Emails Exposing Passwords & Demanding Bitcoin

Hi Experts,

A month or so ago I received an email from myself claiming that one of my passwords had been exposed. Fortunately, that was a dummy password (html123) to a non-secure test site. Plus, my email is Exchange, so I called MS and they confirmed it's phishing; I changed my Exchange password to a random one, and also the test site's, and forgot about it.

Today, I received a similar email, but not from myself and with a more serious password (the one for my banking, etc.), a password that only I know. Truthfully, I store all my passwords in an email folder, especially the random ones. Chrome also remembers my passwords.

Both emails are demanding bitcoin. Obviously, I immediately changed my banking password, but has anyone received such an email? What needs to be done - in terms of this email, and moving forward?

For 15+ years, I have been using Avast Internet Security without any issues.
APD Toronto (Software Developer) asked:

ITguy565 commented:
I would suggest scanning all of your devices for viruses and rootkits, including your mobile devices. In addition to this, I would change "all" of my passwords using a computer that I was sure was not infected with malware.

After this was done, I would move all my passwords to a secure and encrypted password tracking application such as 1Password or LastPass. After my passwords were moved, I would delete all credentialed data from Chrome, and also the Windows credential manager and let 1Password and/or LastPass handle the authentication from now on.


1Password : https://1password.com/

LastPass : https://www.lastpass.com
APD Toronto (Software Developer, Author) commented:
How would I scan my iPhone, or do I need to?
APD Toronto (Software Developer, Author) commented:
Also, is scanning my PCs with Avast + Boot Scan sufficient?

ITguy565 commented:
I use Malwarebytes for everything, so it is the only software I will recommend.

iOS:
https://www.malwarebytes.com/ios/

Android:

https://www.malwarebytes.com/android/

ITguy565 commented:
I would download and run Malwarebytes on my PC https://www.malwarebytes.com as well as download and install Emsisoft https://www.emsisoft.com/en/software/eek/
ITguy565 commented:
It never hurts to run more than one antivirus when you are looking for malware. When you are done, just remove it if you are running the premium trial version.
hecgomrec commented:
You may run all antivirus and malware software out there... you are not going to avoid this by doing so.

First, these emails are coming from all around the world from different accounts and servers. They will use what is for me a vulnerability or flaw in the email handling process. The envelope of the email will have the real sender, but in the "To:" field they will use this flaw to make it look like it is from yourself or someone else. I'm not typing it here!! The way they get your username and password can vary, from random code on websites you have visited to unverified code running with ads alongside real information on the sites you visit. Also, they can go and read your saved passwords regardless of where you put them.

At work a few people got this, and it was easy to find out why only a few of them did... they all played online games at work!!!


If these passwords are valid and in use, then go change them and, for the love of God!!!, do not save your passwords... better to type them every time you need them. I know it might sound tedious, but that is my recommendation. By the way, I've used the same password for over the last 25 years, and since I created it... it has a capital letter, lower case, numbers and special characters with a length of 10, and I never store it anywhere, not even on my computer at home.
Dr. Klahn (Principal Software Engineer) commented:
These are going around all the time now.  So many different sites have been penetrated due to poor security that passwords are widely available for a few cents each and you can buy email addresses associated with passwords by the million.

I got several amusing ones -- which  would have been terrifying if I hadn't known what was going on -- over the last few months with an obsolete password for LinkedIn and claiming that they had video from my computer's camera showing me surfing porn sites.  "That is quite a trick," says I, "considering that there are no cameras on any of my systems."

But as a point of good security, don't keep your passwords stored on your computer in any way, shape or form. Buy a little notebook and keep them in there, written down, completely inaccessible to the computer except when you type them in. Don't let any of your browsers store passwords; this is asking for trouble. Use a random password generator (you can easily find them on the net), and use different passwords for each site. Then when one of the sites you use gets broken into (and it will happen again; in the US big companies have no motivation to keep your personal info secure), you have two advantages. One, that password won't open up any of your other accounts. Two, when they say "I know your password, here it is" you look it up in your book and say, "Ah, Facebook ... again."
Kimputer commented:
Check your emails on this website: https://haveibeenpwned.com
After the query, scroll down a bit to check if any breach involved the CLEAR or hashed password. If it's not there, the password must've been gotten from you. If the bank is listed, it's most likely they got the password from there. If your email was always stored server side, and the password of your email is listed, someone must have used that info to log in and scanned through your email.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
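The haveibeenpwned.com check above can also be run against a password itself without sending that password anywhere: the site's Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching suffix with its breach count, so the comparison happens locally. This is an added example, not code from anyone in this thread; `fetch_range_sample` and the constructed sample response are assumptions so it runs offline, while `fetch_range_live` queries the real endpoint. Note (as Terry Woods says further down) that a count of 0 only means the password is not in the public corpus, not that it was never leaked.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real HIBP Pwned Passwords endpoint; a GET on RANGE_URL + <5 hex chars> returns "SUFFIX:COUNT" lines.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is sent, the 35-char suffix stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines for one prefix into a suffix -> count map, skipping junk lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in HIBP's breach corpus (0 if not listed)."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real API (needs network). HIBP rejects requests that carry no User-Agent."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline sample (assumption, not real API data): the range for the prefix of the
# dummy password from the question lists its suffix with a count of 3 plus one unrelated entry.
_PREFIX, _SUFFIX = sha1_split("html123")
SAMPLE_RANGES = {_PREFIX: "0018A45C4D1DEF81644B54AB7F969B88D65:1\n" + _SUFFIX + ":3\n"}


def fetch_range_sample(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("html123", "not-in-sample-data"):
        print(pw, "seen", pwned_count(pw, fetch_range_sample), "times (sample data)")
```

Swap `fetch_range_sample` for `fetch_range_live` to check a real password; the full password and its full hash still never leave the machine.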
I'm with Dr. Klahn... Some of these messages are super amusing.

1) Never pay them.

2) Never respond.

3) I've put a filter now that bounces all these, at send time, saying "The user you're trying to reach no longer has a mailbox here..."

4) Never, ever, ever use the same or even a similar password twice.

I generate unique 16-32 byte alphanumeric strings for all my passwords + keep these passwords in a strongly encrypted file.

Using services which gather together passwords... gives me the willies...

Some day LastPass will be hacked or the company bought by an organized crime syndicate or one of the underpaid employees there will sell the entire database.

Keep this in mind when you divulge all your passwords to some convenience service.
Terry Woods (IT Guru) commented:
"If it's not there, the password must've been gotten from you."
@Kimputer, that's not correct. There are plenty of data breaches where the data hasn't been made public, and therefore isn't available to the haveibeenpwned.com site.
APD Toronto (Software Developer, Author) commented:
Can I export all my passwords from Chrome and Windows Credentials, so I know where I have used the exposed password?
APD Toronto (Software Developer, Author) commented:
I also don't have a camera connected, but the email contents were the ones that you described above regarding the porn sites. However, we have very intimate photos of my wife and myself that are private. Should I be worried?

Also, can it be malware on my iPhone?
Terry Woods (IT Guru) commented:
You can export passwords to .csv from Chrome as follows:
1. Open the Chrome Settings page
2. Click Passwords
3. To the right of "Saved Passwords", click the 3 vertical dots, and there should be an option "Export passwords".
[Screenshot: Chrome Settings, Export Passwords feature]
APD Toronto (Software Developer, Author) commented:
These are the results from Malwarebytes... what does it mean?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/27/18
Scan Time: 1:00 PM
Log File: 5f7d8700-f26e-11e8-a498-180373be0e53.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8047
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: OPTIPLEX\Nataliia & aleks

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 530134
Threats Detected: 10
Threats Quarantined: 0
Time Elapsed: 17 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\PRODUCTSETUP, No Action By User, [407], [481004],1.0.8047
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\CSASTATS\ic, No Action By User, [407], [586068],1.0.8047

Registry Value: 1
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\PRODUCTSETUP|TB, No Action By User, [407], [481004],1.0.8047

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.WinYahoo.TskLnk, C:\USERS\NATALIIA & ALEKS\APPDATA\LOCAL\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}, No Action By User, [714], [484244],1.0.8047

File: 6
PUP.Optional.WinYahoo.TskLnk, C:\USERS\NATALIIA & ALEKS\APPDATA\LOCAL\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\sona, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\config.dat, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\info.dat, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\install.log, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\Sqlite3.dll, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\uninst.dat, No Action By User, [714], [484244],1.0.8047

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Kimputer commented:
Only a low-risk potentially unwanted program (PUP) was found (Yahoo isn't gonna risk going full malware to protect their brand name).
Would have been helpful if you actually checked what I asked you though. Because a positive (or negative, depending on how you look at it), would shed some light already on the whole situation.