Table of Contents
I chose to write this article hoping to help most users that are being targeted by yet another widespread e-mail fraud attempt. This time the technique used is particularly subtle: the alleged blackmailer, through a threatening e-mail, says that he have managed to hack your computer (and/or e-mail address); he also declares to have found compromising material, such as porn content and/or embarassing video acquired through the webcam, that could be released at any time unless the ransom payment is sent. As proof of the truthfulness of its claims, the alleged hacker includes your password in clear text... And that's where the issue actually lies: the password seems to be genuine, or close enough to be a serious cause of alarm: it can either be an old password that has been used until recently, or maybe still used on some website accounts, or even - the worst case scenario - your actual password.
Needless to say, the message ends with a payment request, strictly to be carried out via bitcoins: if you're not willing to pay, too bad - the "compromising" material recovered as a result of the violation will be distributed to your friends, relatives and who knows who else.
Such fraud attempt, compared to the many that we are used to and we have learned to recognize and ignore, is particularly effective: reading your actual password (or something really close to it), thus understanding that the blackmailer knows it as well, is nothing less than a cold shower for everyone. Even if the rest of the e-mail is the usual nonsense - especially if you don't have a webcam - the presence of that specific detail can be a real issue... and ut's an unequivocal sign that something didn't work as it should.
What's happened? How did they find that password?What could they actually steal? And above all, what can I do to secure my mail, my documents and / or my online identity?
I'll try to give an answer to these legitimate questions with this article. Luckily enough, there are good chances that the actual scenario might be less critical than what it seems, especially if the recipient of the e-mail in question is adopting and following a decent password management policy.
Let's start by explaining briefly what happened: how did the blackmailer get hold of our password? The first thing to clarify is that, luckily enough, the blackmailer hasn't violated our system.: the actual victim of the data breach was most likely a website or web service to which we registered - recently or even a long time ago - and with that same password which has been put on the blackmailing e-mail we just received. This basically means that:
- The hacker managed to break into (or obtain somehow) a compromised database containing a list of e-mail addresses and passwords;
- The hacker is (automatically) sending a "personalized" e-mail message to all of them, each one containing the "hacked" password, hoping that the recipient is still using it for everything else - thus scaring him in the worst possible way.
On closer inspection, we can clearly see how the alleged hacker has not only targeted us, but with a list of users (others) potentially very large. In all probability, the message we received was sent via an automated script to the entire database of users of the infringed site, which - I repeat - evidently contained both our e-mail and the access credentials we sent at the time of registration.
Such password is likely to be scary enough for us, because it's definitely one of the passwords we did actually use at least once, i.e. to register on one or more sites - including the hacked one: at worst, if we have been incautious to the point of using the same password for all sites and web services to which we we registered to, it might even be OUR CURRENT PASSWORD. This leads us to formulate our first statement, which is very important in terms of computer security: NEVER USE THE SAME PASSWORD ON MULTIPLE SITES OR SERVICES, to avoid being hit from this type of threats.
How they did that?
At this point, experienced users might ask another question: shouldn't these passwords be encrypted right before being stored in the databases of these websites? The answer is affirmative: almost all the websites created with modern CMS and/or site-building platforms (WordPress, Joomla, Drupal, etc.) foresees an encryption mechanism based upon a technique called hashing: this means that the password, before being stored, is transformed into a completely different text string by means of a standard (or proprietary) one-way algorithm, without any possibility of reversing the process: from that moment on, to verify that the password is correct, the site does nothing more than transform in the same way all the passwords typed by their users during the login phase and compare the hashes, without ever using (and/or storing) them in clear text.
If things are really like this, how could "our" hacker get a hold of our password? Answering this question is not always possible, since we do not know what the hacked site is and what kind of security countermeasures it was using. However, in most cases the explanation is one of the following:
- The website in question did store the passwords in clear text, without implementing any hashing or encrypting policy: this is a rather common scenario for "amateur" websites, such as manually developed blogs, without using WordPress and the likes - and their up-to-date security standards and best practices, specifically designed to protect their users data. This leads us to a second, important consideration, valid for users yet also for software developers: NEVER STORE THE PASSWORDS IN CLEAR TEXT.
- The website in question did not use a up-to-date hashing or encrypting system: a hashing algorithm is only safe if it uses a custom fingerprint or seed - that is, a unique block of text that is used from encryption algorithms as a "base" to carry out the encryption process. We can think of it as an "encryption password". Unfortunately, the hashing technique with a custom seed is relatively recent among most custom-made site-building platforms: most of the sites developed between the 1990s and 2000s use standard hashing algorithms, such as MD5 or SHA-1, without a seed: the transformations carried out by these functions, although safe and non-reversible, have the enormous problem of being completely identical among all the sites and/or services that implement them in that same way. This, over the years, has led to the creation of gigantic online databases (such as MD5online.com) that offer an automated reverse engineering service that will retrieve the clear-text password from a given hash. These services works in a very simple way: they have a huge database containing millions of possible "common" passwords (like, for example, the words of most written languages of the world, plus all the numeric combinations from 000000 to 999999, and so on) and their corresponding hashes: you input the hash, they answer with the corresponding password. That's about it. Now, what does all this have to do with our main topic? It 's pretty simple: whenever a hacker puts his hands to a user database containing a series of e-mail and md5-encrypted passwords, he just has to use one of these reverse engineering services to obtain a good amount of non-complex passwords used by those accounts. As we just said, this process only works if the password used is relatively common (a number, a single word etc.), which leads us to a third security consideration: NEVER USE WEAK PASSWORDS. To understand what a password is weak, I strongly recommend reading this enlightening Wikipedia article or, for those who do not want to immerse themselves in technicalities, taking a look to this hilarious (and no less illuminating) image taken from the popular XKCD webcomic:
- The website in question is (or was) using appropriate security measures, yet still suffered a major violation: although being a not-so-common scenario, it's not impossible: there have been numerous cases in recent history - Sony, Microsoft, Twitter, only for cite a few - of online giants that have been hacked or exploited, thus allowing their hackers to steal a large number of user accounts and data - including passwords. Although 9 times out of 10 these passwords have been hashed or encrypted properly, it's possible that the hackers were also able to get a hold of the encryption algorithm details and/or the related seed, fingerprint or key used to make the hashing or encryption process secure: if that's the case, they could eventually retrieve the clear-text passwords as well. These reversing processes are anything but easy and could take some time: weeks, months or even years, depending on the algorithm strength and the infrastructure available to the hackers; at the same time, considering the CPU performance progress over time, there's a high chance that any encrypted orhashed password could eventually be reversed into its clear-text equivalent. This leads us to a very important fourth security consideration: REMEMBER TO FREQUENTLY CHANGE YOUR PASSWORD.
What can I do?
Now that we have understood what happened and how it was possible, we need to determine what we can do to fix our issue for good and prevent potential data breaches on our side: what to do when receiving such type of e-mail messages, containing one of our passwords in clear text?
It goes without saying that paying the requested amount is out of the question. Such action would be completely irrelevant and won't change your situation in any way: the payment method required - bitcoin wallet - doesn't allow to track the sender or the recipient of the transaction: consequently, the blackmailer would have no way of understanding that you have paid, even if you did. Remember that you're dealing with mass-mailing people that sends tons of requests hoping that some scared user will fall into their fraudolent network. Moreover, if you think about it, there is nothing to pay: your password is already in their hands, as well as your personal data that you did put in the website who suffered the data-breach: conversely, what you need to do is stop them from using them to get other data from you and/or your relatives.
For this reason, the first thing to do is not to lose your temper. The second is to make a honest and humble analysis of your recent (and not-so-recent) online experience to understand if that exploited password is still valid, i.e. still used to connect to one or more websites or services. The answer to this self-analysis process will determine the countermeasures that you should take in order to protect your online security.
Password still in use? Defcon 2
If the password is still "active" - that is, in use with one or more services - it is imperative to change it as soon as possible , especially if you've been so naive to use it for important services such as: your e-mail account (especially where you received the offending e-mail!); online payment systems (eg PayPal); e-commerce sites (eBay, Amazon); the administrative accounts of your smartphone (Google, Apple); and so on. Be that as it may, regardless of how and how much you have used that password, your primary goal must be to make it useless. There's only one way to do that: modify it wherever you think you have used it with a new one secure and unique password for each site or service.
Regardless of the authentication system you might want to choose, remember to act immediately: you need to change these password ASAP. Not acting, or - even worse - pretending you didn't receive that e-mail message could be a big mistake. You must be humble enough to acknowledge the fact that, since you are one of those users that uses the same password for multiple websites, your concept of "cyber security" is still quite primitive. Let me be clear, nobody intends to blame you for this: the hackers have made the violation, not you. At the same time, it is important that you understand the importance of responding promptly to what they did: if that password is still used somewhere, you need to protect yourself and your family members, acquaintances and/or colleagues by modifying it immediately. Not doing so will most likely expose you to risks that, not being clearly computer experts, you are probably not even able to evaluate properly.
Password in use to access the targeted E-Mail account? Defcon 1!
In the unfortunate event that the password you received in clear-text is the same one you're currently using to access that mailbox / e-mail account... well, this is bad, because it most likely means that the hacker has been given the chance to login into it. As a matter of fact, you can only assume he didn't if you had previously enabled two-factor authentication with your e-mail provider (such as GMail, who does actually support it).
That being the case, it is extremely important to perform the following steps:
- Change the password immediately (you should have already done so - see previous paragraph), also enabling, if possible, 2-factor authentication.
- Take a look to all the e-mail messages that may still be present in the mailbox and immediately change any password contained therein, such as: confirmation messages (some sites have the bad habit of repeating your registration password in clear text); messages of colleagues or friends or relatives who wrote you some plain-text password; and so on. All of these eventualities lead us to make one last important consideration: NEVER SEND CLEAR-TEXT PASSWORDS THROUGH E-MAIL.
- In case of a Data-Breach, which could happen whenever your e-mail box contains personal data of friends, relatives and/or colleagues, consider the opportunity to warn them: although it might seem humiliating, these are people who trusted you: if you have been compromised, your duty right now is to protect them.
- If the "compromised" mailbox is related to a company or work email, or contains information about your company, it's very likely that the communication of the potential Data-Breach is a required action for you to take. If that's the case, you'll need to inform your IT manager (or equivalent officer) to decide what to do: again, acting promptly might be crucial to avoid much bigger problems in the immediate future. .. in addition to protecting you from possible disciplinary sanctions if the breach becomes of public domain.
Not sure if the password is still being used somewhere? Find it out (and act)
In many cases, unless you're using a keyring to store the passwords of all the sites and services you use and/or you have a different password for each site, you won't be able to be 100% sure that the leaked password is still being used somewhere or not.
This is a typical scenario for those who're using three or four passwords for everything, "alternating" them depending on some more or less structured criteria: the "personal stuff" password, the "work" password, the "banking" password, and so on. Such technique, despite giving the impression of being more sophisticated than the "one for all" method described above, is still a symptom - at least nowadays - of a substantially inadequate approach to computer security.
The advice here is to make a quick "assessment" of all the important websites and services (online banking, PayPal, Amazon, Google / Apple, etc.) and make sure that:
- The password is different and univocal
- The 2-factor authentication is enabled and/or enabling it when possible.
Password not used anymore? No need to worry (almost)
Let's now face the last possible scenario: the one where your password management policy is decent enough to make you think, without a reasonable doubt, that the leaked password is not being used anymore - at least not for any relevant website.
If that's the case, then you have nothing to fear and you can therefore sleep peacefully. However, just to be sure - and to take the chance to strengthen your policy even further - I would still suggest you to perform the following activities:
- Delete the fraudolent e-mail you received (it still contains a clear-text password!) or save it in a safe place, making sure that it does not contain viruses or potentially infected files: usually e-mails of this type do not contain suspicious attachments, but you never know...
- Enable 2-factor authentication on all the sites and services supporting that feature, especially "important" sites (e-payment, e-commerce, Google / Apple, etc.).
- Pay a visit to the HaveIBeenPwned.com website, which contains a database of all the emails that have been subject to noticeable data-breaches: you'll simply have to enter your e-mail address and read the results: the website will inform you whether it is appropriate to change the password or not.
Now that we have reached the end of this long article, we just need to summarize the main security considerations that emerged during our analysis:
- NEVER USE THE SAME PASSWORD ON MULTIPLE WEBSITES OR SERVICES.
- NEVER STORE THE PASSWORDS IN CLEAR TEXT.
- NEVER USE WEAK PASSWORDS.
- REMEMBER TO FREQUENTLY CHANGE YOUR PASSWORD.
- ALWAYS ACTIVATE A 2-FACTOR AUTHENTICATION SYSTEM WHEN AVAILABLE.
- NEVER SEND CLEAR-TEXT PASSWORDS THROUGH E-MAIL.
Truth to be told, these are mostly common-sense advices that you'll most likely have already heard before a number of times: from your tech-geek cousin, system administrator, IT technician or colleague of the IT department: at the same time, if you are reading this article, it's likely that you still need to hear them.