(UPDATED) Earlier this year we talked about a “sextortion” scam (below) creating havoc around the world. Through emails, the scam tricked people into believing that their (very, very) personal web-viewing habits — along with videos captured through their computer cameras — would be distributed to their contact list unless they paid a bitcoin ransom.
The emails were believable because they contained the recipient’s real passwords. Now the scam has evolved. Here’s an update on what’s going on:
What is sextortion?
As a reminder, sextortion is an email phishing scheme. It involves threatening to distribute something highly sensitive or embarrassing about you unless you pay a ransom or provide sexual images or favors. In the first iteration of this latest scam, the email included one of the recipient’s actual passwords that was acquired on the dark web. This gave the scam credibility — and people paid up like never before. Now copycat scammers have piggybacked on the success of the first iteration.
Here are a couple of examples of what the original email scams had to say. Many have been coming from Microsoft and Hotmail addresses.
Why people are so worried
Since the passwords are real — they come from past cybersecurity breaches, probably the LinkedIn hack in 2012 — it appears the scammers have had some kind of access to the recipient’s inner cyber world. And even though the passwords are old, a lot of people use the same passwords for many years and for more than one account. The more recently a password has been used, the more believable the scam.
Also, porn is very popular. A significant portion of the population indulges (see this infographic). The possibility that family, co-workers, and friends might get an email revealing someone’s personal viewing habits, along with recordings of them watching, is enough to make some people pay the ransom. Just weeks after launching, the scam had conned more than 1,000 victims out of about $500,000.
Even if someone doesn’t watch porn, seeing their correct password in an email that says they’ve been recorded through their computer camera can be embarrassing enough. Some non-viewers have paid the ransoms to be safe.
Bitcoin ransoms range from a few dollars to many thousands of dollars. Because Bitcoin is used, transaction amounts can be tracked by monitoring Bitcoin wallets while the parties to the transactions remain anonymous. These sextortion scammers are using nearly 800 different Bitcoin wallets to make it harder for investigators to ultimately track them down.
What the most recent emails say
A more recent round of sextortion emails uses the same threat and scary language but does NOT include a stolen password as leverage. Instead, the scammers simply spoof the victim’s email address so the “from” address is the same as the “to” address, making it appear they’ve been inside the victim’s private computing space.
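The self-addressed spoof described above leaves a trace that a receiving mail server records: the message claims to be from the recipient’s own domain, yet it does not pass that domain’s SPF or DKIM checks. The following is an added example (not code from the original post or from Leapfrog) showing how a mail filter or a triage script could flag that combination. The two messages and the `mx.example.net` Authentication-Results header are constructed samples, not real captures.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real capture): the From address is spoofed to match
# the To address, and the receiving server recorded that SPF failed and no DKIM
# signature was present for the claimed sender domain.
SPOOFED_RAW = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example.com; dkim=none
From: alice@example.com
To: alice@example.com
Subject: I recorded you
Date: Mon, 01 Oct 2018 10:00:00 +0000

Pay 0.5 BTC within 48 hours...
"""

# Constructed sample of a genuine note-to-self: same From and To, but SPF and
# DKIM both pass, so the self-addressing alone is not suspicious.
LEGIT_RAW = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: alice@example.com
To: alice@example.com
Subject: note to self
Date: Mon, 01 Oct 2018 10:05:00 +0000

Remember to renew the domain.
"""


def parse_auth_results(header):
    """Return {method: result} from an Authentication-Results header value.

    Only the leading method=result token of each clause is kept; property
    values such as smtp.mailfrom=... are ignored.
    """
    results = {}
    if not header:
        return results
    # The first clause is the authserv-id (the server that did the checks).
    for clause in str(header).split(";")[1:]:
        parts = clause.strip().split()
        if not parts or "=" not in parts[0]:
            continue
        method, _, result = parts[0].partition("=")
        results[method.lower()] = result.lower()
    return results


def self_addressed_spoof_indicators(raw):
    """Flag a message whose From equals its To but fails sender authentication."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    indicators = []
    if from_addr and from_addr == to_addr:
        indicators.append("from_equals_to")
    # A missing result is treated like a failure: the domain was not vouched for.
    if auth.get("spf", "none") != "pass":
        indicators.append("spf_not_pass")
    if auth.get("dkim", "none") != "pass":
        indicators.append("dkim_not_pass")

    # Self-addressing by itself is normal; it is the combination with failed
    # authentication that matches the scam pattern.
    suspicious = "from_equals_to" in indicators and len(indicators) > 1
    return {"from": from_addr, "to": to_addr,
            "indicators": indicators, "suspicious": suspicious}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_RAW), ("legit", LEGIT_RAW)):
        print(label, self_addressed_spoof_indicators(raw))
```

In a real deployment the Authentication-Results header must be taken only from the organization’s own inbound server (an attacker can add a forged copy further down the header chain), and a DMARC policy on the domain lets the server reject such messages outright rather than just flag them.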
Who’s susceptible to sextortion?
Initially, if your email address and password had been stolen in any cyber breach, you were a potential victim of the password scam. It was a semi-targeted phishing campaign aimed at a specific group of people (those with compromised personal data) but not at specific individuals. According to Krebs on Security, “it’s likely automated.” So, don’t take it personally if you get targeted. (Here’s additional information on how these scams are set up.)
Now, with the latest scam, anyone can be a victim and scared into paying up.
People who feel they have a lot of exposure are more susceptible to panicking and paying the ransom, as are those who are especially risk-averse, embarrass easily, or are unfamiliar with how email scams work in general. This scam is particularly nasty because it can have consequences beyond monetary ones, depending on how victims respond.
While it is possible for cybercriminals to collect this kind of embarrassing information about people and use malware to access computer cameras, it’s labor-intensive. It’s a lot easier just to lie and say they did.
What to do if you get a sextortion email
Just because there’s no bite behind the bark doesn’t mean you shouldn’t take action if you get one of these emails. Take it as a reminder to protect yourself online. The FBI (and Leapfrog) recommends you:
- Do not pay
- Do not respond to the email
- Stop using the password immediately (and while you’re at it, update any old passwords — using a password manager is fastest)
- Change your passwords often
- See if your other email addresses and passwords have been pwned or stolen
- Never send compromising photos of yourself to anyone
- Don’t open attachments from strangers
- Be cautious opening unexpected attachments from people you know because their email addresses may have been spoofed
- Turn off your computer’s camera or put a piece of tape over it when you’re not using it
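The “pwned” check in the list above is usually done against the Pwned Passwords service from Have I Been Pwned, which is designed so that the password itself never leaves your machine: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, receives every hash suffix in that range with a breach count, and finishes the match locally. The block below is an added example (not code from the original post or from Leapfrog) of that client-side logic. The range response is a constructed sample with made-up counts, and the example stays offline; the `range_url` helper only shows which public endpoint a live check would call.

```python
import hashlib

# Constructed sample of a range response (not real data). Each line is the
# 35-character SHA-1 suffix and the number of breaches it appeared in. The
# first line is the real suffix for the password "password"; the count and
# the other two lines are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
0000000000000000000000000000000ABCD:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into a 5-char prefix
    (the only part sent to the service) and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix):
    """Public Pwned Passwords range endpoint; a live client would GET this."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def breach_count(password, range_response):
    """Return how often the password appears in breaches, or 0 if not found.

    The comparison is done on the suffix only, so the full hash is never
    transmitted and the service cannot tell which of the returned hashes
    the client was interested in (k-anonymity).
    """
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would query:", range_url(prefix))
    print("breach count:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A password that comes back with any non-zero count belongs on the “stop using immediately” list regardless of whether it was the one quoted in the scam email, since it is already circulating in the same dumps the scammers draw from.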
If you are the victim of a real sextortion attempt or know someone who is, it’s a serious crime, and the FBI wants to know about it, especially if underage children may be involved. Call 1-800-CALL-FBI or your local FBI office.
More scams you can look forward to
As hackers breach more and more companies, and information from those breaches ends up on the dark web, be prepared for scammers to take advantage of it. The more details about you they can include in sextortion and other scams, the more likely you’ll be to pay up. Fresh passwords, your Social Security Number (SSN), your date of birth, your kids’ names and home address, and information gleaned from public sources can be compiled into a threatening demand for cash or other things of value.
Remember, if there’s urgency or a deadline involved, it’s probably a scam.
If you’re a Leapfrog client and have any questions about this scam or any others, we strongly encourage you to call the Help Desk. We’re here to help.