Ransom e-mail request with real password in clear text: what to do

I chose to write this article hoping to help the many users who are being targeted by yet another widespread e-mail fraud attempt. This time the technique is particularly subtle: the alleged blackmailer, through a threatening e-mail, claims to have hacked your computer (and/or e-mail account); he also claims to have found compromising material, such as porn content and/or embarrassing video acquired through the webcam, that could be released at any time unless the ransom is paid. As proof of the truthfulness of his claims, the alleged hacker includes your password in clear text… And that’s where the issue actually lies: the password seems to be genuine, or close enough to be a serious cause of alarm: it can be an old password that was used until recently, one that is maybe still used on some website accounts, or even – the worst-case scenario – your actual current password.

This kind of fraud attempt, compared to the many we are used to and have learned to recognize and ignore, is particularly effective: reading your actual password (or something really close to it), and thus realizing that the blackmailer knows it as well, is nothing less than a cold shower for anyone. Even if the rest of the e-mail is the usual nonsense – especially if you don’t have a webcam – the presence of that specific detail can be a real issue… and it’s an unequivocal sign that something didn’t work as it should.

Let’s start by explaining briefly what happened: how did the blackmailer get hold of our password? The first thing to clarify is that, luckily enough, the blackmailer hasn’t breached our system: the actual victim of the data breach was most likely a website or web service to which we registered – recently or even a long time ago – with the same password that appears in the blackmailing e-mail we just received. This basically means that:

• On closer inspection, we can see that the alleged hacker has not targeted us specifically, but rather a potentially very large list of users. In all probability, the message we received was sent via an automated script to the entire user database of the breached site, which – I repeat – evidently contained both our e-mail address and the credentials we provided at registration time.

• Such a password is likely to be scary enough for us, because it’s definitely one of the passwords we did actually use at least once, i.e. to register on one or more sites – including the breached one: at worst, if we have been incautious to the point of using the same password for every site and web service we registered to, it might even be OUR CURRENT PASSWORD. This leads us to formulate our first statement, which is very important in terms of computer security: NEVER USE THE SAME PASSWORD ON MULTIPLE SITES OR SERVICES, to avoid being hit by this type of threat.

How did they do that?

At this point, experienced users might ask another question: shouldn’t these passwords be encrypted before being stored in the databases of these websites? The answer is yes: almost all websites built with modern CMS and/or site-building platforms (WordPress, Joomla, Drupal, etc.) provide a protection mechanism based upon a technique called hashing: the password, before being stored, is transformed into a completely different text string by means of a standard (or proprietary) one-way algorithm, with no possibility of reversing the process. From that moment on, to verify that a password is correct, the site does nothing more than transform the password typed by the user during login in the same way and compare the two hashes, without ever using (and/or storing) the password in clear text.

• The website in question stored the passwords in clear text, without implementing any hashing or encryption policy: this is a rather common scenario for “amateur” websites, such as manually developed blogs built without WordPress and the like – and without their up-to-date security standards and best practices, specifically designed to protect user data. This leads us to a second, important consideration, valid for users as well as for software developers: NEVER STORE PASSWORDS IN CLEAR TEXT.

• The website in question did not use an up-to-date hashing or encryption system: a hashing scheme is only safe if it uses a custom seed – commonly called a salt – that is, a unique block of text that the hashing algorithm uses as a “base” to carry out the transformation. We can think of it as an “encryption password”. Unfortunately, hashing with a custom salt is relatively recent among most custom-made site-building platforms: most of the sites developed between the 1990s and 2000s use standard hashing algorithms, such as MD5 or SHA-1, without a salt: the transformations carried out by these functions, although safe and non-reversible, have the enormous problem of being completely identical among all the sites and/or services that implement them in that same way. This, over the years, has led to the creation of gigantic online databases (such as MD5online.com) that offer an automated reverse lookup service that will retrieve the clear-text password from a given hash. These services work in a very simple way: they have a huge database containing millions of possible “common” passwords (for example, the words of most written languages of the world, plus all the numeric combinations from 000000 to 999999, and so on) and their corresponding hashes: you input the hash, they answer with the corresponding password. That’s about it. Now, what does all this have to do with our main topic? It’s pretty simple: whenever a hacker gets his hands on a user database containing a series of e-mail addresses and MD5-hashed passwords, he just has to use one of these reverse lookup services to obtain a good amount of the non-complex passwords used by those accounts. As we just said, this process only works if the password used is relatively common (a number, a single word, etc.), which leads us to a third security consideration: NEVER USE WEAK PASSWORDS.
To understand what makes a password weak, I strongly recommend reading this enlightening Wikipedia article or, for those who do not want to immerse themselves in technicalities, taking a look at this hilarious (and no less illuminating) image taken from the popular XKCD webcomic:

• The website in question is (or was) using appropriate security measures, yet still suffered a major breach: although a not-so-common scenario, it’s not impossible: there have been numerous cases in recent history – Sony, Microsoft, Twitter, to cite just a few – of online giants that have been hacked or exploited, allowing the attackers to steal a large number of user accounts and data – including passwords. Although 9 times out of 10 these passwords had been hashed or encrypted properly, it’s possible that the hackers were also able to get hold of the encryption algorithm details and/or the related salt, seed or key used to make the hashing or encryption process secure: if that’s the case, they could eventually retrieve the clear-text passwords as well. These reversing processes are anything but easy and can take time: weeks, months or even years, depending on the algorithm strength and the infrastructure available to the attackers; at the same time, considering the progress of CPU performance over time, there’s a high chance that any encrypted or hashed password could eventually be reversed into its clear-text equivalent. This leads us to a very important fourth security consideration: REMEMBER TO CHANGE YOUR PASSWORD FREQUENTLY.
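As an added example (not part of the original article, nor code from any of the sites or services it mentions) illustrating the hashing discussion above and the reverse-lookup problem of unsalted MD5, here is a small Python script. It builds a constructed lookup table of common passwords, shows that plain MD5 of the same password is identical on every site and can be reversed by a simple table lookup, and contrasts it with salted, iterated hashing (PBKDF2-HMAC-SHA256 from the standard library), where the same password yields a different stored value per user and the table no longer helps. The common-password list and the leaked user table are constructed sample data; `hash_salted`, `verify_salted` and `recover_from_leak` are this example's own helper names.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample standing in for the millions of "common" passwords a
# reverse-lookup service keeps precomputed hashes for.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football", "sunshine"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme from the article: plain MD5 hex digest, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """hash -> password, computed once. Because unsalted MD5 is identical
    everywhere, the same table works against every site that uses it."""
    return {md5_unsalted(p): p for p in candidates}


def reverse_unsalted(md5_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a clear-text password from its unsalted hash, or None if it is
    not one of the common candidates (a strong password stays None)."""
    return table.get(md5_hex.lower())


def hash_salted(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256). A fresh random salt per
    user means equal passwords produce different stored values, so a
    precomputed table is useless; the salt is stored next to the digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def recover_from_leak(leaked: Dict[str, str]) -> Dict[str, Optional[str]]:
    """What falls out of a leaked e-mail -> unsalted-MD5 table: every common
    password is recovered by lookup alone, strong ones remain None."""
    table = build_lookup_table(COMMON_PASSWORDS)
    return {email: reverse_unsalted(h, table) for email, h in leaked.items()}


if __name__ == "__main__":
    # Constructed leak, stored the way a 2000s-era site would store it.
    leaked = {
        "alice@example.com": md5_unsalted("password"),
        "bob@example.com": md5_unsalted("letmein"),
        "carol@example.com": md5_unsalted("correct horse battery staple"),
    }
    print(recover_from_leak(leaked))
    stored = hash_salted("password")
    print(stored)
    print(verify_salted("password", stored), verify_salted("Password", stored))
```

Running the script shows alice's and bob's passwords recovered from the leak by lookup alone, carol's left unknown, and two salted hashes of the very same password that do not match each other while both still verify correctly.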

It goes without saying that paying the requested amount is out of the question. Such action would be completely pointless and won’t change your situation in any way: the payment method required – a bitcoin wallet – doesn’t allow tracking the sender or the recipient of the transaction: consequently, the blackmailer would have no way of knowing that you have paid, even if you did. Remember that you’re dealing with mass-mailing people who send tons of requests hoping that some scared user will fall into their fraudulent net. Moreover, if you think about it, there is nothing to pay for: your password is already in their hands, as well as the personal data you entered on the website that suffered the data breach: conversely, what you need to do is stop them from using that data to get other data from you and/or your relatives.

For this reason, the first thing to do is not to lose your temper. The second is to make an honest and humble analysis of your recent (and not-so-recent) online experience to understand whether that exploited password is still valid, i.e. still used to connect to one or more websites or services. The answer to this self-analysis will determine the countermeasures you should take in order to protect your online security.

Password still in use? Defcon 2

If the password is still “active” – that is, in use with one or more services – it is imperative to change it as soon as possible, especially if you’ve been so naive as to use it for important services such as: your e-mail account (especially the one where you received the offending e-mail!); online payment systems (e.g. PayPal); e-commerce sites (eBay, Amazon); the administrative accounts of your smartphone (Google, Apple); and so on. Be that as it may, regardless of how and how much you have used that password, your primary goal must be to make it useless. There’s only one way to do that: replace it, wherever you think you have used it, with a new, secure and unique password for each site or service.

IMPORTANT: in addition to changing the password, it’s strongly advised to switch to a two-factor authentication system (if the service supports it) to protect your account even further. If you look around, you’ll find that a lot of services already support that feature: Google, Apple, PayPal, eBay, all online banking accounts, and even a lot of “standard” websites. The most common 2FA implementation is based upon SMS: the website sends a confirmation SMS containing an OTP code to be entered immediately after the password. Two-factor authentication is, to date, the most effective system to protect against password theft and therefore deserves another important security consideration: ALWAYS ACTIVATE A TWO-FACTOR AUTHENTICATION SYSTEM WHEN AVAILABLE.
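As an added example (not the article's code and not any provider's implementation), here is a server-side sketch in Python of what the SMS-OTP step described above involves on the website's end: the code is random, short-lived, single-use and limited in attempts, and it is kept only as a salted hash so that a leak of the pending-challenge store does not leak usable codes. `OtpStore`, its parameters, `second_factor_login` and the injectable clock are this example's own assumptions; actually sending the SMS is outside its scope, so `issue` simply returns the code that would be sent.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed limit before the challenge is discarded


class OtpStore:
    """Hypothetical in-memory store of pending OTP challenges, keyed by account.
    The clock is injectable so expiry can be exercised without sleeping."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._pending: Dict[str, dict] = {}

    def issue(self, account: str) -> str:
        """Create a fresh code for the account. Only a salted hash is kept;
        the returned clear-text code is what would go out by SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = os.urandom(16)
        self._pending[account] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode("ascii")).digest(),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Check a submitted code. Unknown account, expired challenge or too
        many attempts all fail closed; a correct code is consumed (single use)."""
        challenge = self._pending.get(account)
        if challenge is None:
            return False
        if self._now() > challenge["expires"]:
            del self._pending[account]
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._pending[account]
            return False
        actual = hashlib.sha256(challenge["salt"] + submitted.encode("ascii", "replace")).digest()
        ok = hmac.compare_digest(actual, challenge["digest"])
        if ok:
            del self._pending[account]
        return ok


def second_factor_login(store: OtpStore, account: str, password_ok: bool, submitted_code: str) -> bool:
    """Two-step login: the OTP is only checked once the password has been
    accepted, and access is granted only if both factors pass."""
    if not password_ok:
        return False
    return store.verify(account, submitted_code)


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice@example.com")   # would be delivered via SMS
    print("login:", second_factor_login(store, "alice@example.com", True, code))
    print("replay:", second_factor_login(store, "alice@example.com", True, code))
```

The second login attempt with the same code fails because the challenge was consumed on first use, which is the property that makes a stolen password alone insufficient even if the attacker later sees one of your codes.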

Regardless of the authentication system you choose, remember to act immediately: you need to change these passwords ASAP. Not acting, or – even worse – pretending you didn’t receive that e-mail message, could be a big mistake. You must be humble enough to acknowledge the fact that, since you are one of those users who use the same password for multiple websites, your concept of “cyber security” is still quite primitive. Let me be clear, nobody intends to blame you for this: the hackers made the violation, not you. At the same time, it is important that you understand the importance of responding promptly to what they did: if that password is still used somewhere, you need to protect yourself and your family members, acquaintances and/or colleagues by modifying it immediately. Not doing so will most likely expose you to risks that, clearly not being a computer expert, you are probably not even able to evaluate properly.

In the unfortunate event that the password you received in clear text is the same one you’re currently using to access that mailbox / e-mail account… well, this is bad, because it most likely means that the hacker has had the chance to log into it. As a matter of fact, you can only assume he didn’t if you had previously enabled two-factor authentication with your e-mail provider (such as Gmail, which does support it).

• Take a look at all the e-mail messages that may still be present in the mailbox and immediately change any password contained therein, such as: confirmation messages (some sites have the bad habit of repeating your registration password in clear text); messages from colleagues, friends or relatives who wrote you some plain-text password; and so on. All of these eventualities lead us to one last important consideration: NEVER SEND CLEAR-TEXT PASSWORDS THROUGH E-MAIL.

• If the “compromised” mailbox is related to a company or work e-mail address, or contains information about your company, it’s very likely that reporting the potential data breach is a required action for you to take. If that’s the case, you’ll need to inform your IT manager (or equivalent officer) to decide what to do: again, acting promptly might be crucial to avoid much bigger problems in the immediate future, in addition to protecting you from possible disciplinary sanctions if the breach becomes public.