The following information is a consumer-focused alert. That said, we understand that employees use employer-issued machines and networks to access personal information and websites, so we felt this alert would be useful for raising awareness. Please share it with your team members as you see fit.
A new type of Phishing message has been circulating that uses your own passwords to create the appearance that the attacker knows who you are and has valuable information about you.
The message usually begins with a statement like "I know your password is _________." The most recent variation of this appears as a claim that you have been observed visiting an illicit web site, and that the sender has video proof. The message will then proceed with the ultimatum - in order to stop this evidence from being sent to people who you know, you must pay a specified amount in Bitcoin to a specified address.
In each of the cases reported so far, the password quoted in the extortion message was in fact a legitimate password, with the caveat that it was 10 years old or older. In no instance was a currently used password reported.
What has really happened is that the Phishing attacker is using data obtained from an online database that was hacked more than a decade ago. Such databases are usually published with information "for sale" to other would-be hackers.
Nevertheless, the presence of a password that the recipient knows he or she has used is sufficient to create a panic factor for many people. It is this "panic factor" that the attacker is counting on - "If they know this about me, they may also know who my friends are, and they may know other passwords that I use."
If you have recently received a message like this, or if you receive one in the near future, the important thing to remember is "Don't panic - don't fall for it." Take another look at the password in the message. If it is an old one that you have not used in a while, the attacker probably does not have current information about you.
However, as this type of Phishing becomes more refined, it is likely that attackers will learn how to obtain and use more current information, such as online databases that have recently been compromised.
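As an added illustration, not part of the original alert, the following Python heuristic flags messages that follow the pattern described above: a claim to know the recipient's password, a webcam or video threat, a threat to contact friends, and a Bitcoin demand with an address and a deadline. The sample messages and the Bitcoin address are constructed for the demo, and the indicator weights and threshold are assumptions that a mail team would tune to its own traffic.

```python
import re
from typing import Optional

# Indicator patterns for the "I know your password" extortion phish.
# Each entry: (label, compiled regex, assumed weight).
INDICATORS = [
    ("password_claim", re.compile(r"\b(i know|we know)\b.{0,40}\bpassword\b", re.I), 3),
    ("video_threat", re.compile(r"\b(video|webcam|camera|recording)\b", re.I), 1),
    ("contacts_threat", re.compile(r"\b(contacts|friends|family|colleagues)\b", re.I), 1),
    ("bitcoin_demand", re.compile(r"\b(bitcoin|btc)\b", re.I), 2),
    # Legacy Base58 (1.../3...) and bech32 (bc1...) address shapes; case-sensitive on purpose.
    ("btc_address", re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b"), 3),
    ("deadline", re.compile(r"\b\d+\s*(hours|hrs|days)\b", re.I), 1),
]

THRESHOLD = 6  # assumed cut-off; tune against real mail flow


def score_message(body: str) -> dict:
    """Return the matched indicator labels, a total score and a verdict for one message body."""
    matched = [label for label, rx, _ in INDICATORS if rx.search(body)]
    score = sum(w for label, _, w in INDICATORS if label in matched)
    return {"matched": matched, "score": score, "suspicious": score >= THRESHOLD}


def quoted_password(body: str) -> Optional[str]:
    """Extract the password the sender claims to know, so it can be checked against retired credentials."""
    m = re.search(r"know\b.{0,40}?\bpassword\s+(?:is|was)\s*[:\"']?\s*(\S+)", body, re.I)
    return m.group(1).strip("\"'.,") if m else None


# Constructed sample messages (not real mail); the address below is a made-up string of valid shape.
EXTORTION = (
    "I know your password is hunter2.\n"
    "I have video of you visiting an adult site, recorded through your webcam.\n"
    "Send 900 USD in bitcoin to 1FakeBtcAddrForDemoPurposes1234567 within 48 hours\n"
    "or the video goes to all your contacts."
)
BENIGN = "Your password was changed on 3 May. If you did not do this, contact the help desk."

if __name__ == "__main__":
    for name, body in (("extortion", EXTORTION), ("benign", BENIGN)):
        print(name, score_message(body), quoted_password(body))
```

A message that trips the threshold is a candidate for quarantine or a user-facing banner; the extracted password is useful only for confirming, against a retired-credential list, that the claim is based on an old breach.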
The FBI has published the following suggestions to help keep you from becoming a victim:
- Never send compromising pictures of yourself to anyone under any circumstances. It does not matter who they are. The issue is not your trust in another person - the issue lies in how that information might eventually be obtained by someone else.
- Never open attachments or links from people you don’t know, and pay attention to message content, attachments and links coming from people you do know. If something seems unnatural or out of the ordinary, it probably is.
- Turn off your web camera when it is not in use. It is also a good idea to cover it, since it can be turned on by another application.
- If you believe you’re a victim, contact your local FBI office (or toll-free at 1-800-CALL-FBI).