Photo by typographyimages
You open your inbox and see a message labeled “Change your password immediately. Your account has been hacked.” Inside, the email contains what it claims is one of your passwords, a threat, and a demand for money. The password is indeed one you’ve used in the past—how did the hacker get it? Could you really have been infected with malware?
This “blackmail spam” has been inundating inboxes across the Internet, and while there’s no way to know how effective it is, it has caused plenty of raised pulses. Written in deliciously fractured English, the email message purports to be from a hacker who has taken over your computer and installed spyware that has revealed your brazen browsing habits. The hacker also claims to have taken pictures of you (staring intently, one presumes) while you click through “the big delight of your favorite resources” and threatens to share them with your contacts and brick your computer unless you send a payment using Bitcoin.
What has caused concern for lots of people is that the blackmail spam “proves” that it’s legitimate by showing you a password that you’ve used in the past. (This is often the case, but not universally so. Most copies of this spam that I’ve received include passwords I never used.) Hopefully, the revealed password is not one that you’re still using, since it was extracted from one of the many large password breaches that have occurred over the last decade. To see which breaches might include one of your passwords, check your address at Have I Been Pwned. (It’s worth noting that most of the passwords that attackers have decrypted are short and insecure. If your password was over 12 characters and didn’t use dictionary words or well-known patterns, it may have resisted decryption.)
To make this painfully clear, everything in the message other than your email address and breached password is fabricated. Your computer has not been hacked, there is no malware spying on your browsing, no pictures of you have been uploaded to a remote server, and so on. You have nothing to worry about, and you should feel free to mark the message as spam and get on with your life.
If your friends and colleagues ask you about similar blackmail spam, point them to this article and reassure them that they have nothing to worry about. Unless, of course, they’re still using the password that was revealed, in which case they should change it immediately.
Nonetheless, this spam marks what I fear is a turning point in malicious Internet communications. Most spam and phishing messages are almost entirely generic, with their main customization being your email address and occasionally your name. Sometimes they spoof a friend’s address or are even sent from a friend’s compromised account, but that’s about it. Such spam messages are convincing—to the extent that they are—only because of some larger context or because they tap into common desires to get or save money, be more attractive, or partake of some of that brazen browsing. (I’m trying hard to avoid triggering overeager spam filters with more specific words here!)
But not this message. The believability of this blackmail hinges on the fact that—in theory—only you know your password. If the blackmailer can know your password, you think, perhaps their other claims are true too. They’re not, but even people whose browsing habits are always G-rated often report a moment of panic. I presume those who still use ancient insecure passwords experience more than a moment of panic, and well they should.
The problem is that old stolen passwords are just the tip of the iceberg when it comes to information about us that’s readily available online. This blackmail spam combines only two bits of information—your email address and password. What happens when similar attacks expand the amount of information they use?
Some breaches, like the Apollo breach that took place in July 2018, include lots of other types of personal data—places of employment, roles held, locations, and corporate revenue numbers. Even more data is available in public databases. The New York Times recently published an article about apps that use voter registration and voting records to encourage friends to vote, but it’s easy to imagine that data being used for malicious purposes. Then there are real estate records, bankruptcy filings, divorces, and so on.
Blackmail spam taken to its logical extreme is the ultimate example of why we all have something to hide. It’s not that anyone has necessarily done anything that embarrassing, but the chance that we could be blackmailed into paying to keep certain facts under wraps is increasing. Imagine blackmail spam that threatens to reveal your likely voting history to everyone in your neighborhood who is registered with the other party. Or blackmail spam that says it will tell everyone on the Internet with your last name about your bankruptcy or divorce. Blackmail spam doesn’t even have to be true to be damaging. What would be the hit to your career if a spammer targeted everyone at your company’s domain name with an anonymous message that accused you of having committed sexual assault a few years ago and said that the sender was too terrified to identify themselves?
I don’t like to feed privacy paranoia, but as criminal organizations acquire more data science skills and ever larger datasets, such attacks will become all the more sophisticated and believable. It may not happen overnight—people with such skills can usually find legitimate employment more easily—but just as organized crime groups now have or can hire skilled programmers to create malware, they’ll eventually be able to find people who can combine every available piece of data about you and weaponize it in numerous ways. Similarly, it has become clear that governments aren’t above sowing fear, dissension, and confusion in the general populace, and they probably have the resources to do this already.
The worst part is that I can’t imagine a good defense against such attacks. Spam filters work against traditional spam because you’re protected if you don’t see the message. But you not being aware of a threat won’t prevent a blackmailer from carrying it out. Blocking payment methods or tracking payments may be effective in the real world, but cryptocurrency systems make such payments harder to track, if not completely anonymous when the money comes out of an exchange. But even that wouldn’t protect against a dedicated state actor looking to introduce strife into society.
Enhanced privacy legislation that limits the amount of data available about us online could help prevent or reduce the severity of these attacks. Though it’s far from perfect, Europe’s GDPR is a step in that direction. Here in the United States, however, serious privacy legislation probably won’t stand a chance—at least until the politicians who oppose it have had their lives laid bare for all to see, just like the rest of us.