate database).

It's honestly a fantastic service to check if your details have been stolen or if your password has ever been seen in a compromise. If the password you use is in the asswprd database I would strongly recommend changing your passwords. HIBP is safe and should be used with confidence that there are no other repurcusions.

[Jel]

Here's a report I came across from exponential adviser I've tried to copy


Having trouble viewing this email? View in browser

Exponential Investor

HARRY HAMBURG | 25 OCTOBER 2018


The anatomy of a near-perfect internet scam – which you’ve likely been targeted by


Dear Subscriber,

Over the last week or so, a particularly clever scam email has been circulating.

There’s a good chance you or someone you know has had this exact email in the last few weeks, or some variation of it.

The email is no more dangerous or truthful than the “Nigerian prince” and “lottery” scams that were popular a decade or so ago. But it doesn’t feel that way when you get it.

That’s because it tells you just enough information about yourself to make you believe it.

It basically tells you you’ve been hacked. It either comes from your own email or from a “darknet” hacker with some random username.

The reason many people end up believing it is because it usually lists your own password in the email.

Then it tells you the hacker has installed malware on to your computer and has been watching you on your webcam.

The hacker has access to all you files, all your contacts and numerous videos of you “enjoying yourself” while visiting various internet sites.

The hacker also has screen captures of all the sites you’ve been visiting and all the conversations you’ve been having with all your contacts.

Basically, it covers many bases of possible embracement and is sure to hit home on at least one.

And what is the hacker planning to do with these videos, photos and message logs?

Send them to all of your contacts, of course… unless you pay them a ransom in bitcoin.

Here’s a screenshot of one of the emails sent to my friend over the weekend:


Pretty unnerving, right?

The key to why this scam is so successful is because it gives you information the scammer couldn’t possibly have unless they had all the things on you they said they do.

The truth is, they don’t actually have any of these things. If they did, they’d also include one of the screenshots or message logs they claim to have.

However, if you get one of these emails do not ask for proof. If you do the scammer will simply attach a real malware program that will be able to do all the things they claim to have already done.

Never open email attachments from people you don’t know. Don’t even open attachments from people you do know if you weren’t expecting them to send you something.

So, if they don’t have the things on you they claim to, how do they have one of your passwords? Or how did they send the email to you from your own address?

Let’s take a look.

You may be interested in
Your FREE e-book Is on Hold...

A FREE copy of the most valuable investing book in Britain is waiting with your name on it.

Claim it here now.

As soon as you give me the go-ahead, we'll send you a copy.

Claim your copy now to avoid disappointment.


The three main ways you can get hacked
There are four main ways you can get hacked:

Someone physically steals your equipment and logs in
You download some malware
A company or service you use gets hacked
You fall for a phishing scam.
Route one is usually the most distressing. But, at least you know it has happened instantly and you can take the necessary precautions.

If someone steals your phone or laptop, you know you need to change all your passwords as soon as physically possible.

And there’s a good chance you’ll be able your remotely log in to your equipment and remotely wipe it.

Route two is the most insidious and usually the most dangerous. There really is malware out there that can do all the things that scam email claims to have done.

And it is easy for even novices to use. The “hacker” wouldn’t really have to have any programming knowledge to use it.

They simply buy the script from a real hacker and start getting people to download it. Hence the computer term “script kiddie” for these type of hackers.

The thing is they have to get you to download their malware script in the first place. As long as you are careful about the files you download and the email attachments you open this shouldn’t be a problem.

Your virus scanner should also pick up on any malware you’ve been unfortunate enough to download. However, the quality of virus scanners varies greatly. And the most expensive ones aren’t necessarily the best.

It’s a good idea to download the free Malware Bytes scanner and run it if you think you might have downloaded anything suspicious. It’s free to use if you don’t need it running all the time.

I have no affiliation with Malware Bytes. I just know it is widely regarded a one of the best in the business.

Most people get hacked through no fault of their own
Now this brings us on to route three.

This is how most people get hacked. They get hacked entirely through no fault of their own and there was nothing extra they could have done to prevent it.

Almost every company and service on the internet now requires you to make an account, giving them your email address and creating a password.

It makes a lot of sense to use throwaway passwords for sites you don’t really trust. You could use a less complicated password for sites and services that don’t store much private information on you.

The more private information a service has on you the stronger and more unique your password should be.

At the top of the pile here is the login to your email address. If hackers get this, they can usually get access to everything else via lost password forms.

So make sure to use a completely unique password for your email login, and if you can, use two-factor authentication as well (2FA).

With 2FA on, if someone tries to login from a different device or location to where you usually do, you’ll have to verify it with a short code.

This code is usually either sent to you via text, or it can be set up in an app that continuously cycles codes based on an algorithm.

I don’t really have space to get into the ins and outs of 2FA here. Other than to say, if you have the option of using it, you probably should be.

But if 2FA and the technology behind it would be something you’d like to know more about send me an email: harry@southbankresearch.com and if I get a few responses I’ll write an Exponential Investor all about it.

So, let’s say a website you use gets hacked: Twitter, LinkedIn, Ticketmaster, Adobe, British Airways… they have all been breached over the last few years.

The chances are at least one website you gave an account with has been hacked.

You can type your email address into haveIbeenPwned.com to check (I wrote an issue about that service a few months ago. You can read it here).

How I got hacked
When a big company hack happens, the hackers will often upload a massive list of all the login details of the users somewhere on the internet.

This is called a “paste” because they are copying and pasting the list of users’ accounts.

If you use that email address and password combination for more than one service, changes are you are now going to get anything that uses it hacked.

This happened to me earlier this year. My account was included in a paste of Ticketmaster accounts.

I used the same email and password for my Zipcar account as I did for Ticketmaster. Within a day or two of the Ticketmaster hack I had people logging into my Zipcar account and hiring cars under my name.

That’s how easy it is to get your account hacked. You don’t even have to do anything wrong yourself.

A lot of the time these massive company hacks don’t get reported until months later.

The hackers won’t initially just paste the users’ details on to the internet for free. They’ll sell them on a few times first. They are usually in this to make money, after all.

And that brings us on to route four: phishing scams.

These are the most common ones people fall for. And they are usually powered by route three hacks.

Here’s a good definition of phishing from our friend Wikipedia:

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Basically hackers go on a “fishing trip”. They give you some information and see if you’ll bite.

Phishing scams are wide ranging and come in many, many different varieties: fake websites, fake login screens, fake ads, call or emails from “your bank”, etc.

The scam I opened with today is a classic phishing scam. Here’s how it works.

The scammers obtain a paste of a company hack. They then use a program to scrape the email addresses and password combinations from this paste and send out thousands of emails to these names.

The email is a template.

The things that will change are the hacker’s “darknet name”. The victim’s name and password. And, if the scammers are clever, the bitcoin address to send the money to.

(Although if they were really clever, they wouldn’t be using bitcoin at all as it is not anonymous. They would be much better using Monero. I have written about this before here.)

Some of the recipients will be using the same password for their email as they were for whatever service it was that was hacked. If they are this will make them much more likely to send the scammers money.

This is just one reason why it’s so important to keep your email address password separate from all your other accounts. Your email account is like the gatekeeper to all your other accounts. I can’t stress this enough.

“90% isn’t very sure, Harry!”
My friend who got this email over the weekend pointed out the password the email listed was not their email address password. But it was a password they used for other services from time to time.

Even though they knew this meant the scammer was lying, they still felt very unnerved by it. I mean, you would, wouldn’t you?

I looked into it for them and said I was 90% sure the email was a scam and they had nothing to worry about. But that they should run Malwarebytes anyway, just to be safe.

Their message came back: 90% isn’t very sure, Harry!

To be fair, it really isn’t. I had another look around and saw this same email was being posted around the web with many people asking about it.

After that I told them I was 99% sure it was a scam. I mean, you can never be 100% sure of anything, can you?

That was on Saturday. At the time only a few, more underground places were reporting on this new scam. By yesterday, it had already appeared in The Daily Mail.

So if you get a similar email. You can be pretty certain it is a scam.

The reason why this scam seems to have exploded this week is probably due to a big company hack that we’re not yet aware of.

I asked my friend to check their email address on Have I Been Pwned, and nothing recent came up.

They had been victim of some older company hacks. Most people have. But the amount of people now getting this specific email tells me we’re about to see another major company hack surface in the news over the next few weeks or months.

I don’t know which company it is yet, but I have a feeling it will be a big one.

And the way to solve problems like this? Yes, you guessed it, crypto.

If companies switched to a blockchain or crypto based-approach, there would be no user details to hack. The company would never store them in the first place.

This would mean any company could be hacked and YOU would not have to pay the price for its incompetence.

The current model, whereby each company keeps a centralised database of user details, is really a terrible model.

It creates a massive honeypot for hackers to target. Hack one computer at one company and you can get access to potentially millions of user logins.

If these systems were crypto or blockchain based, each user would keep their own data and only give the company access to it when it was needed.

This is another great example of why crypto is so important. It’s not about magic internet money, it’s about building a better computer infrastructure.

Until next time,

Harry Hamburg
Editor, Exponential Investor

RELATED ARTICLES...
HARRY HAMBURG | 23.10.18


Driverless taxis are coming to the London in 2021
Fleets of driverless taxis will be ferrying people around London in less than three years. And the company coming out with the service first isn’t Uber, or Google or even Tesla. No. It’s private-hire taxi company Addison Lee. From Tech Crunch: After undertaking a year-long investigation with Ford and four…



READ FULL ARTICLE
HARRY HAMBURG | 22.10.18


The big fat recycling lie
Where does all your recycling go? We are led to believe that all the plastics we carefully sort out and dispose of separately is taken to hi-tech recycling plants and turned back into reusable material. But it turns out that is a big fat lie. On Friday, news emerged that…



READ FULL ARTICLE
Exponential Investor is an unregulated product published by Southbank Investment Research Ltd. It is for general information only and is not intended to be relied upon by individual readers in making (or not making) specific investment decisions. Appropriate independent advice should be obtained before making any such decision.

From time to time we may tell you about regulated products issued by Southbank Investment Research Limited. With these products your capital is at risk. You can lose some or all of your investment, so never risk more than you can afford to lose. Seek independent advice if you are unsure of the suitability of any investment.

Southbank Investment Research Limited is authorised and regulated by the Financial Conduct Authority. FCA No 706697. https://register.fca.org.uk/" onclick="window.open(this.href);return false;.

ISSN 2398-7189.

Contact Us

To contact customer services, please click here. Alternatively, telephone us on 020 7633 3615, Monday to Friday, 9.00am - 5.30pm.

Email Reference: EXIED01

To unsubscribe from Exponential Investor please click here

© 2018 Southbank Investment Research Ltd. Registered in England and Wales No 9539630. VAT No GB629 7287 94. Registered Office: 2nd Floor, Crowne House, 56-58 Southwark Street, London, SE1 1UN.

[PhilC]

When I present at conventions on Information Security I usually use 1 or both of these clips to show how easy it is to gather personal information and passwords.

https://youtu.be/_YRs28yBYuI" onclick="window.open(this.href);return false;

https://youtu.be/opRMrEfAIiI" onclick="window.open(this.href);return false;

[aggi]

This site would be quite a target for passwords being compromised though due to the refusal to use HTTPS for some weird reason.