Sextortion Scam with a Disturbing Twist
Online “sextortion” scams are nothing new. They claim to have information, pictures and/or video of you in a compromising situation and ask for a little hush money to keep it between ‘friends’. Lately though, there is a new twist that has many people doing a jaw drop and becoming very concerned. What causes this nervous reaction: The email contains a real password of the victim.
But how! Read on…
Here is how a common variety of the email reads:
I do know, [password removed], is your password. You do not know me and you’re most likely thinking why you are getting this e-mail, right?
In fact, I installed a malware on the adult video clips (porno) site and you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote control Desktop) having a keylogger which provided me with access to your display and also web cam. Right after that, my software collected all of your contacts from your Messenger, FB, as well as email.
What exactly did I do?
I made a double-screen video. First part shows the video you were viewing (you’ve got a fine taste ; )), and second part displays the recording of your web camera.
What should you do?
Well, in my opinion, $1900 is a reasonable price for our little secret. You will make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).
Note: You have one day to make the payment. (I have a unique pixel within this email, and right now I know that you have read through this email). If I do not receive the BitCoins, I will certainly send your video to all of your contacts including members of your family, coworkers, and many others. Nonetheless, if I do get paid, I will destroy the video immidiately. If you want to have evidence, reply with “Yes!” and I will send out your video to your 8 friends. This is the non-negotiable offer, and so please do not waste my personal time and yours by responding to this email.
The password that was redacted in this email was an actual password that is used or was used by the victim. Obviously, this adds a level of authenticity that greatly increases the chance of a ‘sale’ for the cyber-criminal. The victim thinks ‘if they know my password, the rest of the email must be true too’. And… if our sorry target was actually visiting adult sites on his computer, well, the deal is practically in the bag.
The good news is that, despite assurances that they know a lot about you, the reality is that all they know is that password. The rest is fiction.
How did they do it?
The big question… where did they get the password? How did they know? The most likely scenario is that the emails and passwords were harvested from well known repositories on the Dark Web. Think about it… all these hacks you hear about on the news from companies who do business online; there have been some widely publicized hacks:
- LinkedIn – 159 million emails stolen
- Adobe – 152 million emails stolen
- Myspace – 359 million emails stolen
- Dropbox – 68 million emails stolen
These are just a few of the big ones, but the list goes on and on. The total runs into the billions of emails and/or passwords that have been stolen by hackers.
[Infographic: over 12 billion emails hacked, 687,000 in just the past week.]
Often these emails become salable merchandise, purchased by minion hackers to use several tricks to extort money from unsuspecting people. One such trick is the sextortion described above. Another trick is to use the email and password to try to log into other online services. After all, most people use 3 or 4 passwords for up to dozens of online services!
Has your email and password been hacked?
One astute Microsoft employee, Troy Hunt, took it upon himself to compile a database of all the hacked passwords. Check it out and see if your email is in there.
Just type in one of your emails and click ‘pwned?’. (If you are wondering what ‘pwned’ means, the site explains the term.)
If it shows up as hacked, make sure any passwords that go along with that email are fresh.
The same website has a list of all the hacked passwords.
https://haveibeenpwned.com/Passwords
Type in a password here to see if it is in the list (it’s OK to type in your password here; it is not saved). If it comes back saying that password is on the list, then you should never use that password again on anything. So, if you are thinking about choosing a new password, why not check here first… if it is in the database, don’t use it!
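Why it is safe to type a password into that page: the Pwned Passwords lookup uses k-anonymity, so only the first five characters of the password’s SHA-1 hash are sent to the service, and the match against the returned list of hash suffixes happens on your own machine. The Python below is an added example, not code from the original post or from haveibeenpwned.com; the sample response is constructed to mimic the service’s “range” format (one SUFFIX:COUNT line per hash sharing the prefix), and the live fetch_range helper, which uses the real api.pwnedpasswords.com endpoint, only runs when the file is executed as a script.

```python
import hashlib
import urllib.request

# Constructed sample of a k-anonymity "range" response for the prefix 5BAA6.
# The first suffix is the real SHA-1 suffix of the string "password"; the
# counts and the remaining suffixes are made up for this example.  A line with
# count 0 is what the service's optional padding entries look like.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FFF:0\r\n"
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
)


def split_hash(password: str):
    """SHA-1 the password and split the hex digest into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Scan a range response for our suffix and return its breach count.
    0 means "not in the list" (padding entries also carry a count of 0)."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (needs network access)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Full k-anonymity check: only the prefix ever leaves this function."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    import getpass
    n = check_password(getpass.getpass("Password to check (not echoed): "))
    print(f"seen in breaches {n} times" if n else "not in the list")
```

Running it as a script performs a real lookup; the test-style call `check_password("password", fetch=lambda p: SAMPLE_RANGE_RESPONSE)` exercises the same logic entirely offline.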
Lessons
Is it important to use unique passwords?
A resounding YES. It is a challenge to monitor them all, so our recommendation is to use a password manager like Roboform (https://www.roboform.com). Then you need to remember only 1 master password, and all the others are saved in the program, which is accessible via your computer, your phone/tablet or any Internet-connected computer.
Keep your passwords fresh. New hacks happen all the time and that password that you have been using for a couple of years may have been hacked by now. Switch it up!
Ethix IT – We’re sick and tired of people getting ripped off and now we are dedicated to protecting the vulnerable.