12 Jul 18

Sextortion Scam Uses Recipient’s Hacked Passwords

Here’s a clever new twist on an old email scam that could make the con far more believable. The message purports to come from a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.
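For anyone triaging a batch of these, here is a small parser for the template quoted above. It is an added example and not code from the original post: it pulls out the cited password, the dollar amount and any legacy Bitcoin addresses, verifies each address’s Base58Check checksum (so an analyst can tell a payable address from mangled template junk), and counts how many of the template’s stock phrases are present. The phrase list, the "three phrases plus an address" threshold, the placeholder password in the sample and the genesis-block address used as a known-good checksum reference are this example’s own assumptions, not anything the post states.

```python
"""Triage helper for the password-bearing sextortion template quoted above.

Added example, not code from the original post. Given the raw text of a
message it pulls out the cited password, the dollar amount and any
legacy Bitcoin addresses, verifies each address's Base58Check checksum
(so an analyst can tell a payable address from mangled template junk)
and counts how many of the template's stock phrases are present. The
phrase list and the "three phrases plus an address" threshold are this
example's own assumptions, not a published rule.
"""
import hashlib
import re

# Stock phrases from the template quoted in the post. Several of them
# together are a much stronger signal than any one alone.
TEMPLATE_MARKERS = (
    "is your password",
    "placed a malware on the porn website",
    "split-screen video",
    "unique pixel",
    "send your video to all of your contacts",
)

PASSWORD_RE = re.compile(r"I[’']m aware that (.+?) is your password", re.I)
AMOUNT_RE = re.compile(r"\$\s?([\d,]+)")
# Legacy base58 (P2PKH/P2SH) addresses only; this template did not use bech32.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a base58 string; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' is a 0x00 byte
    return b"\x00" * leading_zeros + body


def valid_btc_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes (version + hash160 + checksum) and
    the checksum equals the first 4 bytes of SHA-256(SHA-256(payload))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(text: str) -> dict:
    """Extract the indicators an analyst wants from one message."""
    m = PASSWORD_RE.search(text)
    amounts = [int(a.replace(",", "")) for a in AMOUNT_RE.findall(text)]
    addrs = BTC_RE.findall(text)
    hits = [p for p in TEMPLATE_MARKERS if p in text]
    return {
        "cited_password": m.group(1) if m else None,
        "amount_usd": amounts[0] if amounts else None,
        "btc_addresses": {a: valid_btc_address(a) for a in addrs},
        "template_hits": len(hits),
        "is_template": len(hits) >= 3 and bool(addrs),
    }


# Constructed sample: an abridged copy of the template above with a
# placeholder password ("hunter2") substituted for the real one.
SAMPLE_MESSAGE = """I'm aware that hunter2 is your password.
You don't know me and you're thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site.
I made a split-screen video.
Well, I believe, $1400 is a fair price for our little secret.
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
(I have an unique pixel within this email message, and right now I know that you have read this email).
If I don't get the payment, I will send your video to all of your contacts including relatives.
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The checksum check is the part worth keeping even if you rewrite the rest: campaigns that randomize the address per message (as a commenter below reports) still have to emit a payable address, and a failed checksum tells you the address was corrupted in transit or is decoy text rather than something to watch on the blockchain. Never type the cited password into the script as a string literal in a shared repo; read it from the message and hash it on the spot if you need to compare it against breach data.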

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: my guess is that the perpetrator has written a script that pulls usernames and passwords straight from a breach of a popular Web site that happened roughly a decade ago, and that every user whose password was exposed in that breach is getting this same email at the address they used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could run the same scheme off the customer database of a freshly hacked Web site, emailing every user of that site with a similar message and a current, working password. Tech support scammers may also latch onto this method.
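A recipient or help desk wanting to confirm that the cited password really came from a breach should not paste it into one of those lookup services. The k-anonymity range lookup that the Pwned Passwords API offers avoids that: only the first five hex characters of the password’s SHA-1 hash leave your machine, and the match is done locally. Below is an added example, not code from the original post, that implements the client side of that lookup; the network call is left to the caller, and SAMPLE_RANGE_RESPONSE is a constructed stand-in for a real response with invented counts.

```python
"""Check a cited password against a breach corpus without sending the
password anywhere.

Added example, not code from the original post. It implements the
k-anonymity range lookup used by the Pwned Passwords API: hash the
password with SHA-1, send only the first five hex digits of the hash,
and match the remaining 35 digits locally against the list the service
returns. The network call is left to the caller; SAMPLE_RANGE_RESPONSE
is a constructed stand-in for a real response and its counts are made up.
"""
import hashlib
from typing import Tuple


def range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): the 5 hex chars that go over the wire
    and the 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_lines: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return
    how often the password was seen, or 0 if it is absent."""
    for line in range_lines.splitlines():
        seen, sep, count = line.strip().partition(":")
        if sep and seen.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password: str, range_lines: str) -> int:
    """Count for `password`, given the response body for its own prefix."""
    return breach_count(range_query(password)[1], range_lines)


# Constructed stand-in for the response to /range/<prefix> where the
# prefix is that of SHA-1("password"). A real response has hundreds of
# lines; the other suffixes here are filler and every count is invented.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0000000000000000000000000000000000A:1",
    range_query("password")[1] + ":3861493",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
])

if __name__ == "__main__":
    prefix, suffix = range_query("password")
    print("sent to the service:", prefix)  # the password itself never leaves the host
    print("seen", is_pwned("password", SAMPLE_RANGE_RESPONSE), "times")
```

To run it for real, fetch `https://api.pwnedpasswords.com/range/` followed by the prefix with any HTTP client and hand the response body to `breach_count`. Two caveats a practitioner should keep in mind: a hit only tells you the password has leaked somewhere, not which breach it came from (several commenters on this post traced theirs to an old MySpace account through password-manager history), and a miss does not mean the password is safe to keep using.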

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


1,076 comments

  1. I got one of these emails yesterday as well, with an old password that was something I once used long ago.

  2. Very timely! I just had a client email us last night about this very thing. Good to see that we were correct and gave good advice. Thanks Krebs for all your work!

  3. Ok these guys are Black Mirror fans

  4. This is why I have no friends. So no one can ever blackmail me.

  5. The Sunshine State

    Don’t go to porn websites, then you won’t have this problem.

    • People who access the web from shared computers could easily be tricked into believing this.

    • Following a mantra of “Don’t be Stupid” would almost fully resolve many personal life problems for anyone who actually followed it, too.

    • Probably not from someone who has that knowledge of his victim anyway. It’s likely just some standard spammer who got a hold of a list and decided to stick the porn allegation in to trick some fools into biting. Someone like that is simply banking on 1. People who have viewed naughty stuff illicitly and will pay, and 2. People who panic and pay up, even if they haven’t ever viewed anything worse than PG stuff on their computer. The spammer is almost certainly lying about having evidence.

      Remember, this scam has gone around before. This is just the latest iteration of it. I’ll bet it has zero to do with porn and more to do with recently released password lists. The release of such lists tends to be associated with extortion spam over time.

    • … or you could just cover your webcam.

    • So what’s to keep the threat actor from changing to any one of hundreds of other ideas for extortion? All they likely did was write some code to parse through the LinkedIn breach dataset (and potentially other datasets) and then automated the emails of a very basic template out with the only modifications being the email username and password. The threat actor likely counted on password re-use so likely the password the user sees was used on dozens or maybe even hundreds of sites at one point.

      This is a very unsophisticated scheme and honestly I’m surprised it hasn’t been done sooner.

  6. Nicholas Weaver

    The mail itself is automated: I’ve received two of this variant, not one. There is a different variant (w/o the password) that I’ve received as well.

    They are randomizing things somewhat: both the extortion amount and the Bitcoin address (there are ways to generate multiple wallet addresses with the same private key).

    They are also sending through the Outlook web interface, which doesn’t report the sender IP in the headers (although if the FBI wants to send a subpoena to Outlook they could get that information, assuming it leads anywhere at all.)

    • Thanks for sharing this, Nicholas.

      • have you looked at the html code in these? Why is the compromised user name embedded in html comment like a million times?

        • No html in the email I got. I’ve seen this stuff before, just without the password part.

    • “There is a different variant (w/o the password) that I’ve received as well…”

      I wonder if that means the spammer is working off a list that may have some identifying info but is missing a password. Or if they’re combining lists? Or if it’s a partially separate group?

      Interesting detail. But too vague to do more than speculate on. It’ll help incident response teams explain things, though, so there’s value in knowing it.

  7. Some of our clients are also seeing “copycat” versions of the same email, without the reference to a real password.

  8. There’s a Yahoo account I used long ago whose password I’ve forgotten; I’ve even forgotten which email account it was tied to, and Yahoo’s “support” gave up on helping me after several wrong guesses. So I’m sort of hoping for one of these emails with the password…

  9. Or don’t associate people who will judge you for that. Even if the miscreants *had* the material they claimed to, I’m pretty sure none of my contacts would care. They’d just be like “Dude, I think you were hacked. Also, please invent mind bleach. Yikes”.

  10. I’ve gotten three variants; my favorite part is the whole “If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends.” – I’m sorry, but if I want proof but you want money, wouldn’t it make more sense to send me the proof and THEN make more threats?

    • Yeah, I noticed that as well. It’s pretty much an admission that they don’t have anything at all. To gain “proof” you have to reveal the “incriminating video” to people you don’t want to. So, they’re saying they’ll prove it in a way that you’d never allow. Just more scare for bait.

  11. Looks like the messages have another variant with the username/password in the subject.
    Format: johnDoe – johnDoePassword

  12. A couple of users did receive this same message word for word. It was very unsettling to them. Ironically both were female. One of the emails listed the former zip code and the other a password.

  13. “You don’t know me and you’re thinking why you received this e mail, right?” – No. This is just the first instance of improper English usage in the email and tells me this is just a scam.

  14. I, and some others, have also received this same scam as a text message.

  15. Of course I’m not going to do this… but man, when I see extortion spam like that, I’m tempted to reply:

    “Dear Whoever the **** you are,

    THANK YOU! I’d dearly love to know what happened that night. All I remember was waking up on my floor, bottle of whiskey nearby, and the laptop lying on its side, showing nothing but static. If you could go ahead and just send that video to my 5 friends, maybe those jerks would learn a lesson about using roofies. In the meanwhile, could you also tell me where the hell those clothes on me came from? I never wear anything that flamboyant.

    Yours truly,
    XXXXX”

  16. We monitor our users that show up in HIBP, and we worked with some that got a copy of this message, and were able to determine that the likely source of the passwords being used by the extortionist was the Myspace Breach back in 2008.

    • Definitely Myspace. I use uniquely coded emails and passwords for every site and it’s Myspace — an account I deleted just after they had that huge breach.

  17. Jeffrey Goldberg

    Ha. I got one of these, too. I was amused to find that it was an old MySpace password they had (the virtues of using a password manager that keeps track of password history). In my instance, the spam came from what I presumed to be a compromised Live/Outlook account. (It definitely was a Live/Outlook account, all the right DKIM headers and such were in place.)

    And to me, this was deeply embarrassing because it looked like a password I’d created myself instead of using a generator. (I would have been using pwgen in those days, but apparently I wasn’t using it for everything.) It was imported to my password manager, 1Password, in 2007, but I don’t know its history before then.

    Although amused at the ancient MySpace password, I am really angered by scams (or even sales pitches) that try to play on people’s fears.

    • Unless you transfer $2900 in BTC to my wallet, I will release evidence that you didn’t use a pwgen password to all of your contacts.

      Looks like July 12 is the day for the scam revival. Yay!

  18. Garrett Hildebrand

    I received one of these Tuesday. The one I received did not mention a password. Otherwise, the email was the same.

  19. My sister just got one of these emails. Thank you for this article. Really clears it up because we were confused! She watches a lot of porn, too, so she was scared. lol jk

  20. Bruce Thompson

    I just got one of these as well.

    Looking at the raw source, there’s no indication that there’s a web-bug in the email either, so unless someone in Law Enforcement is collecting these (Does anyone know?), quick trip to the trash for it I think.

  21. Got mine today. The password they referenced is at least 10 years old, has never been used on my new iMac, and is related to an Adsense account that is no longer active.

  22. In an era when a lot of people are sharing their home made sex videos and pictures for free, is this still a profitable scam? lol….

    • You need to remember that there are communities where being exposed as sexually active for fun (and not merely for reproductive purposes) can be devastating to a person’s reputation and social life.

      Then there’s the aspect of being exposed in a situation that was supposed to be very private. Many people aren’t comfortable with having such a situation made public to their social circles.

      And by shotgunning something like this to anyone they can link email and password for, fooling even 0.1% is going to be a nice payday.

  23. 2 of my clients reached out to me today in regards to this. From the common breach search database I found both of their e-mail addresses on LinkedIn and Exploitln, but the Exploitln combo list makes things a little more difficult to pinpoint. Time to change password and set up 2fA!

  24. First, the “special pixel” is another good reason to TURN OFF HTML IN YOUR MAIL TOOL. I read my email as plain text, unless I know who it’s from and care to see the HTML version. Plain text lets me be amused, for example, at the email allegedly from the IRS… that’s sent from a Brazil domain.

    And I’d enjoy watching them try this on me… since I don’t have a webcam.

    Seriously, your email tools all support viewing email as plain text – set that as the default.

    And thanks *so* much to Bill Gates, who made what was once a joke on newbies to the ‘Net (you can catch a virus by reading an email!) into reality.

    • I’ve been doing this for quite a while on Gmail, since it is so spammy. One of the things I noticed immediately was emails with no content at all, just a picture that was not embedded in the email, but rather was a link. The address to the picture had a long hexadecimal code that, from experimentation, I found was linked to your email address. I.e. you could follow a link to a scam site once, put in some bogus information to try to get data on the scam, but the second time you went to the same link from the picture you would get something totally different. My idea is that it flagged your email as a valid one with a human behind the keyboard…

      Your advice is very good and highly recommended for both work and home environments!

      • Could you tell me how one switches to plain text display (as opposed to automatically-applied HTML formatting) in Gmail? There doesn’t appear to me to be an option in the Gmail settings, and I don’t see one (properly) identified when I do a Google search.

  25. Got this email this AM.

    Found it a little funny since I don’t actually have a webcam on my Monitor, so knew it was BS from the get-go.

    The password they cited:
    It was genuine, BUT from a 2008 MySpace account I never used, but joined once to contact someone.

    So at least in my case the PW was from 10 years ago and the MySpace Hack that was reported.

    The “sextortion” email was received from “Tedmund Burner”, gymtomasinagx@outlook.com

    Since they offer an option to reply, I assume the email addy is active and not spoofed?

    I am confused why MS/Outlook doesn’t nix, track or report this account to authorities.

    • I agree about detecting and filtering these out to the spam folder. But as far as contacting authorities:

      1. Who knows if Microsoft has or not? I don’t think any of us in this comments section have been told either way.

      2. “Reporting this account to authorities” doesn’t necessarily get anyone arrested or even investigated right away. Very few spammers are so dumb that they’ll send out through accounts tied to their actual identity. Most of the time, spam like this will come through a compromised account, or several of them, and the origin will either be something in a bulletproof hosting company or from a botted host or network of them. So the best that can be done is that the event can be documented and added to a pile of existing evidence in the hope that someday, info will converge and identify the spammer. Until then, proper “authorities” to report to are the admins of the hosts involved, not necessarily anyone outside. Authorities outside Microsoft and law enforcement agencies would be places like DHS’s NCCIC, the ISACs and ISAOs. Non-government authorities would be threat intelligence companies. Either one can aggregate info that law enforcement can use. But that all takes time; it won’t normally be set off by just one spam campaign.

  26. I received an email today. Unsettling for sure!

  27. I received the above scripted email with an old password, wanting a $1900 payoff, threatening to send to 12 people. Thanks for all the tips and info. Scammers suck.
    Porn is not my thing, pretty amusing if you consider the minds of people putting this together…

  28. I just received this email, 2 times in fact. It was referencing a very old password I used to use, and not even my email account’s password; it’s for a social network account.
    It did scare me a little though. Reminded me to change all my passwords.

  29. How much do you know about a scammer who has stolen millions of euros and is still doing his own? Philippe Ballesio is his name, fraud in many ways but the most common ways is with fraudulent companies and companies. Do not forget that name, maybe like that, avoid a scam.

  30. Both my wife and I got similar ones. Mine had no password listed. Her’s had one. Both of us keep the cameras on our Mac laptops taped over so there’s no possibility of capturing anything through the camera.