As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, e-discovery, and cybersecurity service provider.
The Vestige team that you know and trust will continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow us to serve you and your clients even better.

I Have Your Password, Pay Me Now

Articles

I Have Your Password, Pay Me Now

Author photo
Senior Director, Digital Forensic & E-Discovery
BS, EnCE, DFCP

A recent phishing scam is all the rage on the Internet.  People are getting emails from someone claiming to be a hacker but here is the key, the email includes their password which the hacker of course now has.  The hacker claims that they installed specialized software on pornographic websites and that is how they got your password.  They ask you for money, payable via Bitcoin.  The hacker also states that if you ignore their request that the hacker will expose your activity on these pornographic sites. Continue reading our password protection tips below to learn how to avoid email phishing scams.

What to do?

First, you can panic a bit, but not too much.  The email is a hoax but what isn’t a hoax is that the hacker has your email address and a password.  Maybe not the password for your email, but it is a password you have used before.  You need to change that password anywhere it is used or risk the hacker gaining access to an account of yours.

Second, they didn’t get this information from your visit to a pornographic website.  Instead the hackers probably harvested this information from one of the various data breaches which resulted in the exposure of email addresses and password.  Target, Yahoo?

Third, if upon opening the email you are prompted to show any pictures which were automatically downloaded, DON’T DO IT.  If the hacker’s campaign is sophisticated, it is the rendering of that picture which will signal to the hacker that you opened the email which will just be an invitation to follow-up harassing emails.

PASSWORD PROTECTION TIPS TO HELP YOU MITIGATE THESE SITUATIONS:

  1. Do not use the same password for more than one site. That way if one password is compromised, all other accounts should be fine, except in the situation of a compromised email account.  Which brings me to tip #2…
  1. Whatever email address you are using for communication on important accounts (such as banking) should be guarded with your life. Why?  If a hacker truly gains control of your email, they can very easily access the “Forgot your Password?” features for other accounts and then use your compromised email account to gain access to all the others.
  1. Use long passwords. Think of a phrase, saying, jingle, whatever and use the first letters of each word.  Mix in a number or two, add something like #,$ or !.  Can’t remember all these passwords?  Use a password manager and store them in there.  The inconvenience of needing your password manager is well worth the utter disaster of having your checking account drained or having to deal with a stolen identity.
  1. For the best way to secure your accounts, use Two Factor Authentication (2FA). That process usually involves getting a text to your phone after entering in a password.  This process provides two forms of protections.  First, it will prevent a hacker with a compromised password from gaining access to your account.  Second, if you get a text out of the blue with a PIN, you now know someone has attempted to compromise that account.

Now that you’ve read our password protection tips to avoid phishing scams, we hope you’ll take the steps to start making these changes today!

by Greg Kelley, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations
For more information CONTACT US.