INTRODUCTION
Here’s a clever new twist on an old email scam that makes the con far more believable. The message claims to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The sender threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email references a real password previously tied to the recipient’s email address.
Example Sextortion Email
“You don’t know me so you’re probably wondering why you received this email, right? I know that, [PASSWORD REDACTED], is your password.
Well, I actually placed a malware on a porn website and guess what, you visited that website to have a little fun (you know what I mean). While you were watching the video, your web browser acted as an RDP (Remote Desktop) and a keylogger, which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What did I do next?
I made a split-screen video. The first part recorded the video you were viewing (you’ve got fine taste, hehe), and the next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1,400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know how to do this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)Important:
You have 24 hours in order to make the payment. (I have a unique pixel embedded within this email, and right now I know that you have read this email). If I don’t receive the payment, I will send your video to all of your contacts, including relatives, co-workers, and so forth. However, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video to 5 of your friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.”
The Power Passwords Hold over Us
Most passwords are a bit like abusive spouses: they’re meant to protect us, but we chose the dumb one with a pretty face, and now we’re constantly afraid of them hurting us (to learn how to develop healthy relationships with passwords, read Ryan’s post on the subject). Most people, even those who feel as though they could have been seen in a compromising position, would normally be too smart to fall for this kind of scam with no evidence. Including a real password makes it seem more convincing, though, which is why so many people fall for them.
How did they get your password? It is likely that this scam is at least semi-automated: most likely, the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular website, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked website. There are also a number of shady password lookup services online that index billions of email addresses and passwords stolen in some of the biggest data breaches to date.
In the past several years, major companies such Adobe, eBay, LinkedIn, and Yahoo (twice) have fallen victim to database intrusions, massive security failures that let thieves steal billions of username-password combinations. If a breached company was responsible, it contacted affected users right away and forced them to change the passwords. If the company was negligent, and many are, you should run your email addresses through the HaveIBeenPwned breach-checking website (it’s safe to use.)
The Guilty Conscience Scam
This is a variation of the scam detailed above, purporting to expose your infidelity. Rather than finding a user’s password, the trick to this scam is that the sender has found the user’s real name and home address.
“[NAME REDACTED], I know about the secret you are keeping from [NAME REDACTED] and everyone else. More importantly, I have evidence of what you have been hiding.
It’s just your bad luck that I stumbled across your misadventures while working a job around Los Angeles. I then put in more time than I probably should have looking into your life at [ADDRESS REDACTED]. Frankly, I am ready to forget all about you and let you get on with your life. And I am going to give you two options that will accomplish that very thing.
Option 1: Ignore the message and the aforementioned evidence will be sent to your wife, her friends, her family members and your neighbors.
Option 2: Pay a “confidentiality fee” of $8,600 in bitcoin and your secret remains your secret. I’m not looking to break your bank. I just want to be compensated for the time I put into investigating you.
The clock is ticking, [NAME REDACTED].”
Do Not Pay the Ransom
If you receive an email like this, it’s best to ignore it. And most people will, but that doesn’t mean the scammers aren’t making a lot of money out of the sizable minority who panic and pay. This works because beyond believability and a false sense of urgency, the greatest trick is to instill a sense of dread and panic, which is a massive motivating force. Remember, once you transfer cash in the form of bitcoin or any other digital currency, it’s gone, never to be seen again.
According to security researcher SecGuru, after examining 42 bitcoin addresses used in this scam, he discovered that 30 victims have paid the blackmail demand for a total of over $50,000 in a single week.
The Good News
Sextortion—even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand—is a serious crime, and the government is actually doing something about it. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: contact your local FBI office (or toll-free at 1-800-CALL-FBI), or file a complaint online using their ic3.gov site.