I was Pwn3d!

I have a confession to make.

I was recently blackmailed by a “sextortion” email and it surprised me in many ways.

The email promised to share compromising videos, supposedly captured from the web-camera on my laptop, with family and friends unless I made an untraceable payment through Bitcoin. To add credibility to the threat, the email included a password that I previously used on a couple of web-sites.

Let me repeat that last bit for emphasis — the threatening email included one of my real passwords.

While I knew that the email was an empty threat, others apparently fell victim to the scam and coughed up Bitcoins. According to Forbes, over $250,000 has been paid to the perpetrators of this scam in the past couple of weeks. If I had to make an educated guess, it would seem that several people thought the threat was real, probably because it included a password they used, and they decided to pay up rather than risk embarrassment.

I share this story because the bad guys are becoming increasingly more sophisticated each and every day and they have one goal — to steal your money.

Everyone has likely encountered phishing scams, posing as legitimate university business that originate from compromised university accounts, but there are other attacks that are occurring against your online accounts too and you need to be aware of them.

In my case, my password that was in the blackmail was found in the “Anti Public Combo List,” a compilation of over 1 billion email addresses, usernames, and passwords from several unrelated data breaches. Those data breaches include break-ins at Adobe, Dropbox, LinkedIn, and Yahoo and the bad guys are continually trying to break into systems around the globe.

Now here’s the rub about my password being compromised. There is an attack that is increasing in popularity called Credential Stuffing.

Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

This is a serious threat for a number of reasons:

  1. It’s enormously effective due to password reuse problem — people using the same password on multiple sites are an easy target
  2. It’s hard for organizations to defend against because a successful “attack” is someone logging on with legitimate credentials
  3. It’s very easily automatable; you simply need software which will reproduce the logon process against a target website
  4. There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing

Essentially, once your username and password have been compromised from a data breach on one web-site, there is a chance that a bad guy will try to use those credentials to gain access to other web-sites.

So what can you do to protect yourself?

One of the best things you can do to protect yourself from credential stuffing is to use a unique password with high password strength on every web-site. Yes, it’s a pain to use a unique password everywhere and the temptation to re-use the password is high, but do not give in to that temptation — if that password is ever compromised, you will need to change that password everywhere you use it. If you have ever had a credit card that was hacked and had to change all of your automatic bill-payments, you have already experienced how time consuming that can be. Now think about the various web-sites you may use.

To help manage your unique passwords, use a tool such as 1Password, KeePass, or LastPass. Those tools store your passwords in a digital password vault, so you only need to remember the vault password to access them.

Another “best practice” is to enable Two-Factor Authentication on your important accounts. In basic terms, Two-Factor Authentication requires a person to have both your password and also physical possession of a unique device (token), usually your cell-phone, to login to a system. I have enabled Two-Factor Authentication for my online banking and UF accounts, which means that in addition to my password, someone will need to have my cell phone in their hands to login as me.

Finally, you may wish to see if you too have been “pwned,” that is, check to see if your account has been reported in a data breach. The “Have I been Pwned” web-site will allow you to see if your account was in a reported data breach. Checking is quick, simply go to https://haveibeenpwned.com/ and enter your email address. I must emphasize, even if the “Have I been Pwned” web-site says you are in the clear, it is possible one of your accounts was compromised in a data breach that has not yet been discovered or reported.

Additional Reading

“The only secure password is the one you can’t remember” – https://www.troyhunt.com/only-secure-password-is-one-you-cant/

“Anti Public Combo List with Billions of Accounts Leaked” – https://www.hackread.com/anti-public-combo-list-with-billions-of-accounts-leaked/

“Sextortion Scam Uses Recipient’s Hacked Passwords” – https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

“Lying Sextortion Scammers Score $250,000 After Sending Victims Their Own Hacked Passwords” – https://www.forbes.com/sites/thomasbrewster/2018/07/31/sextortion-scam-with-hacked-passwords-scores-250000-dollars-for-cybercriminals/

“What to Do if You Get the Latest Phishing Spam Demanding Bitcount – Electronic Frontier Foundation” – https://www.eff.org/deeplinks/2018/07/sextortion-scam-what-do-if-you-get-latest-phishing-spam-demanding-bitcoin

“xkcd: Password Strength” – https://xkcd.com/936/