Over the last few months, we've seen a number of reports from individuals who received a scam message in which the sender states they have intercepted the client's username and password. These messages go on to state that the sender has been watching the client's screen activity via webcam while the client was unaware, even going so far as to say they have compromising information or video footage.
After telling the client this, the attacker threatens to send the footage to the client's contacts, colleagues, or social media channels. Demanding payment in Bitcoin, the malicious hackers are essentially blackmailing their victims to keep their confidential information private.
Where Have These Attacks Come From?
In many cases where hackers have claimed to have a victim's password, this has turned out to be true. To an extent...
In the last few years alone, many large websites and companies have suffered enormous hacks which have released confidential details on many of their users. LinkedIn, Yahoo, and Myspace all suffered massive and devastating hacks. Some users of these services are still feeling the consequences today.
The details leaked from these sites, and others facing the same issues, are sold online for years after the initial breach. Hackers buy username and password combinations in the hopes of reusing them to access services, steal money, or better yet, blackmail their owners.
How to Respond
If you have been contacted by one of these hackers, it is a scary reality that they may have access to your credentials for one or more online services. As concerning as that sounds, however, you can take heart that the attacker most likely does not have access to your web camera and is simply bluffing about having compromising footage.
How can you be sure? Your web camera resides locally on your computer and cannot be controlled by someone who is not locally logged onto your computer unless they've installed a special piece of software that allows them to operate the camera. Having an email or banking credential does not allow them to do that.
That said, these types of emails are sometimes extremely scary-looking. In some cases where the scammer does have a password of yours obtained from a breach, they will place it in the email as a sort of digital "proof of life". If you receive one of these emails and it lists a password that you recognize, you should immediately change the password on any accounts that use it. Security on additional services you use should be updated too.
Self Defense On the Web
When using online services, a unique password for every site is your number one defense. A good password manager makes this practical and straightforward too.
Using a different password for each site you use means that hackers can only gain access to one site at a time. A hack in one place should never compromise your other accounts by revealing the single password you use everywhere.
Often, people think that maintaining many passwords is hard work or even impossible to do. While it can be a bit of a juggling act, there are services that can make this much easier. Password managers are a great first step, as they allow you to remember only a single password while maintaining complex passwords that are different for every site.
Another good thing to enable for online accounts that support it is 2-factor authentication (2FA). 2FA utilizes an email address or even your phone to send a special code whenever you log in. This helps ensure that you are the only person logging into the account. If you receive a 2FA code while you're out to lunch, it likely means someone is trying to access your account and has your password. Fortunately, they will be unable to access it because they do not have the code that was sent to you, and you will know to change the password for that account ASAP.
Do you think you might have been hacked already? Want to prevent it from happening? Give us a call and we can help you update your security.