u587162 asked:
Received a ransomware email

Just saw an email in my gmail spam which claims to be from someone who claims to have installed some malware from a visit on an adult web site.  He has part of a password phrase that I use but I have a unique password for each site.

He's obviously asking for money in bitcoin.
Claims to also have video footage of what I've watched and from my MacBook Air camera.  I doubt the latter as it's a Mac and no light comes on my camera.  I have two-step verification on my Gmail and the email address he correctly has is a forwarding domain name, e.g. peter@neverland.com forwards to petersurname@gmail.com

Suggestions as to what I should do?  I can't identify the web site where it was taken from; could be a hack from a web site, I'm not sure.  What good Mac detection tools are there?
Bill Prew

Likely just a hoax / phishing.  Unless you see something odd on your computer, I'd ignore it.


»bp
Delete the email. It's just spam.
They use the leaked email/name databases and send out spam.
u587162 (ASKER)

Thanks, I just updated the question.  Suggestion as to what software to run on the mac to check for malware etc?

I do have problems with my MacBook keys; the QWERTY set of keys get stuck every few days and I have to keep pressing them to get them to work, but I think that's a fault more than anything else.   Been like that for a year.
 I doubt the latter as its a mac

Yeah, they aren't infallible, and thinking like that is a risk in its own right.

Claims to also have video footage of what I've watched and from my macbook air camera.

Get a camera shutter

could be a hack from a web site

That can be done too.

However, just ignore it, worst case scenario your willy ends up going on Facebook, stand proud! Best case, nothing happens.
He has part of a password phrase that I use but I have a unique password for each site.
Figure out which site and change the password.  Then forget it.  Criminals hack Yahoo (for example), get your email address and password there... then as proof you've been hacked, they email you and demonstrate they have your password to trick you into paying them bitcoin.

No one can say with 100% certainty that this is a scam... they could have your info... but 99.999% chance it's a scam.  I get these 10 times per week...
u587162 (ASKER)

lol no *illy to show, the worst someone will record is me picking my nose or watching netflix.   Guilty as charged.  
Just ordered a camera shutter on amazon an hour ago.

It's not possible to hack an email account though, is it, when two-step verification is on, unless they have the physical phone to receive the text?

Might be hard to identify the site.
Just adding my agreement that this is spam. Hackers break into some 3rd party site that hasn't properly secured its passwords, and they get your email address and password from that site. Since a lot of people reuse the same password everywhere, there will be one or two people who think, "Oh no! They have my password, so this must be true!" It's hackers using a small bit of information to bluff and pretend that they have more footage - all in order to push people into sending money.

You have to figure that even with today's cheap storage options, recording hours and hours of footage of everyone would be ridiculous (not to mention that virtually every web camera is pointed chest and up). Just ask yourself how many times you've actually heard of such footage being released for some average person (answer: never), and you'll get an idea of how legitimate the threat is.
Its not possible to hack an email account though is it, when 2 step verification is on unless they have the physical phone to receive the text.
Sure it is, but it's a lot more complicated. A hacker could steal your cookies to log himself/herself in, but that requires a pretty extensive level of access to do, so it's very unlikely for any site (unless that site was built by a beginner).

Or the hacker could intercept the text if they can get to the cell phone towers near you or if your text is exposed to other mediums (e.g. they break into your PC via a remote admin and you have Messages for Web or something like that running). But again, it requires a pretty concentrated level of effort to do that. So unless you're a politician or A-list movie star, you're probably not worth the extra effort (nothing personal).
Try putting the email address they used to contact you at here:
https://haveibeenpwned.com/

It's a database of the major data breaches where email/password combinations have been hacked.
Hoax.

And it's best to always keep offsite backups.
It's a hoax; I get at least 20 of these a day!

They are using old information from previously hacked orgs!
I get these several times a month, and the "here's proof, I have your password" password is one from Yahoo several years back.  Now I use the Random Password Generator web site and generate new passwords for all accounts at least once a year.

I must admit that I do find "I have video of you from your camera" particularly amusing.  "Ah, so ya snuck in and installed a camera when I wasn't looking, didja?  One that I can't see in Device Manager?  Yer a clever boy."
Just another voice agreeing that it is a hoax.  I get several a week and have been ignoring them for months.
If you know which site it was originally for, go change that password and never use that password again.

I've only ever gotten one hoax email about my password and it's an old password from a yahoo hack that I had changed when yahoo 1st notified me.  This was years before they got in the news for the breach, and I had changed it at least 5 years before the email scam.  Never got any other scam/phish/hoax.
u587162 (ASKER)

1. How do cookies contain passwords?  That surprised me.

2. What about recommendations for malware protection for a Mac? (not a Google search but a recommendation)

3. MASQ > Thanks for that link, very helpful.  It shows Houzz, adobe, Verifications.io, Onliner Spambot as sites that may have exposed me.  
The email that was sent by the person, says there is tracking technology built into one pixel of the email.  I know such technology exists, html or something which can then inform them via tracking even though I see no sent mail go out.  How is that possible?
3. It is possible; it's a standard technique for mailing lists to know if the email has been delivered, opened and read!!!

But your email does not contain this; the entire email is a hoax. Please ignore it and delete it, or in your country forward it to your phishing police squad!!!!
They are conflating web beacons with the whole scam.  Given how ancient that tracking technology is, it would be really surprising if your email browser didn't block that on receipt, but as you describe it, it fires a distant memory that these things are possible.

So if you're already panicking that the web camera (that you don't have) has filmed something (you didn't do) and then some remote access software (that you haven't got installed) sent the video (that doesn't exist) to someone, etc ... it just adds to the psychological pressure to respond.  This is how social engineering works.

Hopefully you've already enough reassurance that they've just grabbed an old password from a publicly available list and are waving it at you to try to scare you into action.

Now, if you were foolish enough to be still using the same password on most of your accounts ...

BTW cookies routinely can be used to store your password (usually encrypted), whenever you tick "remember me on this site" that's what you're asking the site to do.  It even happens here.  If you delete your EE cookies you'll find yourself logged out (even if you've asked your browser software to also remember the password for the site).
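The web beacon discussed above is a remote image, usually 1x1 pixel or hidden, whose fetch tells the sender the mail was opened. The following scanner is an added example and not code from this thread: it walks the HTML of a mail body with Python's standard-library parser, lists every image that would be fetched from a remote host, and flags the ones sized or styled like a beacon. The mail body and the hostnames in it are constructed for the example; inline (`cid:`) and `data:` images are skipped because they cannot phone home.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageScanner(HTMLParser):
    """Collect the attributes of every <img> whose src points at a remote host."""

    def __init__(self):
        super().__init__()
        self.remote_images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        src = attributes.get("src", "").strip()
        # cid: (inline attachment) and data: URIs are rendered locally; only
        # http(s) sources cause an outbound request when the mail is opened.
        if urlparse(src).scheme not in ("http", "https"):
            return
        self.remote_images.append(attributes)


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    value = value.strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return value.isdigit() and int(value) <= 1


def find_beacons(html):
    """Return (all remote image attribute dicts, list of src URLs that look like beacons)."""
    scanner = RemoteImageScanner()
    scanner.feed(html)
    beacons = []
    for attributes in scanner.remote_images:
        style = attributes.get("style", "").replace(" ", "").lower()
        tiny = _is_tiny(attributes.get("width", "")) and _is_tiny(attributes.get("height", ""))
        tiny = tiny or ("width:1px" in style and "height:1px" in style)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            beacons.append(attributes["src"])
    return scanner.remote_images, beacons


# Constructed sample mail body: an inline logo, a normal remote banner and a tracking pixel.
SAMPLE_EMAIL_HTML = """<html><body>
<p>Hello!</p>
<img src="cid:logo@mail" width="120" height="40">
<img src="https://img.example-constructed.test/banner.png" width="300" height="200">
<img src="https://track.example-constructed.test/open.gif?u=abc123" width="1" height="1" style="display:none">
</body></html>"""


if __name__ == "__main__":
    remote, beacons = find_beacons(SAMPLE_EMAIL_HTML)
    print(f"{len(remote)} remote image(s) would be fetched on open")
    for url in beacons:
        print("likely beacon:", url)
```

The first return value is the more useful one for a mail client setting: any remote image, beacon-shaped or not, reveals that the address is live when it is fetched, which is why the advice in this thread to disable linked images applies to all of them, not only the tiny ones.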
My advice: use LastPass and start changing all passwords to complex passwords, and start using 2FA where applicable.
u587162 (ASKER)

In the last few years I have started using a password with an algo in my head that makes it unique: part of the same password but with additional combinations of letters based on the domain name that I visit, jumbled according to a formula, e.g. add 3 letters to the second letter in the web address and minus 5 characters from the 5th letter etc.   So unless someone can hack into my head, they will not guess the unique password.  

But as I say, they may have guessed part of the password OR used a password from many years ago when I didn't apply an algo to the password, so some sites may have had the same password.....but it's difficult to identify which.

I do have a web camera, but I rarely use it and don't see any lights on.  Can someone really remotely activate a camera on a Mac without the LED light coming on?

BTW I'm not asking all these questions because I'm panicking; I'm asking only out of curiosity to understand better.
Are you familiar with Zero Day vulnerabilities and exploits?  As per Wired: Zero day actually refers to two things—a zero-day vulnerability or a zero-day exploit. Zero-day vulnerability refers to a security hole in software—such as browser software or operating system software—that is yet unknown to the software maker or to antivirus vendors.  But just because they are not yet known to the software maker doesn't mean some malicious criminal hasn't found it. So while IN THEORY there is no known, unpatched issue that would allow someone to control your web cam, that doesn't mean a criminal hasn't found a way.  Or for that matter, a government (see here).

Personally, I use KeePass for tracking passwords and though for years I used similar ones depending on the sensitivity of the site, I have since started using 16-32 character passwords and 2FA wherever possible.

Keep in mind, practically NOTHING is hack proof.  Ask a true hacker... they can read your VGA monitor with the proper tools wirelessly.  Even air gapping can be hacked... it's REALLY hard and few people can do it... the right tools and environments may be needed, but virtually everything can be hacked.  The question is, is it worth the time and effort to hack it?
While you can't enable your own camera without the green light coming on, the NSA has succeeded in doing so.  That green LED is software controlled, so that it comes on when the camera comes on.  If you write your own low level driver, you can tell it not to turn on when you activate the camera.  The newer Dell and Lenovo laptops come with a built-in screen cover slider for this very reason.  I'd prefer they just have a real on & off switch that goes along with it, as well as an on & off switch for the microphone, like they used to have.  I want them off, and completely disconnected, so they can't use any electricity and suck up the battery.
https://www.eff.org/deeplinks/2013/04/how-protect-against-laptop-webcam-hacking

The cookies don't actually need to keep your password, just an active session token to maintain the connection.  It doesn't have to be related to the password.  It's actually best if it's not a password.  This means if someone has access to your cookie, they can impersonate you without knowing your password or get access to knowing your password.  Having a session cookie means you can sign out and force a disconnect of the session for anyone that may have intercepted your session cookie.  Once signed out, you shouldn't be able to use that stale session token to reconnect.  This makes it more secure, but that means you should periodically sign out, then sign back in, to clear the session, so that you can get a new session token.
https://en.wikipedia.org/wiki/Session_ID

If you don't want web beacons, turn off all linked images and JavaScript in your email and you'll be able to stop the email web tracking beacons.
https://en.wikipedia.org/wiki/Web_beacon
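The point above, that a cookie carries a session token which is unrelated to the password and which signing out invalidates, is easiest to see in code. The following is an added example, not code from this thread or from Experts Exchange: a minimal server-side session table in Python. The password is verified against a PBKDF2 hash and never stored in the cookie; the token is 32 random bytes from `secrets`; a copied token impersonates the user only until it expires or the user signs out. The user record, salt and password are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user table: a PBKDF2 hash of the password "correct-horse-2019", never the password.
_SALT = b"constructed-static-salt-for-example"


def hash_password(password, salt=_SALT):
    """Slow, salted hash used only at login time; it never leaves the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


USERS = {"peter": hash_password("correct-horse-2019")}


class SessionStore:
    """Server-side table of live sessions: token -> (username, expiry time)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, username, now=None):
        now = time.time() if now is None else now
        # 256 bits of randomness; nothing about the password can be derived from it.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, now + self.ttl)
        return token

    def user_for(self, token, now=None):
        """Return the username bound to a token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[token]
            return None
        return username

    def revoke(self, token):
        """Sign out: the stale token can no longer be used, even by someone who copied it."""
        return self._sessions.pop(token, None) is not None


def login(store, username, password, now=None):
    """Verify the password once and hand back a session token to put in the cookie."""
    stored = USERS.get(username)
    if stored is None:
        return None
    if not hmac.compare_digest(stored, hash_password(password)):
        return None
    return store.create(username, now=now)


def request_with_cookie(store, cookie_token, now=None):
    """What a later request looks like to the server: only the cookie decides."""
    user = store.user_for(cookie_token, now=now)
    return f"200 hello {user}" if user else "401 please sign in"


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=600)
    token = login(store, "peter", "correct-horse-2019")
    print(request_with_cookie(store, token))   # 200 hello peter
    store.revoke(token)
    print(request_with_cookie(store, token))   # 401 please sign in
```

Two things follow from the design: a leaked token gives access without revealing the password, and the defence is short lifetimes plus sign-out, which is exactly the "sign out periodically" advice above.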
u587162 (ASKER)

As I mentioned before, I've now got a privacy slider.
u587162 (ASKER)

I've just looked at my Chrome passwords and usernames and the only one associated with the dodgy email I received is Evernote.  Does anyone know if Evernote was recently hacked?
Evernote had a breach back in 2013.  Was your password changed since then?

There's also a recent suspicion of a breach that evernote has not verified.
https://discussion.evernote.com/topic/119126-security-breach-more-serious-than-made-out-by-evernote/
https://discussion.evernote.com/topic/117044-possible-security-breach/

There was a recent evernote extension flaw that affected 4.6 million users.  Do you use the extension?
https://www.fightingidentitycrimes.com/evernote-web-clipper-security-flaw/
u587162 (ASKER)

I honestly cannot remember.  Most probably it has, but I haven't used it in a few years.  Having checked my emails I see my password was changed on 4 September, but again, as silly as it sounds, I cannot remember if I changed it or not because with a new PC at work my Chrome add-ons were downloading and it's possible I may have reset it.  Anyhow, I have just changed it again now.

Usually I recall things pretty well but not this time around.  I am changing my password now for this site, but certainly from my Chrome saved passwords, my email address used (I have several) and passwords associated with this suspicious email seems to be a one off.

That said, in my Gmail spam folder I seem to have received another suspicious email (also from an Outlook account) with nothing but a PDF attachment.  The email subject line contains part of the passphrase password and a 4 digit number to open the PDF.  I haven't opened it, but if I open it in browser mode rather than downloading it, is that ok?  More curious than anything else.
Delete those.  You could be opening malware.  If you really want to mess with malware, you need a spare, sacrificial computer that you can wipe, just in case it takes over your system.  It also needs to be disconnected from your network when you try it.  Reinstall the OS when you're done.
u587162 (ASKER)

Ok, I won't open it.  But if you open it in Gmail browser screen view mode, can you still download malware?  It's not like it's asking me to open an MSI file or EXE or Flash file?

Nobody here has suggested any recommended malware apps for the Mac.  Does nobody know any?

I've checked my Evernote account history; it does not seem to have had any activity in the last month.
If in doubt about an email from someone you don't know, Google it; there is a high chance you are not the only person that was targeted!!

Also stick a sticker over your microphone as well!!!
u587162 (ASKER)

I have already googled the Outlook email; it comes up with nothing.
DON'T save passwords in your browser!  That is the first place malware looks.
You can install any free AV that you find in Google.  I've used Avira and Avast for home.  I also use the free version of Malwarebytes and just do manual scans.  Workplaces have used paid AV like ESET and Bitdefender.  Since a Mac is also a POSIX compliant Unix, you may also want to run rootkit scanners if you run a webserver.

Mac AV mostly scans for Windows viruses to prevent the spread to Windows users.  There are only a handful of Mac viruses out there, and they've been taken down, so far.

It's better to install an adblocker and privacy badger to block malware ads and 3rd party tracking.  I also block scripts in my main browser, but that's tedious for a regular user to manage.
u587162 (ASKER)

Downloaded and tried Malwarebytes and that seems to indicate that my MacBook is clear.  That said, I need to check my wife's laptop too.

Who doesn't save passwords in their browser.  You have to have an element of convenience too.
I mean, I have been using the internet since 1995 and this is the first serious issue I have seen so it kind of gives you an idea of my level of conservative security preferences and care taken.....

My wife's MacBook has indicated 2 threats, Duplicate Photo Fixer Pro and Photos Duplicate Cleaner app, but they have been on there for over a year without much of an issue.
For the benefit of those that may read this thread later... here's a similar copy of the "phishing" hoax attempt I receive daily!

Please note email address, password and Bitcoin address have been changed.

Hello!

I have very bad news for you.
03/09/2019 - on this day I hacked your OS and got full access to your account andrew.hancock@wellknown.domain.com
On this day your account andrew.hancock@wellknown.domain.com has password: dogsdinner1984

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $850 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1GR7rJfntdcbfxyfhrth5teRDby4z5ex1ou4Z

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you a little over two days (exactly 55 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, I sent this email from your account)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
 This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Good luck.
Browsers now do have extra security, but password managers are made for this very thing. They have plugins for the browser to make things easier. You don't have to give up convenience in order to be slightly more secure.
u587162 (ASKER)

I face two problems with password managers for the computer.

1. In the password app (for iPhone) I always store the password hint as my password, never the actual password.  Call it over-protection or what you will, so it would mean that I start trusting an actual piece of software to store my real passwords.....but then granted, it's better than browser storage I suppose.

2. I cannot install it on the office computer, which is fully locked down.
There's a new variation which is the encrypted pdf which you describe using your details taken from the links mentioned earlier.

Again it's using social engineering to say - "even though you don't recognise the source of this it has details associated with it that are familiar so perhaps I should check it".

These are usually ransomware trojan droppers engineered to look like a PDF and because they are encrypted your system can't spot this until you enter the password to decrypt.

Again these are spammed to millions of users as only a fraction of a percentage of those need to be fooled to make the scam financially worthwhile.
It's not really a serious issue.  You likely haven't been hacked.  They spam these emails and hope someone falls for it and clicks on their trojan.  Delete them.  If this is your most serious issue, then you've done a better job than most people at protecting password credentials.  If you've changed your password already, then it's time to ignore it and move on.

Check for your passwords at https://haveibeenpwned.com/Passwords and if they exist there, then change them and never use them again.  If you don't feel comfortable entering your password, then download that 11.1 GB database, convert your password to a hash and check it against that list of hashes.  I did that and only found one password on it, and I had already changed away from it long ago.  Spammers tried to scam me with that old password in one of those scam phishes and I just laughed it off.  They can try that old password all they want.  It's not going to get into anything.
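The hash-based check described above can be done without ever sending the password anywhere. The Pwned Passwords service is queried by the first five hex characters of the password's SHA-1, and the answer is every hash suffix in that bucket with a breach count, so the full hash never leaves your machine; the same hash can be matched against the downloaded list line by line. The code below is an added example and not from this thread or from Have I Been Pwned; it assumes the public `https://api.pwnedpasswords.com/range/<prefix>` endpoint and its `SUFFIX:COUNT` line format. The range response and breach counts embedded in it are constructed so the example runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest form the Pwned Passwords list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix, range_text):
    """Scan a 'SUFFIX:COUNT' response for our suffix; 0 means not in the bucket."""
    for line in range_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix):
    """Fetch one bucket from the live API (not used by the offline demo below)."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "pwned-range-check-example"}
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def check_password(password, fetch_range=fetch_range_online):
    """Return how often the password appears in breaches, querying only its hash prefix."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def check_against_local_list(password, lines):
    """Offline variant: stream the downloaded 'SHA1:COUNT' file (any iterable of lines)."""
    target = sha1_hex(password)
    for line in lines:
        digest, sep, count = line.strip().partition(":")
        if sep and digest.upper() == target:
            return int(count)
    return 0


# Constructed stand-in for the bucket 5BAA6 (which holds the SHA-1 of "password").
# The counts are made up for the example; the real bucket is much larger.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:1
0D0F6E1A2B3C4D5E6F708192A3B4C5D6E7F:12
"""


def constructed_fetch(prefix):
    """Offline replacement for fetch_range_online using the constructed bucket."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "a-long-random-phrase-nobody-else-uses"):
        hits = check_password(candidate, fetch_range=constructed_fetch)
        print(f"{candidate!r}: seen {hits} time(s) in the constructed sample")
```

Replace `constructed_fetch` with the default `fetch_range_online` to query the real service; either way, only the five-character prefix is ever transmitted. For the downloaded list, pass the open file object to `check_against_local_list`, which reads one line at a time rather than loading the whole file.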
Regarding password managers - for locked-down computers, most institutions will install a password manager for you - it protects the network as well.  I recommend that, whichever password manager you use, after you sync from your computer to your phone you delete any cloud data, if it exists.

One of our members, Andrew Leniart, did an excellent review of Password Managers here:

https://www.experts-exchange.com/articles/31413/Password-Managers-5-of-the-best-reviewed-Part-1.html

There are 2 or 3 parts to this article, all worth the read.
Password managers are not a panacea.  There are a few accounts where you should just memorize the password.

https://www.zdnet.com/article/lastpass-bug-leaks-credentials-from-previous-site/
Because a couple of PMs were hacked, that does not make them something to avoid.  That is also the reason I refuse to keep my password data in the cloud.  The PM I use (Sticky Password) does not store your master password anywhere but on your local machine and uses securely encrypted tokens to authenticate you remotely (I had a long talk with their tech people).
I can only mirror what others have already said regarding the claims of them having footage of you recorded. I've got 100+ of those emails over the last 12 months and I've yet to see anything posted. I'd be curious how they're filming me given that when not in use, my laptop built in webcam has a nice removable sticker over it. Something I've made a habit of doing for years.

In so far as password managers, you might like to check out an article I wrote on that very topic, comparing some popular ones.

Password Managers - 5 of the best reviewed!  (Part 1)

If you find it of interest and have any questions, please feel free to reach out.

Regards, Andrew
You still need a backup of the passwords that you place in a password manager.  Services can get hacked.  Programs can crash.  If you use a local password manager and you get ransomware, you could lose those passwords.  Password managers are not a panacea.  It's a tool like any other.  You need to be aware that you will always need a backup of your passwords.

There are some passwords that you should never save, such as the master password to a password manager.  If this is for a company, you may need an escrow of the master passwords, or just have them saved somewhere else where people can recover them in an emergency.

No matter what you do you need a protocol to protect your passwords so you have backups.
@serialband,

Agreed about backups.  I am a firm believer in having them in at least 2 places other than the original.  I have both written articles on it and practice it myself.  My passwords are no exception; although I don't have a Word file on my computer named "passwords" (yes, we have all seen that "security"), I do have several backups.  Although I love my password manager, I do not rely on it to that extent.  I do know several passwords that are the ones I either need to know daily and do not trust to anything but my brain, or ones that should not be stored anywhere (like my financial login info).  That said, I still have several hundred passwords I have accumulated over the years and am certainly unable to remember so many unique passwords/passphrases/etc - hence the password manager.
Hi u587162,

@all, forgive me I didn't read all 44 comments. I just wanted to address the initial concern.

This is a widely known scam that started surfacing in 2018 called Sextortion Email Scams.

Basically how it works is that cybercriminals get database dumps that occurred from previous breaches, so they have your name, email, and password. Just having that info is enough to scare people into believing they have hacked your system, captured the victim pleasuring themselves to porn, and can remotely access the system (mic & camera) whenever they want.

Action: Report as phishing & delete.

As a side note, the database dumps they have been using are very old, so if you recognize your password as being a current one it's time to implement a password vault service like Dashlane or the like. That way the vault remembers very complicated passwords for all your sites and you only have to remember one complicated password to access the vault. It's easy to use as it auto-logins and auto-generates new passwords for your existing sites. If you have stored passwords you can import them. There is some leg work upfront, but once you understand how big your internet footprint is, it becomes very easy to manage thereafter.

Let me know if you have any questions!
u587162 (ASKER)

But what about sites which do not auto-populate the username and password fields?  Having a password manager like that surely won't work?
Correct, you'll have to manually enter username and password details or remember them, or make a note somewhere securely!
It depends on exactly how your password manager and that web site work.  Some browser and password manager mixes allow some of those to be filled too.
Many of the vaults look through the source code for the fields within forms...in modern browsers (namely Firefox & Chrome, but others as well) they auto-populate 99.999% of the time. And for the .001% that don't...the vault has a copy/paste function. If that is still too inconvenient, I guess getting owned is your alternative, because there is no better way to securely manage truly strong and unique passwords across your entire online footprint. On average a normal user's footprint is about 150-200 sites (databases), power users are 300-500 sites, and until you perform an audit on your own footprint everyone typically has this notion that they only access a few sites.

There are also features in Dashlane like breach detection where it will notify you of a breach and you can simply make one click within the vault to update all your passwords automatically. Then the vault will login with the previous credentials and change the passwords uniquely on the site and at the same time update the vault with the newly created ones as well.

I'm not sure if it can get more convenient. :)