Back to Basics: a phish is an email
that’s ‘fishing’ for you to click a link or take an action that hooks
you into a scam, either to take your cash or control your online
accounts, or convert your computer into an online employee (‘bot’) of
the phish-sender (the ‘botnet herder’).
And a ‘spear phish’ is a targeted
phish, customized to just one recipient, frequently with scary amounts
of inside knowledge, like the names of coworkers, where you bank, and so
on. In-between, there’s just a rough attempt to make the message look
personal, usually by taking the domain from your email
(yourbusiness.com) and using it throughout the email. It’s rarely a true
one-recipient spear phish, unless you are a public officer of a large
corporation, or a ‘target of value.’ Some of the Democrats hacked during
the last election were attacked using spear phish emails. For most of
us, we’ll just see phish with some mail-merge insertions of our email
addresses in a few spots.
So, do you believe that the email shown below is real? Did I win the lottery?
I hope there were only ‘no!’ answers
for that. The “UNITE STATE” company mentioned, Facebook, is made to
appear to have a Canadian address, a South African bank, and a FREE
email address from Yahoo of Japan, and a phone number with a South
Africa country code of 27. And they’re asking for enough information,
with that driver’s license, to run a credit check or apply for a loan.
So, clearly I did not win a lottery that I never entered in the first
So, if no one believes that phish, why
is this one so convincing? It’s a new version, just showing up this
month in very large numbers, somewhat shortened because the original
content is far too crude to include here:
Hello there, Hope u do not mind my english sentence structure, because i’m from Germany. I contaminated your machine with a malware and im in possession of all of your personal data from your operating-system… (vague threats of web site history recordings here) After some time additionally, it pulled out every one of your social contacts. If you ever would like me to remove your everything i currently have – transmit me 790 us in btc it’s a cryptocurrency. Its my account transfer address – 141… At this moment you will have 26 hours. to make up your mind Once i will receive the transaction i’ll eliminate this video and every little thing thoroughly. Or else, please remember this evidence would be sent to your contacts.
Some of these show up with your own email address as the ‘from’ or ‘reply-to’ address. It’s faked. Scammers who have your real email login information use it to send bulk mail, not ask for Bitcoin.
There have been a lot of these for the last two months, blackmail letters with Bitcoin payment demands and claims about webcams. Bitcoin is difficult to trace and impossible to call back. Delete these hoaxes. Some of them include real passwords-mine included a password for a video website I visited 6 years back, so I know that “learntoprogram.tv” was hacked and lost their user list.
I know that site was hacked because I
gave it a unique password. No passwords used online should be used in
more than one location, because once a site owner realizes that they’ve
been hacked, they don’t tell you. They just set the database for
everybody to “lock out user until they request a ‘forgot my password’
reset link.” But if they were hacked, that means that some hacker has
your email address and a password that you have used, somewhere, at
least once. So they’ll start bulk attempts to use their new
million-address database of stolen email and password pairs to log in at
the top 50 banks, Amazon, the Apple Store, even some online games where
you’ve built up a powerful character to take over. They’ll attempt to
log into anything with digital resale value or a cash equivalent. If
they succeed, they can take over that account, and whatever it contains.
Again, don’t re-use passwords. When they’re hacked on one site, they’re tested elsewhere and everywhere.