This morning, I received the following e-mail:
From: [My E-Mail Address]
Sent: Thursday, December 20, 2018 7:59 AM
To: [My Old E-Mail Account Password]
Subject: Security Alert. You account has been hacked. Password must be need changed.
As you may have noticed, I sent you an email from your account. This means that I have full access to your account: On moment of hack your account has password: [My Old E-Mail Account Password]
You say: this is the old password!
Or: I will change my password at any time!
Yes! You’re right! But the fact is that when you change the password, my trojan always saves a new one!
I’ve been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use. If you want to prevent this, transfer the amount of $736 to my bitcoin address (if you do not know how to do this, write to Google: [A Google Address]).
My bitcoin address (BTC Wallet) is: [Scammer’s Bitcoin Address]
After receiving the payment, I will delete the video and you will never hear me again. I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
What’s all this then? The bits in square brackets are my replacements for what was originally in the e-mail. The sender did know my e-mail address and an old password I used to access my e-mail account so, begorra tomorrow, it looks as if I’ve been caught out being a very naughty boy watching and reacting to a porn site. Hmm, could this be so? Let’s explore.
This is what’s known as a Malware Sextortion Scam and, apparently, some people do fall for it and pay money into the scammer’s Bitcoin account. There is no video even if you have visited a porn site, and the sender does not have access to your e-mail account and will not be sending the video to everyone in your Contact list. In fact, the sender is probably sitting in his, or her, sleazy den, reading comics, picking his, or her, nose, and ingesting illegal substances.
“But, how did the scammer know my e-mail address and password?” you ask. Easy. Because those details were in a database that was breached sometime in the past. Every day, we read of data breaches: eBay, Facebook, Apple, Tumblr, Uber, Google Plus, Snapchat, Gmail… The list is long. This article on Wikipedia lists 268 organisations that have been breached in the period 2004 – 2018, and there are some big names in the list including all those I mentioned above. So, it is highly likely that your e-mail data exists on one, or more, lists that are touted around to scammers full of nefarious intentions and bad breath.
You can find out if this is the case. Check to see if you’ve been pwned. No, this is not a spelling mistake. Pwned is an adjective coming from the world of online gaming and said to originate from the common mis-spelling of the word owned. The letters O and P are adjacent on the keyboard and owned often ends up as pwned. The mis-spelling has now passed into common usage and means dominated, defeated, taken over.
To find out if you have been pwned, go to the Have I Been Pwned? website, a safe site to visit, and enter your e-mail address.
If your e-mail details have been included in a data breach, you will be informed accordingly. In my case, I’ve been pwned four times…
… followed by a list of the four breaches that contained my details: Adobe (October 2013), Dropbox (mid-2012), LinkedIn (May 2016) and an Online Spambot (August 2017).
Should I worry about these breaches? Yes, and no. My current e-mail access password is not the one revealed by the scammer and I can do nothing about the data breaches other than change, yet again, the password. I may do this.
If you receive one of these sextortion e-mails, your best bet is to delete it and forget about it. The e-mail I received this morning is the third in as many weeks recently. I deleted the first two e-mails as they came in and nothing happened after 48 hours. The threat to share my incriminating video with everyone in my Contacts list is a hollow one.
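As an added illustration (not part of the original post), the tell-tale features of the e-mail quoted above can be checked mechanically. The sketch assumes the recipient's own address appears in both From and To and that the receiving mail server adds an Authentication-Results header; the sample message, the addresses and the wallet string are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed wallet placeholder: right shape for the regex, not a real address.
WALLET = "1" + "x" * 30

# Constructed sample modelled on the quoted e-mail; every value is a placeholder.
SAMPLE = """\
From: me@example.org
To: me@example.org
Subject: Security Alert. You account has been hacked.
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.example.net; dkim=none

On moment of hack your account has password: old-placeholder-password
Transfer the amount of $736 to my bitcoin address.
My bitcoin address (BTC Wallet) is: {wallet}
I give you 48 hours to pay.
""".format(wallet=WALLET)

# Legacy (1.../3...) and bech32 (bc1...) address shapes; no checksum validation.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

BODY_CHECKS = [
    ("password-quoted", re.compile(r"\bpassword\b", re.I)),
    ("bitcoin-address", BTC_RE),
    ("deadline", re.compile(r"\b\d{1,3}\s*hours?\b", re.I)),
]

def indicators(raw: str) -> list:
    """Return the names of the sextortion-scam indicators found in a raw message."""
    msg = message_from_string(raw)
    found = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        found.append("from-equals-to")
        # A message really sent from the account would normally pass SPF or DKIM;
        # a forged From line does not (a missing header counts as unverified).
        auth = msg.get("Authentication-Results", "").lower()
        if "spf=pass" not in auth and "dkim=pass" not in auth:
            found.append("sender-not-authenticated")
    body = msg.get_payload()
    if isinstance(body, str):  # single-part text message, as in the sample
        found += [name for name, rx in BODY_CHECKS if rx.search(body)]
    return found

def is_likely_sextortion(raw: str) -> bool:
    # Threshold of three is an arbitrary choice for this example.
    return len(indicators(raw)) >= 3

if __name__ == "__main__":
    print(indicators(SAMPLE))
```
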
There’s one other thing to ponder upon. The first thing I do when I buy a new laptop is to cover the webcam at the top of the screen with a piece of non-transparent paper. I did this four or five years ago on the day I bought my current laptop. Hence, even if I have been a naughty boy, it would be impossible for anyone to video me!