Check if you have an account that has been compromised in a data breach at https://haveibeenpwned.com.
I’ve been getting variants of this email for months, as has my wife.
First, email can be spoofed: the claim “sent you an email from your account” looks that way, but email was designed in an age of naiveté and is easily spoofed. Don’t fall for that claim.
The initial email was specific including a real, legitimate password* that I used 8 or 9 years ago. That the password was real raised a real fear in the instant I saw it—the fear of a real compromise to my computer. But since I use unique passwords for every web site, I was not concerned, just annoyed (you do use unique passwords for EVERY different web site, right?).
Over the ensuing two months, I have received perhaps 30 variants of this email. This latest one lacks the specifics of the original.
* How was that password obtained? By a compromise of a major internet service provider whose incompetence in storing cleartext passwords merits the corporate death penalty along with prison time for the executives.
The hacker was even smart enough to custom-tailor the phishing email with the brand of my router (Cisco). Very scary for the non-expert—how many people have paid up out of fear?
Since it was an old/unused password having nothing to do with my email and since I do not visit porn sites (a very good way to acquire malware) and because I also tape over the security-hazard camera on my Macs, it was clear that the email was extortion with no possibility of harm to me. Still, the specificity was chilling—it was a valid password I had once used at a certain photography site (FredMiranda.com, shame on them for not alerting me).
The phishing email is a curious mix of helpful suggestions (“change your password”) with amusement (“big delight”), and threats (sending screen shots and videos to everyone) and rationalization for low-life scum behavior (“we all have to make a living”).
The hacker expects you to NOT notice missing details and pay up out of fear. If the compromise were real: (1) which OS?, (2) why not place a new file on the computer, proving its compromise or just encrypt everything (ransomware), (3) which porn site(s) exactly?, (4) no “sampler” screen shots. It’s all bogus—there is zero evidence of any actual compromise.
Don’t fall for it. And since a compromise could happen one day, always backup in triplicate. Not one, not two, at least three (3) backups.
Best practices follow.
This is not an exhaustive list.
- NEVER use the same password for more than one web site or anything. Nor similar variants, e.g. MyDogEatsCats and MyDogEatsCats2 are (excuse me for being blunt) idiotic choices. NEVER. It’s just too huge a liability. [Aside: thank you Apple for making it a hassle to enter strong passwords on iOS].
- A password of “me1234” or whatever might be easy to enter and is a strong temptation on an iPhone, but it sucks. Don’t do it. Use a mix of letters and numbers and punctuation at least 12 characters long and/or use a password manager so you don’t even have to know what the password is (have it generate 30 or 40 character random passwords for most things).
- Don’t visit porn sites. Besides the obvious, they are magnets for malware.
- Do not download “free” copies of commercial software. You’re a thief if you do, and you’re likely to get well-deserved malware with it.
- Backup in triplicate (at least) and keep at least two of these backups offline, not connected to the computer.
- Don’t run Windoze unless it’s the latest and battened-down with anti-virus.
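The haveibeenpwned.com check mentioned at the top, and the unique-password rule above, can be automated without ever sending a password off your machine. The snippet below is an added example (not code from the original post or from Have I Been Pwned): it implements the client side of the Pwned Passwords range lookup, where only the first five hex characters of the SHA-1 hash are sent and the match is done locally. The function names and the sample range response (including its breach count) are constructed for the demo; `fetch_range` is the only part that touches the network and the offline check does not call it.

```python
import hashlib
import urllib.request

# Pwned Passwords k-anonymity lookup (GET https://api.pwnedpasswords.com/range/<prefix>):
# the client sends only the first 5 hex chars of SHA-1(password); the server answers
# with every known 35-char suffix for that prefix plus a breach count; the client
# matches the rest of its own hash locally, so the password never leaves the machine.
PREFIX_LEN = 5

# Constructed sample response for prefix "5BAA6" (the prefix of SHA-1("password")).
# The suffixes and counts here are made up for the demo, not real API output.
SAMPLE_RANGE_BODY = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2F0E3B1C9D8A7B6C5D4E3F2A1B0C9D8E7F6:12
"""

def sha1_split(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def match_suffix(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the
    breach count for our suffix, or 0 if it is not listed."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count.strip()) if count.strip().isdigit() else 0
    return 0

def fetch_range(prefix: str) -> str:
    """Fetch the range body for a 5-char prefix from the live API (network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def check_password_offline(password: str, range_body: str) -> int:
    """Match the password's hash suffix against an already-fetched range body."""
    _prefix, suffix = sha1_split(password)
    return match_suffix(range_body, suffix)

def check_password_online(password: str) -> int:
    """Full lookup: hash locally, send only the prefix, match locally."""
    prefix, suffix = sha1_split(password)
    return match_suffix(fetch_range(prefix), suffix)

if __name__ == "__main__":
    print("breach count for 'password':", check_password_offline("password", SAMPLE_RANGE_BODY))
```

A non-zero count means the password appears in breach corpora and should be considered burned, exactly like the old password the scammer quoted above.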