The old "we have pictures of you naked" scam with a new (password) twist
At various times various people and groups have tried an extortion scam that claims to have pictures or video of the user, naked. (This new analysis comes to us, ironically, courtesy of Naked Security, an arm of Sophos.)
This time around they claim to have proof that they have access to your machine, because they have, and tell you, your password. This group appears to have access to one of the myriad password troves that are littered around the Internet, so they may have access to your password. If you use the same one everywhere. And if you haven't changed it in the past several years.
Of course, nobody uses the same password everywhere, right? Well, one of the things we learned from the Ashley Madison debacle was that there are an awful lot of people in responsible positions, who do use the same email and password for work and visiting sex sites ...
(This reminds me of the various CISSP holders, over the years, who have discovered the cissp.txt file, and were horrified to discover that they were in it! It was an old file that someone had scraped off the ISC2 site, when it had a member directory, and was reposted at various times over the years. You can find more details in the CISSPforumFAQ, section 4.4.)
Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
This message may or may not be governed by the terms of http://www.noticebored.com/html/cisspforumfaq.html#Friday or https://blogs.securiteam.com/index.php/archives/1468
That is actually a pretty good trick. Even if they report an old password for the wrong account, one would likely believe them. After all, they could have snagged the pix a while ago, or from a cloud backup of my documents/pix.
Of course, the bigger problem for them is that even my old passwords are something like "PST9hJcP4rJas4ctMnJ0e1Q#CJTVQVV", which are very unlikely to show up in a password trove.
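As an added example (not from the thread or from any of its posters), here is the defender-side check behind both points above: a k-anonymity "range" lookup of the kind breach-check services offer, where only the first five hex characters of the password's SHA-1 leave the client. The breach corpus here is constructed locally from a few made-up "leaked" passwords so the script runs offline; the lookup function stands in for the real HTTP call.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
# These passwords and counts are made up for the example.
CONSTRUCTED_LEAKED = {"password123": 3, "letmein": 7, "Summer2018!": 1}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form range-style breach APIs index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_corpus(leaked: dict) -> dict:
    """Group hashes by 5-char prefix: prefix -> ['SUFFIX:COUNT', ...]."""
    corpus = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        corpus.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return corpus


RANGE_CORPUS = build_range_corpus(CONSTRUCTED_LEAKED)


def range_lookup(prefix: str) -> str:
    """Stand-in for the network call: the response body for one prefix.
    The server only ever learns these five characters, never the password."""
    return "\n".join(RANGE_CORPUS.get(prefix, []))


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Suffix matching happens client-side, so the full hash never leaves."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # A reused, dumped password is found; the long random one from the
    # post above is not.
    for pw in ("password123", "PST9hJcP4rJas4ctMnJ0e1Q#CJTVQVV"):
        print(f"{pw!r}: seen {breach_count(pw)} time(s) in the corpus")
```

The same prefix-only query pattern is what makes it safe to run such a check against a real corpus at account-creation or password-change time.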
Date sent: Fri, 13 Jul 2018 22:24:01 +0000 (UTC) Subject: Re: The old "we have pictures of you naked" scam with a new (password) twist ((ISC)² Community Subscription Update)
> denbesten (Contributor II) posted a new reply in Industry News on 07-13-2018
> That is actually a pretty good trick. Even if they report an old password for the wrong account, one would likely believe them. After all, they could have snagged the pix a while ago, or from a cloud backup of my documents/pix.
Social engineering. It's always social engineering. Generally it's a lot easier to fool people than systems.
(Of course, once you can fool systems, you can fool them over and over again ...)