Money has always been a catalyst for greed and malice. Blackmail is one way to extort money from the innocent and has existed since ancient times. In the digital world, blackmail is not unknown and there are many ways to go about it. We have discussed some of them in previous Bulletin articles (“Malware, ransomware, doxware and the like”). Recently, there has been a clever new twist on an old e-mail scam that might make the con far more believable.
A message received at CERN or elsewhere claims that your computer has been compromised and that the attacker has full access to your device. This is not beyond the realms of possibility, as computers always have some vulnerabilities that haven’t been fixed yet (by you or by the developer of the operating system). And “full access” really does mean full access: to the documents stored on that device, such as photos, videos and bank statements; to its keyboard buffer, so that every keystroke – including any passwords being typed – can be logged and stolen; to its screen, so that whatever is displayed can be snapshotted by the attacker; and to the attached microphone and web camera. In the last case, this allows the attacker to spy on any activity in the vicinity of that computer (see also our Bulletin article “Curiosity clicks the link”). And the attacker can play dirty tricks with that power. By claiming to have a recording of the webcam’s livestream while the computer was accessing webpages with pornographic material, the attacker threatens to release the video to all locally registered contacts unless a Bitcoin ransom is paid… The new twist? The e-mail not only contains this threat but now also quotes a real password previously tied to the recipient’s e-mail address, which makes the scam much more believable!
How come? Passwords are the token that protects your data in any web service: CERN INDICO, CERN EDH, Facebook, Twitter, Amazon, etc. Hence, they are usually stored together with an identifier for that web service (typically your e-mail address) – but not always in a perfectly secure fashion. At CERN, we protect your password in accordance with best practice, converting it into a non-recoverable string (technically a “salted hash”), but some other sites might store your password in clear text. If those websites are infiltrated, all clear text passwords are exposed, and the protection of any other data behind those passwords is completely lost. From that moment, all that data can be considered involuntarily public. This happens more often than you might think. Whenever the CERN Computer Security Team learns about newly exposed passwords linked to your CERN e-mail address or to any other address registered with CERN, we will let you know!
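To illustrate the difference between the two storage methods described above, here is a small example written for this article (not CERN’s own implementation): the clear text record beside a salted hash record. The page only says “salted hash”; the choice of PBKDF2-HMAC-SHA256 with a random 16-byte salt as the concrete construction is an assumption, and the password and site names are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample value for the demonstration; not a real credential.
SAMPLE_PASSWORD = "CorrectHorse!2019"

# Work factor for PBKDF2-HMAC-SHA256 (assumed here; the page names no parameters).
ITERATIONS = 600_000


def store_cleartext(password: str) -> dict:
    """Weak storage: the record contains the password itself.
    Anyone who copies this record can read it and try it on other sites."""
    return {"password": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Best-practice storage: a random per-record salt plus a slow key
    derivation. Only salt and digest are kept; the password is not recoverable
    from them, and the same password yields a different digest at every site."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_salted_hash(record: dict, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def leak_reveals_password(record: dict) -> bool:
    """What an attacker who obtains the record learns: True only for clear text."""
    return "password" in record


def leak_reveals_reuse(record_a: dict, record_b: dict) -> bool:
    """Whether two leaked records (from two sites) show that one password was reused.
    Clear text records match directly; salted hash records do not, as the salts differ."""
    key = "password" if "password" in record_a else "hash"
    return record_a.get(key) == record_b.get(key)


if __name__ == "__main__":
    weak = store_cleartext(SAMPLE_PASSWORD)
    strong = store_salted_hash(SAMPLE_PASSWORD)
    print("clear text record leaks password:", leak_reveals_password(weak))
    print("salted hash record leaks password:", leak_reveals_password(strong))
    print("login with correct password:", verify_salted_hash(strong, SAMPLE_PASSWORD))
```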
Thus, if you receive such a scam e-mail blackmailing you, please DON’T PANIC. And for sure, do not pay any ransom! The only thing you should do is change the password revealed in the e-mail – if you recognise where it was used. Consider terminating that specific account. To be more proactive, recall these simple principles for keeping your digital life secure: keep all your devices up-to-date by using the operating system’s auto-update feature (“‘WannaCry’? The importance of being patched”); choose complex and/or long passwords and keep them to yourself (“CERN Secure Password Competition…”); use different passwords for different sites and different purposes; and do not click on links in e-mails or on webpages whose origin you don’t trust or which look dodgy (“A free click for your awareness”)!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.