When I got back from my morning grocery store run today I went through my email.
Amongst my email was something from my website’s contact form (which is not as well protected from bots as my actual email) with the rather scary title “You’ve Been Hacked!”
Rolling my eyes, I clicked on it to discover that it appears to be an all new scam in the growing area of scareware.
What is Scareware?
Scareware is a specific form of malware. It uses social engineering to scare the user into taking an action.
The most common form of scareware is those website popups that used to be more common, which tell you your computer has been infected. To fix it, all you have to do is download their software.
The goal is either to get you to buy the software or to get a trojan onto your system. They may also be after your credit card number.
But there’s also a newer kind of scareware, which seems to be becoming more and more common. The one Igot this morning appears to be new to the wild (and has been properly reported).
This scareware leverages the growing popularity of ransomware. Instead of actually encrypting or stealing your files, which would be work, the scammer attempts to convince you they have and demand a ransom anyway.
One of the most popular is the sextortion scareware email many people have now received. The one that includes some ancient password you used a few years ago and threatens to tell all of your friends what kind of porn you watch. I get that one regularly. It’s always good for a laugh.
How do You Identify Scareware?
Okay, so, I’m going to use this morning’s wonderful missive as an example:
Hello! You\’ve been hacked! Now we have all the information about you and your accounts: + all your logins and passwords from all accounts in payment systems, social. networks, e-mail, messengers and other services (cookies from all your browsers, i.e. access without a login and password to any of your accounts) + history of all your correspondence by e-mail, messengers and social. networks + all files from your PC (text, photo, video and audio files) Changing your username and password will not help, we will hack you again. Pay a ransom of $ 250 and you can sleep peacefully without worrying that all information about you and all your accounts, files and personal correspondence will not become public and will not fall into the hands of intruders. Bitcoin wallet to which you want to transfer $ 250 XXXXXXXXXXX If you do not pay until tomorrow evening, then we will sell all this information on the darknet, there is a huge demand for such information Pay $ 250 and sleep well!
Scary, right? (I elided the bitcoin wallet number just for safety and security).
So, how do you know this person hasn’t hacked everything?
For me there were two clues which made this easy:
- It came to my website’s contact form, not any of my actual email addresses. This indicates they might not even have my email address, or know who I am.
- I don’t own a PC. I’m a Mac user. Anyone who had hacked my system would know this.
But how about if you don’t have anything that easy to go by? It looks scary, after all.
Here are some indicators that this is scareware:
- The low ransom. $250 may seem like a lot and to some like a disaster, but it’s way less than the information they claim to have could fetch them on the dark web, especially if they sold it more than once.
- The tight deadline. “If you do not pay until tomorrow evening.” Scareware tends to make things seem urgent.
- The very poor English. Scammers never proofread. Like, ever.
- The demand for payment in bitcoin.
There’s also the fact that I’ve received scareware like this before. I once got the sextortion one several times a day every day for a week. No kidding.
Another thing to think about is that hacking everything would take hours upon hours. Why would they do that if they can scare you into paying up?
What to Do About It?
First of all, never pay. Never pay a scammer to go away because they will not go away. This goes for ransomware too.
Look up the email you received on the net. There are generally warnings posted against the most common ones, such as the infamous sextortion scam.
You should report the scam to the FTC especially if you can’t find it on the internet. That indicates it’s a new one and they need to know so they can post warnings.
Warn your friends about it, especially if it’s a new one.
Don’t take any other action. Don’t panic.
As I already mentioned, I’ve received these kinds of messages over 50 times and nothing has ever come of them. They want to panic you into giving them money for, ya know, nothing.
Unfortunately, enough people fall for these to make the scammers money. Don’t be one of them.