Blackmail Scam Targeting Australians

There is a new blackmail scam campaign currently in progress targeting Australians. This campaign has been very effective because it presents the recipient with a personal detail, normally an old password, in either the subject line or the body of the email. This appears to give the email and its claim some credibility.

The email (there are several variants) generally claims that your PC and/or network has been hacked using the password they quote and, of course, that you should send them some bitcoin or they will expose your naughty web history, company secrets etc. They usually also give a vague but technically detailed explanation of how the hack was executed; for example, they infected your router through a well-known vulnerability, intercepted logon details, and were then able to access all your systems and install monitoring software. This appears to lend more credibility because it describes a method attackers genuinely use to gain access to networks.

But how did they get my password, you might ask. What they are actually doing is using publicly available email addresses and passwords obtained from data breaches over the years, for example Facebook, Adobe, Sony or Instagram. In the past 10 years there have been some very serious data breaches exposing the email addresses, usernames and passwords of millions of users. Typically, to prove a point, once the hackers have done the hack they dump all the information on the web for anyone to see and use. The scammers are exploiting the fact that most people don't change their passwords as often as they should, so by presenting you with a password from a few years ago there is a good chance you will recognize it, or perhaps even still use it, lending their email even more credibility.

This email scam is an important lesson in password security. Unfortunately, too many people still use the same password for everything, from their corporate domain and email logon and their banking logon to their social media, and even worse have used that same password for years. This means that if any one of these services has a data breach, someone has access to most of your life, which is obviously not a good idea.

So how do you protect yourself? Firstly, there is a website called "Have I Been Pwned" (for those not up to date with internet lingo, pwned means to be defeated or owned, often in a humiliating fashion): https://haveibeenpwned.com/. Simply enter your email address and it will tell you if your information has been exposed in a publicly dumped breach. This site does not list your passwords; it just tells you which breaches contain your data. It was scary to see how many in our own office had their usernames and passwords exposed by various breaches.
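As an added illustration (not part of the original article), the same site also runs a Pwned Passwords lookup that lets you check whether a password appears in a known breach dump without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine, the service returns every hash suffix it knows with that prefix, and the match is made locally. The script below was written for this page to show that k-anonymity check; the API URL and the `SUFFIX:COUNT` response format are as documented by Have I Been Pwned, but the response body embedded here for offline use is constructed, so the count it yields for "password" is a made-up number rather than the real one.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Only a 5-character SHA-1 prefix is sent; the full password and full hash
never leave this machine.  The network call is injectable so the matching
logic can be exercised offline against a constructed sample response.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

# Documented Pwned Passwords range endpoint (assumed reachable when online).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# CONSTRUCTED sample response for prefix 5BAA6, in the API's "SUFFIX:COUNT"
# format.  The first suffix is the real remainder of SHA-1("password"); the
# count beside it and the other two entries are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
0B7E1B9BCA0A4B1E3E1F0C7C9D2A3B4C5D6:0
"""


def sha1_hex_upper(password: str) -> str:
    """Return the upper-case hex SHA-1 digest the API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is matched locally."""
    return full_hash[:5], full_hash[5:]


def count_in_range_response(suffix: str, response_body: str) -> int:
    """Find our suffix in a 'SUFFIX:COUNT' list; 0 means not seen in a breach.

    Padding entries with a count of 0 (which the API can include) naturally
    fall out as 'not breached'.
    """
    wanted = suffix.upper()
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == wanted:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: send only the 5-char prefix and return the response body."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "password-range-check-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password has appeared in breach dumps (0 = none).

    `fetch` defaults to the live API; pass a stub to run offline.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return count_in_range_response(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "a-long-unique-passphrase-nobody-reused-9274"):
        seen = check_password(candidate, fetch=offline)
        verdict = f"seen {seen} times in breaches" if seen else "not found"
        print(f"{candidate!r}: {verdict}")
```

Run with no arguments to see the offline demonstration; call `check_password("...")` without the `fetch` argument to query the live service. Because the lookup is keyed on a hash prefix shared by hundreds of other passwords, the service learns nothing about which one you checked.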

The next thing to do is to implement that new personal password policy you have been putting off since you created your first password. At the very least you should keep your work, banking and social media passwords different from each other. Using the same password for everything is just asking to have all your bank accounts emptied and the money sent off as untraceable bitcoin. To help you keep track of your passwords, use a password manager; that way you only have to remember one strong password (to open the manager) and it will remember the rest for you. There are hundreds of password managers on the market, some free, most with a small fee, so do some research into one that suits your needs. A popular choice around our office is LastPass (https://www.lastpass.com); it's free to test and is only $24 a year. For $48 you can even get a family edition that allows up to 6 users, so Mum, Dad and the kids can all use it. It has some really useful features like auto-entering your username and password into popular sites (Facebook, Instagram etc), and you can install it on all your devices, from your phone to your home PC.

And lastly, regularly change your passwords. Often companies, even ones as large as Adobe and Facebook, are completely unaware that they have been hacked until the data is dumped on the internet for all to see and use. Sometimes 6 to 12 months can go by between the actual breach and the public dump. In between, hackers will be selling your details all over the dark web. Regularly changing your passwords and, ultimately, having a unique password for each site is the best protection you can get.