Yes, I know I’m always banging on about passwords

Username and password theftThe simple fact is that this issue causes more problems than any other for my IT support clients. Therefore, I can’t resist telling you about something that happened a few weeks ago that offers yet another reason why you really shouldn’t use passwords more than once.

I received a phone call from a client saying that she’d just had a nasty email from someone saying that they had managed to access her Mac and, to prove it, they told her the password to get into her Mac. The email said they had stolen contact information, personal files, etc. I won’t describe what they said they were going to do next, but the bottom line was that they wanted about £3000 not to go ahead and do it.

Luckily, my client is a level-headed person who knew that a lot of what they said couldn’t be true. However, she was still – quite rightly – concerned about the accessing of her computer and asked me what to do. Since I was completely tied up with another client at the time I couldn’t give it detailed thought at that moment, so I advised her to contact the police and her bank and that I’d get back to her later.

The police said that it was a scam (ie, there was no real threat – they were just trying to “con” money out of her as opposed to extorting it). However, the police didn’t tell her how it was done.

ScamWhen I got a chance to look at the email itself later on, it seemed to me that absolutely everything in the email – except one fact – could be explained by saying that this was just a scam (that they were bluffing, lying, and hadn’t managed to get into her computer at all). The one inconvenient fact that didn’t fit this explanation was that they knew the Administrator’s password for her Mac. If they knew that, then there was a possibility that they could have accessed her Mac. That was why I had advised her to contact the police and her bank.

And then it struck me that the email address they used wasn’t her normal one, so maybe that was a clue. Maybe the combination of that email address and password had been used by her in another context and that that combination had become known to the bad person.

So, I checked to see if she had been “pwned”. This is when data is stolen in a data breach. You can check to see if your email address has been involved in a data breach by visiting “Have I Been Pwned?“. Sure enough, her email address and LinkedIn password had been stolen many years before in that organisation’s huge loss of data. Wikipaedia says of that data breach:

The social networking website LinkedIn was hacked on June 5, 2012, and passwords for nearly 6.5 million user accounts were stolen by Russian cybercriminals. Owners of the hacked accounts were no longer able to access their accounts, and the website repeatedly encouraged its users to change their passwords after the incident.

PwnedMy client did seem to remember being told of that data breach and undoubtedly did as LinkedIn suggested and changed her password. I asked her if she knew what the old password was and she couldn’t remember. Crucially, though, she said that it COULD have been the same password that she is now using (or was using until a few weeks ago!) as the administrator’s password on her Mac. What is almost certain is that her email address, together with that password, are up for sale on the Dark Net.

So, we concluded that what had probably happened is that the putative blackmailer bought her email address and LinkedIn password (probably on the Dark Net) and then just emailed her, assuming that the password for her Linked In account was the same as the password for her Mac. And he was right, so the scam worked (up to a point – but he certainly didn’t get any money from her). He managed to mis-direct us into thinking that he’d gained access to her computer when, in fact, he hadn’t.

This scam can only work if people re-use passwords and if they don’t keep a record of what passwords they used, when, and for what. Had my client not re-used passwords, and had she kept such records, she would have been able to tell that the password he claimed was her Mac’s password, was, in fact, an old password stolen in a data breach and not related to her Mac at all. The whole thing would then have been immediately obvious as a scam.

I rest my case (for now).

There are, of course, a lot of scams and attempted frauds connected with computers and the internet. Most of these involve something that originates on the computer itself, but one scam that’s been around for a couple of years seems to take people by surprise and make them wonder if it’s genuine.Microsoft scam - looking through magnifying glass

This involves an unexpected phone call from someone purporting to work for Microsoft who tells you there are problems with your computer. (S)he may suggest that they have been informed by your internet provider that your computer has been infected with viruses or malware, or a variation is that your “warrantee is about to expire so your computer needs checking” (!) They then get you to log onto a website. This website may or may not include logos suggesting that the website owner is a “certified partner” of Microsoft. The idea is that the website reassures you that they are genuine and provides the means for them to remotely access your computer (with your permission). It’s not then difficult for them to show you your Windows Event Viewer. This will have entries in it that are accompanied by warning triangles and the like. At this point they will say “there you are, told you so, your computer is in a mess. Pay me £90 (or £180) by credit/debit card now and I’ll clean it up for you”. As well as the financial fraud, they could also plant viruses or spyware at this time and/or steal data from your computer.

This is a scam. Entries in your Event Viewer do not, per se, mean there’s any problem (let alone a virus or malware infection). And think about it – when did you give Microsoft your phone number? Probably never. Where did they get your phone number from, then? It looks very likely from the evidence that people are gathering about this scam that they get your name and phone number from the phone book. As simple as that. When they call you they don’t even know that you’ve actually got a computer – but it’s a fair bet that you have, and it’s cost them very very little if you haven’t.

I’ve had three people contact me about this in the last six months. That’s not very many until you consider that I don’t know millions of people so this seems to me to be a significant proportion. I understand that this problem has been around for a couple of years, but it seems that it is becoming more common.

This scam is known to the UK authorities but there’s little they can do as the perpetrators are based abroad (India seems to be getting the blame). The originating phone call is routed via the internet so it can’t be traced.

Don’t bother asking them to prove their bona fides by speaking to a supervisor or asking for a number you can call back and don’t believe anything you see on any website they direct you to. Anyone can answer any phone call saying whatever they’ve prepared beforehand and anyone can create a website and put whatever they want onto it – genuine or otherwise. These phone calls are a scam. Do not be fooled or worried. Just hang up.

Microsoft is aware of this problem and they explicitly state that they wouldn’t phone you out of the blue.

Oh, and if you have already fallen for this scam I suggest you cancel the credit/debit card you used.

© 2011-2019 David Leonard
Computer Support in London
Privacy Policy Suffusion theme by Sayontan Sinha