
Beware of Phishing Based on Fear of Secret Porn Behavior and Real Password Compromise

See previous security tips and previous phishing posts.

Check if you have an account that has been compromised in a data breach at https://haveibeenpwned.com.
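As an added example (not part of the original post), this is how a password can be checked against the same service's Pwned Passwords data without ever sending the password, or even its full hash, off your machine. The range endpoint URL is the real, documented haveibeenpwned.com k-anonymity API; the sample response text below is constructed for the offline parser demonstration and its count is made up.

```python
import hashlib
from typing import Tuple

# Real Pwned Passwords range endpoint: only the first 5 hex chars of the SHA-1 are sent.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like ("SUFFIX:COUNT" per line).
# The suffix on the second line belongs to the SHA-1 of "password"; the counts are invented.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2C5A6D3E3A1A4F3B20C3E4C7D9B1F0E2A5D:12
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that is
    transmitted and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response for our suffix; return its breach count, or 0 if absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-char prefix (network access required; not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_offline(password: str, response_text: str = SAMPLE_RANGE_RESPONSE) -> int:
    """Whole flow against a canned response: hash, split, match suffix."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, response_text)


if __name__ == "__main__":
    prefix, suffix = sha1_prefix_suffix("password")
    print("would query:", PWNED_RANGE_URL + prefix)
    print("seen in breaches (sample data):", breach_count_offline("password"))
```

Swap `SAMPLE_RANGE_RESPONSE` for `fetch_range(prefix)` to run it for real; the point of the design is that the service learns only a hash prefix shared by hundreds of passwords, so a compromised or logged query reveals nothing useful.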

I’ve been getting variants of this email for months, as has my wife.

First, email can be spoofed. The message claims “I sent you this email from your account” and the headers may well look that way, but email was designed in an age of naiveté and the From address is trivially forged. Don’t fall for that claim.
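To show what “easily spoofed” means in practice, here is an added example (not from the original post) that reads the headers a receiving mail server attaches. The raw message is constructed: the From line claims the recipient's own address, while the Return-Path and the server's Authentication-Results header tell a different story. All domains and addresses are made up.

```python
import email
from email.utils import parseaddr

# Constructed sample message, not a real one. The visible From: is the victim's own address,
# but the envelope sender is a third-party relay and SPF/DMARC failed for the claimed domain.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=victim.example
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10]) by mx.example.com
From: Lloyd <lloyd@victim.example>
To: lloyd@victim.example
Subject: Your account was hacked

I sent you this email from your own account, so you can see I have full access ...
"""


def sender_findings(raw: str) -> dict:
    """Compare the claimed From: domain with the envelope sender and with the
    authentication verdicts recorded by the receiving server."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    envelope_domain = return_path.rpartition("@")[2].lower()
    auth = (msg.get("Authentication-Results") or "").lower()

    findings = {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        # Envelope sender on a different domain than the displayed From: is the classic spoofing tell.
        "envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "dmarc_pass": "dmarc=pass" in auth,
    }
    # Nothing vouched for the From: domain, so the "from your own account" claim is unsupported.
    findings["header_from_is_unverified"] = not (findings["spf_pass"] or findings["dkim_pass"])
    return findings


if __name__ == "__main__":
    for key, value in sender_findings(SAMPLE_RAW).items():
        print(f"{key:26} {value}")
```

One caveat worth knowing: a sender can write its own fake Authentication-Results header, so only trust the one whose authserv-id (here `mx.example.com`) is your own provider's inbound server; good providers strip or rename incoming copies.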

The initial email was specific, including a real, legitimate password* that I used 8 or 9 years ago. That the password was real raised a real fear in the instant I saw it—the fear of a real compromise of my computer. But since I use unique passwords for every web site, I was not concerned, just annoyed (you do use unique passwords for EVERY different web site, right?).

Over the ensuing two months, I have received perhaps 30 variants of this email. This latest one lacks the specifics of the original.

* How was that password obtained? By a compromise of a major internet service provider whose incompetence in storing cleartext passwords merits the corporate death penalty along with prison time for the executives.

The hacker was even smart enough to custom-tailor the phishing email with the brand of my router (Cisco). Very scary for the non-expert—how many people have paid up out of fear?

Since it was an old/unused password having nothing to do with my email, and since I do not visit porn sites (a very good way to acquire malware), and because I also tape over the security-hazard camera on my Macs, it was clear that the email was extortion with no possibility of harm to me. Still, the specificity was chilling—it was a valid password I had once used at a certain photography site (FredMiranda.com; shame on them for not alerting me).

The phishing email is a curious mix of helpful suggestions (“change your password”) with amusement (“big delight”), and threats (sending screen shots and videos to everyone) and rationalization for low-life scum behavior (“we all have to make a living”).

The hacker expects you to NOT notice the missing details and pay up out of fear. If the compromise were real: (1) which OS?, (2) why not place a new file on the computer, proving its compromise, or just encrypt everything (ransomware)?, (3) which porn site(s) exactly?, (4) why no “sampler” screen shots? It’s all bogus—there is zero evidence of any actual compromise.

Don’t fall for it. And since a compromise could happen one day, always backup in triplicate. Not one, not two, at least three (3) backups.

Phishing email exploiting a compromised password (a legitimate one)

Best practices follow

This is not an exhaustive list.

  • NEVER use the same password for more than one web site or anything. Nor similar variants, e.g. MyDogEatsCats and MyDogEatsCats2 are (excuse me for being blunt) idiotic choices. NEVER. It’s just too huge a liability. [Aside: thank you Apple for making it a hassle to enter strong passwords on iOS].
  • A password of “me1234” or whatever might be easy to enter and is a strong temptation on an iPhone, but it sucks. Don’t do it. Use a mix of letters and numbers and punctuation at least 12 characters long and/or use a password manager so you don’t even have to know what the password is (have it generate 30 or 40 character random passwords for most things).
  • Don’t visit porn sites. Besides the obvious, they are magnets for malware.
  • Do not download “free” copies of commercial software. You’re a thief if you do, and you’re likely to get well-deserved malware with it.
  • Backup in triplicate (at least) and keep at least two of these backups offline, not connected to the computer.
  • Don’t run Windoze unless it’s the latest and battened-down with anti-virus.
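The first two items above, as a small added example (my code, not the post's): a generator that produces the kind of long random password a password manager would, a policy check that rejects “me1234”-style passwords, and a check that flags “variants” of an existing password such as MyDogEatsCats2. The stem rule (strip leading and trailing digits and punctuation, ignore case) is my own simple heuristic, not a standard.

```python
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def meets_policy(pw: str) -> bool:
    """At least 12 characters, with letters, digits and punctuation all present."""
    return (len(pw) >= 12
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = 32) -> str:
    """Random password from the OS CSPRNG via `secrets`, as a password manager does.
    Regenerates until every character class is present (a few tries at most)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


def _stem(pw: str) -> str:
    """What survives when someone 'varies' a password: drop leading/trailing
    digits and punctuation and lowercase the rest (heuristic, assumed here)."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw).lower()


def is_variant_of(candidate: str, existing: str) -> bool:
    """True when candidate is existing with digits/punctuation tacked on or removed,
    e.g. MyDogEatsCats2 or mydogeatscats! versus MyDogEatsCats."""
    a, b = _stem(candidate), _stem(existing)
    return bool(a) and a == b


if __name__ == "__main__":
    print("me1234 acceptable?", meets_policy("me1234"))
    print("MyDogEatsCats2 is a variant of MyDogEatsCats?",
          is_variant_of("MyDogEatsCats2", "MyDogEatsCats"))
    print("generated:", generate_password(40))
```

`secrets` is the right module here; `random` is seeded from a predictable state and is not meant for passwords.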
Copyright © 2008-2017 diglloyd Inc, all rights reserved.