Sextortion Phishing Campaign Uses Recipient's Hacked Passwords



Krebs on Security has posted a new item: "Here's a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who's compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom.

The new twist? The email now references a real password previously tied to the recipient's email address.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

Krebs commented: "I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real."

We agree. There are billions of hacked passwords out there now, that can be used for any number of nefarious phishing scams. Here is a new way to find out of any of your users' breached passwords are out there.


BPTA whopping 25% of employees are using the same password for all logins. What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization? 

Using breached passwords puts your network at risk. Password policies often do not prevent employees using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.

KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!

Here’s how Breached Password Test works:

checkmark Checks to see if your company domains have been part of a data breach that included passwords

checkmark Checks to see if any of those breached passwords are currently in use in your Active Directory

checkmark Does not show/report on the actual passwords of accounts

checkmark Just download the install and run it  

checkmark Results in a few minutes! 

Find out now which users are using hacked passwords!

Download Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/breached-password-test 


Topics: Phishing

Subscribe To Our Blog


2019 National Cybersecurity Awareness Month Resource Kit




Get the latest about social engineering

Subscribe to CyberheistNews