How Phishers Got Your Password to Blackmail You!

How Script Kiddies Got Your Password and Email Address

Many viewers have received emails blackmailing them with old or current passwords. I explain how the senders got them, and what to do now!

Episode #10-19 released on December 15, 2019


You will understand, by the end of this episode, the error of your ways. And, please, I am speaking from a universal fact of our nature: until something bad happens, we will always seek the simplest method of accessing our lives, until someone starts making that process ever so complicated. After that point, it becomes an arms race. We use ever more complicated passwords and methods to fight the illicit hacker. But there is no winning against the weaknesses of code and security implementation. Which brings us to my point: how did that script kiddie phisher get your password in the first place?

Every website online is going to be a target. The majority of hacking attempts against websites start off as a series of attempts by bots to infiltrate a website, or occasionally, specific websites can be targeted by hackers as high-value targets. The goal of such hacking attempts is information. The more information, the better. When targeting the users of websites, the information hackers are after includes usernames, passwords, email, addresses, dates of birth, credit card numbers, etc. When hackers are hacking businesses, especially big businesses, they may focus on projects, code, blueprints, confidential information, etc. Basically, corporate espionage. Hacking is used to steal all kinds of information from users and businesses. Sometimes that information is used to attempt to blackmail users and/or businesses. This is probably why you are here.

Once hackers collect databases full of usernames, passwords, etc., they may have to decrypt any encrypted information. The stronger the encryption, the harder it is to decrypt. It is at this point that we see whether any of the hard work of programmers pays off. It is for this reason that even the precise methods I use to secure my databases are a secret. The less information is made available about the process, the harder it is to decrypt the database. There is a particular issue, in some cases, where the website development team has yet to safeguard the data with encryption, whether through ignorance or negligence, and those are the ones most likely to cause issues for people like us. When passwords are in plaintext, it is already too late. In the case of unsalted hashes, it only mildly complicates the process of determining what the passwords are.
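The gap between an unsalted hash and salted, deliberately slow password storage, shown from the side of the site storing the passwords. This is an added example, not code from this site or the episode; the sample accounts, function names and iteration count are assumptions constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed sample accounts: two users picked the same password.
SAMPLE_USERS = {"alice": "Summer2019!", "bob": "Summer2019!", "carol": "x9#Lq2vT"}

# PBKDF2 work factor (assumed value for this example; tune for your hardware).
PBKDF2_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """Weak storage: a fast, unsalted digest. Same password -> same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Stronger storage: per-user random salt plus a slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(table: dict[str, str]) -> dict[str, list[str]]:
    """Group users by stored digest; a group larger than one exposes password reuse."""
    groups: dict[str, list[str]] = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: hash_password(p)[1].hex() for u, p in SAMPLE_USERS.items()}
    print("unsalted duplicates:", list(shared_digests(weak).values()))
    print("salted duplicates:  ", list(shared_digests(strong).values()))
```

With unsalted digests, identical passwords are visible as identical rows in a leaked table and one precomputed lookup covers every user; with a per-user salt and a slow function, each row has to be attacked separately.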

Once all the information is decrypted, the databases of information are sold on the dark web and/or used to blackmail businesses and end users, which would be you. Most blackmail schemes affecting users are the result of publicly accessible dumps of passwords that many users are still using. It is at this point that users switch from simple passwords to complicated passwords but are not necessarily aware of the required process to be secure.

Are you a victim of a blackmail phishing email or attempted hack? Do you believe it is possible for you to become the victim of this in the future?

You are likely to be the victim of an account hacking, if it hasn't already happened. And, worse still, you are likely already a victim of a hack and are not aware of it yet. There is nothing that can be done to prevent a hack from occurring; after all, it is a digital arms race.

What can be done to avoid account breaches and takeovers?

Use a complicated, automatically generated password from applications like LastPass. We should not use complicated passwords that we create ourselves because we are simply too predictable. As humans in an ever-complicating world, we are always looking for shortcuts, and this opens us up to a whole host of issues regarding passwords, including the use of predictable pattern-based passwords. If you use a predictable pattern and have the same username or email address on several services, attackers can merely decode your methodology and take over your account.

You should always enable multi-factor authentication, with preference for application-driven methods like Google Authenticator, Authy, etc. when provided with a choice. I prefer email over text message because of the SS7 vulnerability, but when it comes to security, time-based methods are safer than transmitted methods because of the MITM problem. The issue with all of those is that end users need to use backup methods for the time-based single-use password tokens, and websites have to maintain a backup method to allow users back into their accounts, such as a backup email-driven single-use token method.

Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net
