APD Toronto (Canada) asked:

Emails Exposing Passwords & Demanding Bitcoin

Hi Experts,

A month or so ago I received an email from myself claiming that one of my passwords had been exposed.  Fortunately, that was a dummy password (html123) to a non-secure test site. Plus, my email is Exchange, so I called MS; they confirmed it's phishing. I changed my Exchange password to a random one, as well as the test site's, and forgot about it.

Today, I received a similar email, but not from myself and with a more serious password (the one for my banking, etc.), a password that only I know.  Truthfully, I store all my passwords in an email folder, especially the random ones.  Chrome also remembers my passwords.

Both emails are demanding bitcoin. Obviously, I immediately changed my banking password, but has anyone received such an email? What needs to be done, in terms of this email and moving forward?

For 15+ years, I have been using Avast Internet Security without any issues.
Topics: Exchange, Chrome, Security, Web Browsers

Last comment: Kimputer, 8/22/2022 - Mon
ITguy565

I would suggest scanning all of your devices for viruses and rootkits, including your mobile devices. In addition to this, I would change "all" of my passwords using a computer that I was sure was not infected with malware.

After this was done, I would move all my passwords to a secure and encrypted password tracking application such as 1Password or LastPass. After my passwords were moved, I would delete all credentialed data from Chrome, and also the Windows credential manager and let 1Password and/or LastPass handle the authentication from now on.


1Password : https://1password.com/

LastPass : https://www.lastpass.com
APD Toronto

ASKER
How would I scan an iPhone, or do I need to?
APD Toronto

ASKER
Also, is scanning my PCs with Avast + Boot Scan sufficient?
ASKER CERTIFIED SOLUTION
ITguy565

ITguy565

I would download and run Malwarebytes on my PC https://www.malwarebytes.com as well as download and install Emsisoft https://www.emsisoft.com/en/software/eek/
ITguy565

It never hurts to run more than one antivirus when you are looking for malware. When you are done, just remove it if you are running the premium trial version.
hecgomrec

You may run all the antivirus and anti-malware software out there... you are not going to avoid this by doing so.

First, these emails are coming from all around the world, from different accounts and servers.  They will use what is, for me, a vulnerability or flaw in the email handling process.  The envelope of the email will have the real sender, but in the "TO:" field they will use this flaw to make it look like it is from yourself or someone else.  I'm not typing it here!!  The way they get your username and password can vary, from random code on websites you have visited to unverified code running with ads along with real information on the sites you visit.  Also, they can go and read your saved passwords regardless of where you put them.

At work a few people got this; it was easy to find out why only a few of them did... they all played online games at work!!!


If these passwords are valid and in use, then go change them and, for the love of God!!! do not save your passwords... better to type them every time you need them.  I know it might sound tedious, but that is my recommendation. By the way, I've used the same password for the last 25 years, since I created it... it has a capital letter, lower case letters, numbers and special characters with a length of 10, and I never store it anywhere, not even on my computer at home.
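As an added example that is not part of hecgomrec's post: the "email from myself" effect comes from the fact that the visible From: header is free text chosen by the sender, while the envelope sender (recorded by the receiving server in Return-Path) and the receiving server's Authentication-Results header are what actually identify where a message came from. The Python below, standard library only, parses a constructed message, compares the From: domain with the envelope sender domain, and extracts the SPF/DKIM/DMARC results. The message, domain names and IP address are invented placeholders, not data from the thread; in Outlook the raw headers are under File > Properties > Internet headers.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample (not a real message): the From: header is forged to
# match the recipient, but Return-Path and the receiving MX's
# Authentication-Results expose the real origin. All names are placeholders.
RAW_MESSAGE = b"""Return-Path: <bounce-83712@mail.bulkhost.example>
Received: from mail.bulkhost.example (mail.bulkhost.example [203.0.113.45])
\tby mx.victim-company.example with ESMTP id q7x3
Authentication-Results: mx.victim-company.example;
\tspf=fail smtp.mailfrom=mail.bulkhost.example;
\tdkim=none;
\tdmarc=fail header.from=victim-company.example
From: "Me" <me@victim-company.example>
To: <me@victim-company.example>
Subject: me@victim-company.example is compromised
Message-ID: <9d1f2c@mail.bulkhost.example>

Your password is html123. Pay 1 BTC within 48 hours ...
"""

# mechanism=result pairs as written by the receiving server
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def analyse_headers(raw: bytes) -> dict:
    """Return the facts needed to judge whether From: was spoofed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_domain = header_from.rpartition("@")[2]
    envelope_domain = return_path.rpartition("@")[2]
    # Authentication-Results may be folded over several lines and may
    # appear more than once; the regex tolerates both.
    auth_text = " ".join(
        str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    auth = {mech: result for mech, result in AUTH_RE.findall(auth_text)}
    return {
        "header_from": header_from,
        "return_path": return_path,
        # Strict alignment check; DMARC "relaxed" mode would also accept a
        # subdomain of the same organisational domain.
        "envelope_aligned": bool(from_domain) and from_domain == envelope_domain,
        "auth": auth,
    }


def spoofing_indicators(result: dict) -> list:
    """List the reasons to treat the visible sender as untrustworthy."""
    indicators = []
    if not result["envelope_aligned"]:
        indicators.append(
            f"From: ({result['header_from']}) is not aligned with the "
            f"envelope sender ({result['return_path']})")
    for mech in ("spf", "dkim", "dmarc"):
        outcome = result["auth"].get(mech, "missing")
        if outcome != "pass":
            indicators.append(f"{mech}={outcome}")
    return indicators


if __name__ == "__main__":
    for line in spoofing_indicators(analyse_headers(RAW_MESSAGE)):
        print("-", line)
```

A message that genuinely came from your own Exchange account would show your organisation's domain in both From: and Return-Path, and the server's own Authentication-Results would report dmarc=pass; a failing DMARC result on a From: that claims your own domain is the signature of this kind of spoofing.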
Dr. Klahn

These are going around all the time now.  So many different sites have been penetrated due to poor security that passwords are widely available for a few cents each, and you can buy email addresses associated with passwords by the million.

I got several amusing ones -- which would have been terrifying if I hadn't known what was going on -- over the last few months, with an obsolete password for LinkedIn and claiming that they had video from my computer's camera showing me surfing porn sites.  "That is quite a trick," says I, "considering that there are no cameras on any of my systems."

But as a point of good security, don't keep your passwords stored on your computer in any way, shape or form.  Buy a little notebook and keep them in there, written down, completely inaccessible to the computer except when you type them in.  Don't let any of your browsers store passwords; this is asking for trouble.  Use a random password generator (you can easily find them on the net), and use different passwords for each site.  Then when one of the sites you use gets broken into (and it will happen again; in the US big companies have no motivation to keep your personal info secure), you have two advantages.  One, that password won't open up any of your other accounts.  Two, when they say "I know your password, here it is" you look it up in your book and say, "Ah, Facebook ... again."
Kimputer

Check your emails on this website: https://haveibeenpwned.com
After the query, scroll down a bit to check if any breach involved the CLEAR or hashed password. If it's not there, the password must've been gotten from you. If the bank is listed, it's most likely they got the password from there. If your email was always stored server side, and the password of your email is listed, someone must have used that info to log in, and scanned through your email.
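Added example, not part of Kimputer's reply: the haveibeenpwned.com password check can be done without the password ever leaving your machine, because the Pwned Passwords API works on the first five hex characters of the password's SHA-1 hash (k-anonymity) and returns every matching 35-character hash suffix with its breach count. The Python below, standard library only, implements that lookup; it runs offline against a constructed range response, and the live fetcher contacts the real endpoint only when you call it yourself. A count of zero means the hash is absent from the corpus, not that the password is safe, since many breaches never become public.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response (lines of SUFFIX:COUNT) and return the count
    for our suffix, or 0 if it is absent."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range) -> int:
    """How often the password appears in the corpus. Only the hash prefix
    is passed to fetch_range, so only the prefix can leave the machine."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding asks the service to pad every response to a
    similar size so the transfer size does not hint at the range queried."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_fetch_range(prefix: str) -> str:
    """Constructed offline stand-in for the API (ignores the prefix): lists
    the suffix of the thread's dummy password 'html123' with an invented
    count, plus filler suffixes; padding entries carry a count of 0."""
    _, known_suffix = sha1_prefix_suffix("html123")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        f"{known_suffix}:1234",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:0",
    ])


if __name__ == "__main__":
    for pw in ("html123", "correct horse battery staple"):
        n = check_password(pw, fake_fetch_range)
        print(f"{pw!r}:", f"seen {n} times" if n else "not in this range")
```

To check a real password, call `check_password(pw, fetch_range_live)`. The breached-account (email address) search that Kimputer refers to is a separate API that requires an API key; the range endpoint above needs none.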
David Favor

I'm with Dr. Klahn... Some of these messages are super amusing.

1) Never pay them.

2) Never respond.

3) I've put a filter now that bounces all these, at send time, saying "The user you're trying to reach no longer has a mailbox here..."

4) Never, ever, ever use the same or even a similar password twice.

I generate unique 16-32 byte alphanumeric strings for all my passwords and keep these passwords in a strongly encrypted file.

Using services which gather together passwords... gives me the willies...

Some day LastPass will be hacked or the company bought by an organized crime syndicate or one of the underpaid employees there will sell the entire database.

Keep this in mind when you divulge all your passwords to some convenience service.
Terry Woods

If it's not there, the password must've been gotten from you.
@Kimputer, that's not correct. There are plenty of data breaches where the data hasn't been made public, and therefore isn't available to the haveibeenpwned.com site.
APD Toronto

ASKER
Can I export all my passwords from Chrome and Windows Credentials, so I know where I have used the exposed password?
APD Toronto

ASKER
I also don't have a camera connected, but the email's contents were the ones you described above regarding the porn sites. However, we have very intimate photos of my wife and myself that are private. Should I be worried?

Also, could it be malware on my iPhone?
Terry Woods

You can export passwords to .csv from Chrome as follows:
1. Open the Chrome Settings page
2. Click Passwords
3. To the right of "Saved Passwords", click the 3 vertical dots; there should be an option "Export passwords".
[Screenshot: Chrome Settings, Export passwords]
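Added example, not from Terry Woods' answer: once the CSV is exported, the asker's question ("where have I used the exposed password?") becomes a simple pass over that file. The Python below reads a constructed file in the shape of Chrome's export (header row `name,url,username,password`; every site, user name and password is invented), lists the hosts where a given exposed password is saved, and also reports every password reused across more than one host, since each of those is the next account at risk. The exported CSV is plaintext, so delete it securely once you are done. Windows Credential Manager has no equivalent export; `cmdkey /list` at least enumerates what is stored there.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the layout of a Chrome "Export passwords" file.
# Every site, user name and password below is invented.
SAMPLE_EXPORT = """name,url,username,password
online.bank.example,https://online.bank.example/login,apd,Tr0ub4dor&3
testsite.example,http://testsite.example/,apd,html123
forum.example,https://forum.example/signin,apd@mail.example,Tr0ub4dor&3
shop.example,https://shop.example/account,apd,c9Xq!7mP2vL#
"""


def load_entries(csv_text: str) -> list:
    """Parse the export into dicts with a normalised 'host' field."""
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Newer Chrome versions add a 'note' column; .get keeps this tolerant.
        host = urlparse(row.get("url", "")).hostname or row.get("name", "")
        entries.append({"host": host,
                        "username": row.get("username", ""),
                        "password": row.get("password", "")})
    return entries


def sites_using(entries: list, exposed_password: str) -> list:
    """Hosts where the exposed password is saved; change all of these."""
    return sorted({e["host"] for e in entries if e["password"] == exposed_password})


def reused_passwords(entries: list) -> dict:
    """password -> sorted hosts, for every password saved on 2+ hosts.
    Keys are the passwords themselves, so keep the output off disk."""
    by_password = defaultdict(set)
    for e in entries:
        by_password[e["password"]].add(e["host"])
    return {pw: sorted(hosts) for pw, hosts in by_password.items() if len(hosts) > 1}


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    print("exposed 'Tr0ub4dor&3' is saved for:", sites_using(entries, "Tr0ub4dor&3"))
    for pw, hosts in reused_passwords(entries).items():
        print(f"reused on {len(hosts)} hosts:", ", ".join(hosts))
```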
APD Toronto

ASKER
These are the results from Malwarebytes... what does it mean?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/27/18
Scan Time: 1:00 PM
Log File: 5f7d8700-f26e-11e8-a498-180373be0e53.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.482
Update Package Version: 1.0.8047
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: OPTIPLEX\Nataliia & aleks

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 530134
Threats Detected: 10
Threats Quarantined: 0
Time Elapsed: 17 min, 37 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\PRODUCTSETUP, No Action By User, [407], [481004],1.0.8047
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\CSASTATS\ic, No Action By User, [407], [586068],1.0.8047

Registry Value: 1
PUP.Optional.InstallCore, HKU\S-1-5-21-977892953-2162632028-4269820573-1000\SOFTWARE\PRODUCTSETUP|TB, No Action By User, [407], [481004],1.0.8047

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
PUP.Optional.WinYahoo.TskLnk, C:\USERS\NATALIIA & ALEKS\APPDATA\LOCAL\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}, No Action By User, [714], [484244],1.0.8047

File: 6
PUP.Optional.WinYahoo.TskLnk, C:\USERS\NATALIIA & ALEKS\APPDATA\LOCAL\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\sona, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\config.dat, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\info.dat, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\install.log, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\Sqlite3.dll, No Action By User, [714], [484244],1.0.8047
PUP.Optional.WinYahoo.TskLnk, C:\Users\Nataliia & aleks\AppData\Local\{F856CE0A-DCFE-A2B2-B166-875A950E7BC2}\uninst.dat, No Action By User, [714], [484244],1.0.8047

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


Kimputer

Only a low-risk potentially unwanted program (PUP) was found (Yahoo isn't gonna risk going full malware, to protect their brand name).
It would have been helpful if you had actually checked what I asked you, though. Because a positive (or negative, depending on how you look at it) would already shed some light on the whole situation.
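Added example, not part of Kimputer's reply: the pasted Malwarebytes log is regular enough to triage programmatically, and two fields in it deserve more attention than the thread gives them: `Rootkits: Disabled` (the scan did not look for rootkits at all) and `Threats Quarantined: 0` (every detection reads `No Action By User`, so nothing found was removed). The Python below parses a constructed excerpt in the same layout as the asker's log (paths shortened, user name replaced) and produces a short triage. Malwarebytes' `PUP.` and `PUM.` prefixes denote potentially unwanted programs and modifications, which is the basis for the "low risk" judgement above; any detection outside those prefixes would warrant treating the machine as compromised.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes 3 text log above.
# The user name and most of the paths have been shortened or replaced.
SAMPLE_LOG = r"""-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 530134
Threats Detected: 3
Threats Quarantined: 0

-Scan Options-
Memory: Enabled
Rootkits: Disabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 2
PUP.Optional.InstallCore, HKU\S-1-5-21-0-0-0-1000\SOFTWARE\PRODUCTSETUP, No Action By User, [407], [481004],1.0.8047
PUP.Optional.InstallCore, HKU\S-1-5-21-0-0-0-1000\SOFTWARE\CSASTATS\ic, No Action By User, [407], [586068],1.0.8047

File: 1
PUP.Optional.WinYahoo.TskLnk, C:\Users\user\AppData\Local\{GUID}\Sqlite3.dll, No Action By User, [714], [484244],1.0.8047

(end)
"""

# "Threat.Name, location, action, [ids]..." detection lines
DETECTION_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+),\s*(?P<location>.+?),\s*(?P<action>[^,\[]+),\s*\[")
# "Key: value" summary and option lines
KEYVAL_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.+)$")


def parse_log(text: str) -> tuple:
    """Return (summary dict, list of detection dicts)."""
    summary, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append({k: v.strip() for k, v in m.groupdict().items()})
            continue
        m = KEYVAL_RE.match(line)
        if m:
            summary[m["key"]] = m["value"]
    return summary, detections


def triage(summary: dict, detections: list) -> dict:
    """Classify detections and flag gaps in the scan itself."""
    families = Counter(d["name"] for d in detections)
    only_pups = all(d["name"].startswith(("PUP.", "PUM.")) for d in detections)
    unremediated = sum(1 for d in detections if d["action"] == "No Action By User")
    warnings = []
    if summary.get("Rootkits") == "Disabled":
        warnings.append("rootkit scanning was disabled; re-run with it enabled")
    if detections and int(summary.get("Threats Quarantined", "0")) == 0:
        warnings.append("detections were reported but nothing was quarantined")
    if not only_pups:
        warnings.append("non-PUP detections present; treat the machine as compromised")
    return {"families": dict(families), "only_pups": only_pups,
            "unremediated": unremediated, "warnings": warnings}


if __name__ == "__main__":
    report = triage(*parse_log(SAMPLE_LOG))
    for family, n in report["families"].items():
        print(f"{n} x {family}")
    for warning in report["warnings"]:
        print("WARNING:", warning)
```

Run against the asker's full log the same two warnings come out: the PUP entries are adware remnants rather than a credential stealer, but the scan that produced that verdict skipped rootkits and cleaned nothing, so it does not by itself answer whether the machine is clean.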