It seems the cryptocurrency community is under threat of a new blackmail tactic, so take caution.
Cornell University computer science professor Emin Gün Sirer has shared an email that appears to leverage leaked passwords to swindle Bitcoin out of unsuspecting victims, demanding they pay a ransom.
After weaving an obviously fake, but plausible, scenario describing the Mr Robot-esque ability to record your screen and webcam output during some, uh, private meditation – the email threatens to send recordings of you getting down with ya big bad self to friends and family.
Here's a new form of cryptoblackmail. A friend received this out of the blue. Presumably, it's getting sent to everyone on the haveibeenpwnd list.
Be careful out there, never pay, never negotiate. pic.twitter.com/VFl5s1duCe
— Emin Gün Sirer (@el33th4xor) July 11, 2018
Apparently, the scheme doesn’t just play on the idea of everyone knowing you get off to pornography (shame!) – but more precisely – that sharing what you really look at when running incognito mode is enough to push you over the edge and cave to their demands.
So, taking all precautions: if you receive this email, it’s imperative that you simply ignore it and do not respond. Regardless of recognizing the password shown – it can’t be stressed enough that by simply receiving it, the the odds are that your credentials are already sitting somewhere in a dark web database are significantly increased.
Those affected should change all passwords to preferably ones quite complex.
It is not clear how many users have fallen for the scam so far, but we reviewed the Bitcoin address included in the blackmail email and it appears it has received over 2.8 BTC (approximately $17,000) in the last couple of days.
HaveIBeenPwned is great tool to determine if your account information has been compromised. Established in the wake of Adobe’s mishandling of data relating to 38 million of its users in 2013, it now lists almost 300 websites culpable to one or more data breaches.
Sirer has suggested the leaked passwords match HaveIBeenPwned’s database (and are being sent to some users on its list), but founder Troy Hunt has since clarified there are no signs to suggest this is the case.
Yeah, how is the conclusion being drawn that it’s related to @haveibeenpwned? I can’t see anything to indicate that.
— Troy Hunt (@troyhunt) July 11, 2018
Typically, passwords and other data are shared in pastes – online text editors like Pastebin. Hackers have favored services like these for almost a decade, mostly due to their simplicity and anonymous nature. They are often the first places stolen data is shared.
So if your email addresses are returned using this search – don’t panic. Yeah, your data has been leaked. It’s okay. Your account is really just joining the five billion other ones in being completely unsafe to use, so you’re definitely not alone.
For those still not feeling safe enough – we recently reported on some measures you can take to further protect your online privacy.
And, maybe, just to be thorough – throw some tape over your webcam next time you get some alone time. They’re totally bluffing about having those recordings, though (probably).
It’s worth pointing out that a similar tactic was recently employed in another string of attempted Bitcoin ransoms not so long ago.