Sextortion Scam Luring Victims in with Breached Passwords – Don’t Pay! – Info CCrime
If you haven’t been targeted already, you might have at least heard about the latest “sextortion scam” that surfaced a couple weeks ago. I’ve been seeing the email scam making its rounds since then, and sure enough, it’s now hit my own inbox. Seeing this nefarious message firsthand, I wanted to share some things to watch out for with scams like this and share tips on protecting yourself.
The other day, while going for my email spam folder, I noticed my email address and a previous password as the subject of a message. Curious, I decided to take a look at the email.
The body of the email contained the following, spelling mistakes and all. (I placed an asterisk where he listed an actual old password of mine.):
I do know, ********, is your pass word. You may not know me and you are probably thinking why you are getting this email, right?
In fact, I setup a malware on the adult vids (pornography) web-site and do you know what, you visited this site to have fun (you know what I mean). While you were watching video clips, your web browser initiated operating as a RDP (Remote Desktop) with a key logger which gave me accessibility to your display and webcam. Immediately after that, my software program obtained your entire contacts from your Messenger, social networks, as well as email.
What did I do?
I created a double-screen video. First part displays the video you were viewing (you’ve got a good taste rofl), and 2nd part displays the recording of your web camera.
What should you do?
Well, I believe, $1900 is a fair price tag for our little secret. You will make the payment via Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: **********************************
(It is cAsE sensitive, so copy and paste it)
You now have one day to make the payment. (I have a special pixel in this email message, and right now I know that you have read this email message). If I don’t get the BitCoins, I will definately send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I do get paid, I’ll destroy the video immidiately. If you need proof, reply with “Yes!” and I will send your video to your 8 contacts. It is a non-negotiable offer, that being said please don’t waste my time and yours by replying to this mail.
When I examined the HTML of the message, I noticed that the text was broken up with a comment, specifically , every 3-6 characters. I then had a good laugh at the claims and the “method of compromise” along with the data taken.
At this point, it’s worth pointing out for those that are unaware that nearly everybody has a username/email and password on a breach list somewhere. Some people are embarrassed when they learn their username and password has been compromised, but we live in a day and age when it is unavoidable.
You have no control over the security precautions used by various web sites, and all too often websites are breached and login credentials and stolen. With all the websites with which we’ve registered, it’s more than likely that your credentials have been stolen and tried on other websites. You can easily see if you appear on any breach lists with a quick search of Have I Been Pwned.
I recognized this as a scam immediately and ignored it. I received the email on July 10th and noticed it on July 22nd, so this email scam has been going around for at least a few weeks.
More recently, my aunt posted on Facebook that she had received a similar message. I asked her to forward it to me and, sure enough, it was almost identical. But it was clearly reworded. Interestingly, her forward (with no additional text) showed up in my inbox, while the original had made it into my spam folder, and she isn’t in my contact list.
Here’s the email, again with spelling mistakes and all (and an actual password masked by asterisks).
I know ********* one of your pass word. Lets get right to the point. You may not know me and you are probably wondering why you’re getting this e-mail? No-one has compensated me to check about you.
actually, I actually placed a malware on the 18+ videos (pornography) web-site and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser started working as a Remote Desktop that has a key logger which provided me with access to your display screen as well as web cam. Immediately after that, my software gathered every one of your contacts from your Messenger, social> networks, and e-mailaccount. Next I made a video. First part displays the video you were viewing (you’ve got a nice taste ; )), and next part displays the view of your webcam, yea its you.
You got two different choices. Why dont we understand these solutions in particulars:
First choice is to skip this e mail. In that case, I will send your very own video to all your your contacts and also imagine about the shame you feel. And definitely in case you are in a relationship, how this will affect?
Number 2 choice should be to compensate me $7000. Let us name it as a donation. As a consequence, I most certainly will promptly eliminate your video footage. You could go on with your life like this never took place and you would never hear back again from me.
You will make the payment via Bitcoin (if you don’t know this, search for “how to buy bitcoin” in Google search engine).
BTC Address: *************************************
[case-SENSITIVE, copy & paste it]
If you may be wondering about going to the police, very well, this email message cannot be traced back to me. I have covered my steps. I am just not trying to ask you for money so much, I simply want to be rewarded. You have one day to make the payment. I’ve a special pixel in this e-mail, and now I know that you have read this mail. If I don’t get the BitCoins, I will certainly send out your video recording to all of your contacts including close relatives, coworkers, and so forth. However, if I receive the payment, I’ll erase the video immediately. It’s a non-negotiable offer, and thus do not waste mine time & yours by responding to this e-mail. If you want evidence, reply Yeah & I will send out your video to your 11 contacts.
The bitcoin addresses were different, and I was amused by the slight wording and formatting changes. Additionally, and this may just be a coincidence given the small sample set, the email I received was from someone with the initials “CH,” while my aunt’s was from a sender with the initials “HC.” In both cases, the email subject was [username] – [password], and the username matched the email username (likely because they were looking for accounts where the username was an email address).
One insulting thing was that my aunt’s password was worth $7000, while mine was only worth $1900.
To reiterate, when you see an email like this, as long as you already changed your passwords following a breach, the sender has nothing. If you have not changed your password, they may have access to that account. It is a good idea to sign up for breach notifications with a service like Have I Been Pwned to ensure you know when one of your accounts appears in the wild.
It’s also important to remember that we live in a time where password breaches are as common as having a morning coffee or going to sleep at night. Use proper password hygiene and the risk associated with a data breach will be minimized. You can find plenty of lists online, but I’ll leave you with the two I feel are most important.
Don’t reuse passwords
It’s important that you create a new password with every site you use. If you have difficulty remembering passwords, there are two options. The first is a password manager. This way, you have one password to remember, and it will remember all of your passwords for you. The second, relatively low-tech solution is a notebook.
Plenty of places will tell you not to write down passwords, and this is sound advice at work and in public places. But a small notebook containing passwords in your desk drawer is not the end of the world, and it’s a much better option than reusing the same password. It may not be ideal, but the goal is to minimize risk, and it definitely introduces less risk than a reused password.
Multi-factor (or 2-factor) authentication is a great way to improve your security. Most major social media websites and many other websites (particularly in the gaming world) make use of MFA these days. This adds a second method of confirming your identity to a website. Many sites use a code sent via SMS to your mobile device, while others integrate into the apps found on your smartphone, either vendor-specific (like Facebook) or a generic app (like Google Authenticator) that can be used with multiple websites.
Another option is a key fob that you can carry on your keychain. The use of multiple authentication methods limits the risk of a compromise when a data breach occurs.
Have you received the email? Have your friends or family? You may want to pass these tips along, even if they haven’t mentioned the email to you. They may be too embarrassed to have brought it up.
Article Prepared by Ollala Corp