"Nasty" Sextortion Scam Demands Bitcoin Ransom


Using stolen passwords to get a victim's attention, a new sexploitation scam threatens victims with exposing them "doing nasty things." In an emailed threat, the hacker claims to have downloaded malware on the victim's computer that enabled the scammer to take over the victim's webcam.

The scammer also claims to have pilfered email and social media contacts and to have a recording of the victim, filmed from the victim's own webcam, watching porn. Demanding a ransom in bitcoin, the scammer says if the victim doesn't send $1,000 to $2,000 within 24 hours, the crook will share compromising images of the victim with all of the victim's contacts.

"I think $1,400 is a fair price for our little secret," the con artist's email says.

In reality, the crook doesn't have your contacts or access to your webcam, according to Brian Krebs, who operates a top technology security site. However, the scammer does have a password that the victim once used -- or may still use -- with one or more websites.

The email reads as follows:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.
You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
Important:
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Sending bitcoin if you get this email is, of course, a bad idea. However, if you received one, changing your passwords is wise. In fact, it might be smart to change passwords for all important accounts even if you don't get targeted.

Why? A series of massive data breaches has exposed password information on hundreds of millions of consumers. These passwords are now floating around the dark web, available for purchase by scammers like this one, as well as those with even more nefarious intent.

Consumers who want to find out whether their passwords have been compromised can go to security website Have I Been Pwned, which has collected data on the email addresses and passwords that were involved in data breaches. Frequently, consumers will find that their email has been subject to many breaches, which means that multiple passwords may be at risk.

One Million Kids Were Victims of ID Theft Last Year


There was a time when child identity theft was thought of as a family problem, and it’s true that many cases over the years have been perpetrated by a custodial or non-custodial parent, a close relative, or even a family friend. Once the individual gained access to the child’s sensitive documents, they could open numerous lines of credit with the child’s “untarnished” credit record. In many cases, the identity thief may have been trying to get out of a dire financial situation, and fully intended to pay off any debt incurred in the child’s name; at the same time, some unscrupulous thieves didn’t care what consequences waited for the child down the road.

Too often, the children didn’t even know they’d been victimized until they reached adulthood and tried to use their legitimate credit.

In more recent years, though, hackers and identity thieves have begun targeting kids in order to take advantage of clean credit that no one will be monitoring for years to come. Schools, doctors’ offices, daycare centers, even school lunch computers have suffered data breaches aimed at nabbing kids’ personally identifiable information.

According to Javelin Strategy and Research’s 2018 Child Identity Fraud Study, there were more than one million reported cases of child identity theft in the US last year, with the majority of those cases victimizing children under the age of eight. Another 20 percent of the victims were between the ages of eight and twelve.

Unfortunately, those are just the cases that were reported, which means the actual number of victims may be much higher.

But this new avenue of data breaches leading to identity theft doesn’t mean that parents can let their guards down about friends or relatives. The same Javelin study found that in 60 percent of the cases last year, the child knew their identity thief; that’s very different from the data point that says only 7 percent of adult victims know their identity thief.

One of the increasingly common methods of using children’s stolen credentials is to grab a Social Security number and combine it with a fake name, address, phone number, and more. Known as “synthetic identity theft,” the thief isn’t using the child’s complete identity, but rather has created a whole new person with this information. That makes it a little harder for victims and law enforcement to notice the problem in the first place or take action after the fact.

Concerned parents or guardians have a few steps they can take, though. If the child in question is over 14, they can request a credit report in the same way that any consumer does. Visiting annualcreditreport.com will provide the minor in question with a free credit report, and allow them to look it over for signs of suspicious activity. If the child is under the age of 14, the steps are a little harder. The adult must prove they have a right to access and see the information, but it’s a worthwhile step if there’s reason to believe a child’s identity may have been compromised.

Practical Tips for a Safer Social Media

Social media has become an inevitable part of our lives. Networks such as Facebook and Instagram have billions of users, many of whom share personal information. This leaves hackers, burglars and identity thieves with limitless opportunities to cause harm.


During the summer season, many people take time off, travel and post digital updates more than usual, making it more important than ever to pay attention to online security and privacy.

Here are some practical tips on how to stay safer and more secure on social media while enjoying the summer fun.

Pay Attention to Privacy Settings

Each social media platform has privacy settings that you can customize to your comfort level.

On most platforms you decide who can view your posts, friend lists and the pages you follow or like. You can also limit friend requests and prevent people from seeing your email address and other personal information. To get the most out of these privacy features, we recommend reviewing your settings regularly.

Don’t Reveal Everything

Have you ever posted a photo of your home or shared your address on social media? How many times have you told the internet that you are out of town or abroad? As benign as it may seem, such practices could put you in harm’s way.

A lot of burglars scout social profiles to find out whether someone is home. If thieves know you are away, it allows them more time to break in and steal. Save the vacation pictures and updates for when you return!

Choose Friends Carefully

An average social media user is glad to see new friend requests. After all, you want to feel acknowledged and appreciated by your peers. But popularity isn’t everything. A best practice is to only accept friend requests from people you know or have met in real life.

Criminals are known to create fake accounts and befriend thousands of users in order to gain access to their personal information. If a name doesn’t ring a bell, check out the profile to learn more details. If it seems strange or you don’t know them, we strongly suggest you reject their request to be friends.

Links May Lead to Malware

When in doubt, throw it out: Links in emails, social media posts and online advertising are often how cybercriminals try to steal your personal information. Even if you know the source, if something looks suspicious, delete or ignore it.

Strengthen Passwords

We saved the best for last. Most hackers use gigantic databases to break passwords; a weak password will increase the odds of your account being accessed. A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!

Millions of people post personal information online without even realizing it, allowing burglars and digital thieves to exploit their private data. If you want to avoid this problem and use social networks safely, keep these five tips in mind.

New Bluetooth Hack Affects Millions of Devices from Major Vendors


A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the implications of the bug for Google, Android and Linux are still unknown.

The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.
 

How the Bluetooth Hack Works

Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate, that devices supporting the two features validate the public encryption key received over-the-air during secure pairing.

Because this validation is optional, some vendors' Bluetooth products supporting the two features do not sufficiently validate the elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.

In this case, an unauthenticated, remote attacker within the range of targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication to steal data going over-the-air, and inject malware.

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."

"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."

On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.

According to the CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.
 

Stop Bluetooth Hacking—Install Patches from Vendors

To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.

Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC says patches are needed in both firmware and operating system software drivers, which should be obtained from vendors and developers of the affected products, and installed—if at all possible.

Is Cloud Storage Safe for Small Businesses?


Many small businesses are opting for cloud storage solutions rather than having their own server in-house. But this has led some business owners to wonder whether these services are safe.

Thankfully, as cloud storage has been around for a number of years, there are a multitude of organizations successfully using cloud storage as a safe and secure way to store their data.

The real question is “is it safer for you to use cloud storage or internal servers?”

What Are The Benefits of The Cloud?

There’s no doubt that one of the major benefits of the cloud is not having the expense of running your own server or data centre. This doubles up as one of the reasons why the cloud is safer; costs can be so high that businesses fail to spend enough to get a high quality and secure system.

The security of cloud stored data tends to be better provided that passwords are strong and protected. It also means that you do not need to have members of staff with the knowledge and expertise needed to manage your server, as this will all be taken care of for you. There is also the benefit that if your data is stored away from your premises, there is less risk that you could lose it in the event of a disaster, such as a flood or fire.

An additional advantage of cloud storage is that your level of usage can be reduced or expanded to suit your current needs. This means that you won’t be overspending on a large server that you don’t need, nor struggling with limited capacity.

Are There Any Risks?

Of course, like any technology, using the cloud is not free from risk. One of the clear risks is that you are no longer in full control of how and where your data is held. You are handing that responsibility over to another company. This is why it is essential to choose a reputable company that you can trust – especially if you’re handling highly sensitive data such as medical records. Your data is the lifeblood of your business, so you need to be certain that the company storing it can be completely relied upon.

Remember, the “cloud” is still a physical server, it’s just located somewhere else. There is still the risk of data being lost, wiped or even stolen. You might assume that keeping your data on the cloud will guarantee that it will never go missing or be corrupted, but there is always the possibility, however small.

Is Data Safer On The Cloud?

There are undoubtedly many reasons that data can be considered safer on the cloud – for example, major data breaches tend to occur mostly against companies with their own internal servers rather than those utilizing cloud storage. Additionally, it tends to be issues such as outdated systems that are the major cause of these breaches.

Working with a high-quality cloud storage provider will almost certainly carry fewer risks than having your own server in-house. Still, they are not invulnerable. If passwords are stolen, a hacker can use them to access your data just as they would with an in-house server.

Choosing a good cloud storage provider

Choosing a cloud provider might seem like a daunting task at first, especially if you do not have much data security experience. It’s worth noting that some providers specialize in the storage of certain types of data, so it’s wise to search for cloud storage that suits your business’ needs.

Nebula Consulting offers several cloud storage options. Contact us today to speak with one of our engineers for a free consultation.