Sextortion scam knows your password, but don’t fall for it

Someone has been sending sextortion scam e-mails with a new twist – one aimed at making it more likely you’ll be duped into paying a blackmail fee.

The e-mail claims to have compromising images of the recipient and goes on to demand payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and it's been used for years. What makes this scam different is that it has added something extra: it contains a real password used by the victim.

The e-mail reads:

The power of a password
Many people, even those who feel as though they could have been seen in a compromising position, would normally be too jaded to fall for a sextortion scam with no evidence. Including a real password makes it seem more convincing, though, which might be enough to fool some people.

Several people mailed me copies that they had received of this mail, and in all cases the passwords were old. How did they get the passwords?

There are a couple of likely ways:
  • There are nefarious online lookup services that will fetch this data from breach dumps for you.
  • Alternatively, the scammer has access to a list of compromised passwords from one of the many data breaches that have occurred within the last decade.

Websites must not store passwords in plain text but, sadly, some still do and ten years ago it was common.

Even when sites store your passwords securely, crooks who have a list of password hashes can run what’s known as a dictionary attack against the stolen list, trying millions of the most likely passwords for each user in the hope of getting a match.
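To make the difference concrete, here is an added example (not from the original post) contrasting the unsalted fast hash that was common a decade ago with a salted, deliberately slow scrypt hash, using a constructed five-word dictionary and a constructed user table. Against the weak table, hashing the dictionary once is enough to identify every user who picked a common password, which is exactly the audit a site should run on itself (and force resets) before a crook does; against the salted table, identical passwords no longer share a hash and each guess costs a full slow computation per user.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "millions of the most likely passwords" a crook tries.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]

# Weak scheme, as was common a decade ago: one unsalted, fast hash per password.
def store_unsalted_sha1(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

# Hardened scheme: random per-user salt plus a memory-hard, slow KDF (scrypt).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def store_scrypt(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()

def verify_scrypt(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def audit_unsalted_table(table: dict) -> dict:
    """Return {user: common_password} for every user whose unsalted hash is in the dictionary.
    The dictionary is hashed ONCE and reused for all users, which is why a leaked
    unsalted table falls so quickly and why a site should run this audit on itself."""
    lookup = {store_unsalted_sha1(p): p for p in COMMON_PASSWORDS}
    return {user: lookup[h] for user, h in table.items() if h in lookup}

def audit_scrypt_table(table: dict) -> dict:
    """Same audit against the salted table: every (user, guess) pair costs a fresh scrypt run."""
    return {user: p for user, s in table.items() for p in COMMON_PASSWORDS if verify_scrypt(p, s)}

# Constructed user table (no real accounts): two users chose the same weak password.
WEAK_TABLE = {
    "alice": store_unsalted_sha1("password"),
    "bob": store_unsalted_sha1("password"),
    "carol": store_unsalted_sha1("correct horse battery staple"),
}
STRONG_TABLE = {user: store_scrypt(p) for user, p in
                [("alice", "password"), ("bob", "password"), ("carol", "correct horse battery staple")]}

if __name__ == "__main__":
    print("identical weak hashes:", WEAK_TABLE["alice"] == WEAK_TABLE["bob"])      # True
    print("identical salted hashes:", STRONG_TABLE["alice"] == STRONG_TABLE["bob"])  # False
    print("users to reset:", audit_unsalted_table(WEAK_TABLE))
```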

If you’ve changed your password before the crooks get round to cracking it, then you win – the old, stolen password can’t log in any more – but if you didn’t know (or weren’t told) there was a breach, the crooks might still get lucky.

Even if the crooks can’t log in with your password by the time they crack it, they still know what it used to be, which is why you should never use the same, or even similar, passwords on different sites.

As this scam shows, even an old and retired password has scare tactic value to the crooks – the fact that they know what one of your passwords used to be is unsettling, to say the least.

People are being taken in by this scam. Be vigilant.
