
Beware of Phishing Based on Fear of Secret Porn Behavior and Real Password Compromise

See previous security tips and previous phishing posts.

Check if you have an account that has been compromised in a data breach at https://haveibeenpwned.com.
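An added example (not from the original post) of checking a password against the same kind of breach corpus that leaked the author's old password, without ever sending the password itself. It uses the real Have I Been Pwned "Pwned Passwords" range endpoint (https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the SHA-1 hash), so only that prefix leaves your machine and the full-hash comparison happens locally. The `SAMPLE_RANGES` response and the counts in it are constructed for offline demonstration; the live lookup function is included but not called.

```python
"""Breached-password check via the Have I Been Pwned range (k-anonymity) API.

Only the first five hex characters of SHA-1(password) are sent to the server;
the server returns every hash suffix sharing that prefix, and the lookup of
the full hash happens locally. Added example, not from the original post.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# 5BAA6). Real responses have hundreds of lines; the counts here are made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E6B4CC7FB3C5E4F6E0B1E5D9A5F2C3B4A1:2",
    ]),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split uppercase hex SHA-1(password) into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.

    Returns the breach count, or 0 when the suffix is absent or the line is
    malformed.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            try:
                return int(count)
            except ValueError:
                return 0  # malformed line; treat as not found
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix leaves the machine. Needs network."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, ranges=None) -> int:
    """How many times the password appears in the corpus (0 = not found).

    `ranges` is a dict {prefix: response_body} for offline use; when None,
    the live API is queried for the prefix.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    body = fetch_range(prefix) if ranges is None else ranges.get(prefix, "")
    return count_in_range(suffix, body)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, SAMPLE_RANGES)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

A password that comes back with a non-zero count is already in the hands of the people sending these emails and belongs nowhere, even as the "old" half of a variant.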

I’ve been getting variants of this email for months, as has my wife.

First, the claim that the attacker “sent you an email from your account” proves nothing. It may look that way in the From field, but email was designed in an age of naiveté and the From header is trivially forged. Don’t fall for that claim.
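An added example (not from the original post) of what to look at instead of the From line. The From header is text the sender types; what the receiving mail server actually verified is recorded in the Authentication-Results header it adds (SPF, DKIM, DMARC), and the envelope sender in Return-Path usually gives the real sending domain away. Both messages below are constructed, with made-up domains and a made-up message id.

```python
"""Checking whether a "sent from your own account" mail really came from your
domain. Added example, not from the original post; both messages are
constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed extortion mail: From is forged to the victim's own address, but
# the receiving MX recorded SPF fail, no DKIM and a DMARC fail.
SPOOFED_MAIL = """\
Return-Path: <bounce@attacker-example.net>
Received: from mail.attacker-example.net (mail.attacker-example.net [198.51.100.7])
    by mx.example.com with ESMTP id 4Qv7Kx1Zz for <lloyd@example.com>
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=attacker-example.net;
    dkim=none;
    dmarc=fail header.from=example.com
From: lloyd@example.com
To: lloyd@example.com
Subject: Your account was hacked

I sent you this email from your own account, so as you can see I have full access.
"""

# Constructed legitimate mail from the same domain, authenticated end to end.
LEGIT_MAIL = """\
Return-Path: <lloyd@example.com>
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com;
    dmarc=pass header.from=example.com
From: lloyd@example.com
To: lloyd@example.com
Subject: Note to self

Remember to rotate the router password.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_sender(raw: str) -> dict:
    """Return the authentication facts and a spoofed / not-spoofed verdict."""
    msg = email.message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    envelope_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])

    # Fold every Authentication-Results header into one line; the parser keeps
    # the folded continuation lines, so collapse the whitespace first.
    results = " ".join(msg.get_all("Authentication-Results", []))
    results = re.sub(r"\s+", " ", results)

    def result_of(method: str) -> str:
        m = re.search(r"\b%s=(\w+)" % method, results)
        return m.group(1).lower() if m else "absent"

    spf, dkim, dmarc = result_of("spf"), result_of("dkim"), result_of("dmarc")
    spoofed = (
        dmarc == "fail"                              # domain owner's policy says reject
        or (spf != "pass" and dkim != "pass")        # nothing vouches for the sender
        or envelope_domain != from_domain            # bounce address from elsewhere
    )
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "spf": spf,
        "dkim": dkim,
        "dmarc": dmarc,
        "spoofed": spoofed,
    }


if __name__ == "__main__":
    for label, raw in (("extortion", SPOOFED_MAIL), ("legit", LEGIT_MAIL)):
        print(label, assess_sender(raw))
```

In a real mailbox, use "view source" or "show original" to see these headers; only the Authentication-Results line added by your own provider's server is trustworthy, since an attacker can insert a fake one further down.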

The initial email was specific, including a real, legitimate password* that I used 8 or 9 years ago. Seeing a real password raised a real fear in the instant I saw it: the fear of an actual compromise of my computer. But since I use a unique password for every web site, I was not concerned, just annoyed (you do use unique passwords for EVERY different web site, right?).

Over the ensuing two months, I have received perhaps 30 variants of this email. This latest one lacks the specifics of the original.

* How was that password obtained? By a compromise of a major internet service provider whose incompetence in storing cleartext passwords merits the corporate death penalty along with prison time for the executives.

The hacker was even smart enough to custom-tailor the phishing email with the brand of my router (Cisco). Very scary for the non-expert—how many people have paid up out of fear?

Since it was an old, unused password having nothing to do with my email, since I do not visit porn sites (a very good way to acquire malware), and because I also tape over the security-hazard camera on my Macs, it was clear that the email was extortion with no possibility of harm to me. Still, the specificity was chilling: it was a valid password I had once used at a certain photography site (FredMiranda.com, shame on them for not alerting me).

The phishing email is a curious mix of helpful suggestions (“change your password”) with amusement (“big delight”), and threats (sending screen shots and videos to everyone) and rationalization for low-life scum behavior (“we all have to make a living”).

The hacker expects you NOT to notice the missing details and to pay up out of fear. If the compromise were real: (1) which OS? (2) why not place a new file on the computer to prove the compromise, or just encrypt everything (ransomware)? (3) which porn site(s) exactly? (4) why no “sampler” screen shots? It’s all bogus. There is zero evidence of any actual compromise.

Don’t fall for it. And since a compromise could happen one day, always backup in triplicate. Not one, not two, at least three (3) backups.


Phishing email exploiting a compromised password (a legitimate one)

Best practices follow

This is not an exhaustive list.

  • NEVER use the same password for more than one web site or anything else. Nor similar variants: MyDogEatsCats and MyDogEatsCats2 are (excuse me for being blunt) idiotic choices, because one leak hands over both. NEVER. It’s just too huge a liability. [Aside: thank you Apple for making it a hassle to enter strong passwords on iOS].
  • A password of “me1234” or whatever might be easy to enter and is a strong temptation on an iPhone, but it sucks. Don’t do it. Use a mix of letters, numbers and punctuation at least 12 characters long and/or use a password manager so you don’t even have to know what the password is (have it generate 30 or 40 character random passwords for most things).
  • Don’t visit porn sites. Besides the obvious, they are magnets for malware.
  • Do not download “free” copies of commercial software. You’re a thief if you do, and you’re likely to get well-deserved malware with it.
  • Backup in triplicate (at least) and keep at least two of these backups offline, not connected to the computer.
  • Don’t run Windoze unless it’s the latest and battened-down with anti-virus.
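An added example (not from the original post) of the first two practices above in code: generating long random passwords the way a password manager does, and rejecting a "new" password that is merely a variant of an old one (MyDogEatsCats2, MyD0gEatsCats!). The leetspeak substitution table and the six-letter overlap threshold are my own choices, not something the post specifies.

```python
"""Strong password generation and variant detection. Added example, not from
the original post; the leet map and overlap threshold are assumptions.
"""
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def generate_password(length: int = 32) -> str:
    """CSPRNG-backed password containing at least one char of every class."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    chars = [secrets.choice(cls) for cls in CLASSES]       # guarantee each class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                  # hide the class order
    return "".join(chars)


def has_all_classes(pw: str) -> bool:
    return all(any(ch in cls for ch in pw) for cls in CLASSES)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length.

    This is the generator's entropy, not an estimate for a human-chosen one.
    """
    return length * math.log2(alphabet_size)


# Common letter substitutions, undone before comparing (assumed table).
_LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def _core(pw: str) -> str:
    """Lower-case, undo leetspeak, keep letters only."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(_LEET))


def is_variant(old: str, new: str, min_overlap: int = 6) -> bool:
    """True when one password's letter core is contained in the other's,
    i.e. the new password is the old one with a suffix, a year, punctuation
    or leetspeak bolted on. Short cores are ignored to avoid false positives."""
    a, b = _core(old), _core(new)
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= min_overlap and shorter in longer


if __name__ == "__main__":
    pw = generate_password(32)
    print(pw, f"({entropy_bits(32):.0f} bits)")
    for old, new in (("MyDogEatsCats", "MyDogEatsCats2"),
                     ("MyDogEatsCats", "myd0geatscats!2019"),
                     ("MyDogEatsCats", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: variant={is_variant(old, new)}")
```

Note the generator never touches `random`; `secrets` draws from the OS CSPRNG, which is the property a password manager gives you and a memorable phrase typed on a phone does not.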


Copyright © 2019 diglloyd Inc, all rights reserved.