July 12, 2018

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used at any time on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has written a script that pulls usernames and passwords straight from the dump of a data breach at a popular Web site that happened more than a decade ago, and that every victim whose password was exposed in that breach is getting this same email at the address they used to sign up at that hacked Web site. In other words, the password in the message is evidence that the recipient’s old credentials were in a breach, not that the sender has had access to the recipient’s computer, webcam or contacts.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.
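As an added worked example (not code from this post), here is the triage a defender can run on one of these messages. It pulls out the claimed password and the Bitcoin address, checks that the address carries a valid Base58Check checksum before anyone bothers reporting or blocklisting it, and checks the password against a breach corpus with the k-anonymity pattern: only the first five hex characters of the password’s SHA-1 go to the lookup, and the full hash is compared locally against the suffixes that come back. The sample text is built from the message quoted above with a placeholder password (“hunter2”); the range table is a constructed stand-in for a real range-query service (the line layout follows the public Pwned Passwords range endpoint, which is an assumption about how you would wire it up), so swap `local_range_lookup` for an HTTP call to use it for real.

```python
"""Triage helper for a sextortion e-mail of the kind quoted above.

Added example for this page, not code from the original post. The range
lookup is a constructed local stand-in for a k-anonymity breach service.
"""
import hashlib
import re
from typing import Callable, Dict, Optional

# Constructed sample built from the message quoted in the post. The password
# "hunter2" is a placeholder, not a credential taken from any breach.
SAMPLE_EMAIL = """I'm aware that hunter2 is your password.

You don't know me and you're thinking why you received this e mail, right?

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
"""

PASSWORD_RE = re.compile(r"I['’]m aware that (\S+) is your password", re.I)
# Legacy P2PKH/P2SH addresses: a leading 1 or 3, then 25-34 Base58 characters.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose double-SHA-256 checksum matches."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:                      # character outside the alphabet (0, O, I, l)
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a leading zero byte that the integer form drops.
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + body
    if len(raw) != 25:                   # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the range lookup: 5-char SHA-1 prefix -> "SUFFIX:COUNT"
# lines, the shape a Pwned-Passwords-style range endpoint returns.
_sample_hash = sha1_hex("hunter2")
CONSTRUCTED_RANGES: Dict[str, str] = {
    _sample_hash[:5]: f"{_sample_hash[5:]}:17\n" + "0" * 34 + "A:3\n",
}


def local_range_lookup(prefix: str) -> str:
    """Replace with an HTTP GET of the range endpoint for real use."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


def breach_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """How often the password appears in the corpus (0 if unseen).

    Only the 5-character prefix leaves this function; the remaining 35
    characters are compared locally against the suffixes returned.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx.upper() == suffix:
            return int(count or 0)
    return 0


def triage(text: str, lookup: Callable[[str], str] = local_range_lookup) -> Dict[str, object]:
    """Extract the indicators a defender wants from one of these messages."""
    m = PASSWORD_RE.search(text)
    password: Optional[str] = m.group(1) if m else None
    return {
        "claimed_password": password,
        "breach_count": breach_count(password, lookup) if password else 0,
        # Address -> whether its checksum is valid (i.e. worth reporting/tracking).
        "btc_addresses": {a: b58check_valid(a) for a in BTC_RE.findall(text)},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

A password that comes back with a high count is a breach artifact, which is exactly what the three readers above found; it says nothing about the sender having access to the recipient’s machine. A valid checksum only means the address can receive funds, not that it has; the address itself is the useful pivot for grouping reports of the same campaign.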

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


1,076 thoughts on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. JB

    Had a user report this e-mail to me today, he was NOT visiting porn sites, just tried to login to I suspect a fake Office 365 login page. They may be actively collecting passwords using a spoofed O365 website. If you got this e-mail after experiencing some odd behavior at a website it would be a good idea to change your Office 365 password immediately. As an added precaution you could enable MFA on your account and then they will never be able to get past the login screen.

  2. Mark K

    Moral of the story – if you have forgotten your MySpace password it’ll probably come back to you with one of these emails.

  3. Jim Babbington

    Just got this email today. It would have been more convincing and amusing if it had a frame grab of me. No tracking pixel – darn!
    They asked for $2900 to be sent to
    BTC address 1MzVdeNm4aoN1zWiTuD7U4iibeBsk2DAtX

    Will we see a spike in bitcoin prices because of this ?:-)

      1. Mark

        I just got one, but the password they included I have never used.

    1. David

      I got the same one at my work email with User and PW in the subject line

  4. Craig

    Got this email this morning on my work computer and was using one of our passwords we use to access various sites we are registered with. Figured it was a scam, since I’ve never visited any of those sites, and any webcam footage they may have is of me working. Ignoring them even though I’d love to email them back to mess with them.

  5. Paul C

    Yep. Got one today with a very old password. Unsettling, but it was easy to see that this was a scam after a double take. And yeah. I’m all password manager and 2FA wherever I can.

  6. Jon

    Yep, I got one of these too, with a password that I generally hadn’t used for years. I think I may have used it on Yahoo like someone else noted in the comments. Still, unsettling that someone had it. Is there any real point in reporting it, or not really?

  7. Robert P

    I received my “sextortion scam” 30 minutes ago and Googled to find this article. Thanks! Yes, very old password, likely from an old 2008 MySpace account that I opened just before discovering Facebook and Twitter. With all the news about data breaches as of late, I was expecting something like this to begin. On reading, I had reasons to believe that this was a scam. The fact that they knew an old password was a bit alarming, though. Tech companies should continue working on creating a security system which is less reliant on passwords.

  8. George R Brown CPA

    This article is a treasure! My “in” message was dated: Wed, Jul 11, 2018 at 5:02PM. I was uncomfortable for the past 18 hours until I googled this Krebs On Security article. Perhaps 10 – 20 years ago I was on an inappropriate site & got hacked. BUT… This was a great attempt at my system. Just like Jeffrey Goldberg (above) playing on the fears of (old [me]) folks is irritating.

  9. Peej

    Yep, got one of these myself this morning. To a business email address that is not associated with any of my device logins. But it did include an actual password I’ve used, but again, not for any accounts related to that email address. So it still got my blood pressure up and sent me down the rabbit hole of checking all associated accounts where that might have been used.

    Then I realized that it was a password I’d passed along FROM that email account years ago, so it was probably one of the recipients’ email accounts that had been hacked (guessing Yahoo) and that “password” got skimmed.

    Fun way to start my day…

  10. Marita Topmiller

    Just got my second sextortion demand today. This one from an Outlook account : ioharrix@outlook.com. I filed a complaint on the 1st one with the FBI, though it’s doubtful they can do anything.

  11. Hidden in Plain Sight

    I received this email two weeks ago. Unfortunately for the scammer, I am a hacker myself.

    I have identified the scammer’s name and address, he is acting alone. I went on the dark web and paid a well-regarded “cleanup man” to go see him and his family, shortly. If the scam stops, he did his job.

    1. Milo

      Will this clean up man sweep and mop his floors? That was very kind of you 🙂

  12. Jamison

    Someone got scammed:

    3BVpwfkuA7vw7tJv9V3Zawv1L5TuwC2BJk –> 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
    $ 1,783.87

  13. Vignesh

    Just got that mail. Had password as subject. I was extremely worried. I do not have my webcam covered and recently visited adult sites. I thought this was for real. But the password that I got was an old password for the same email. I do not know if he really has my cam videos but I’m concerned that if so he may send them to my contacts? But I do not have any contacts in that mail. Should I worry? Please help.

    1. Peej

      Just make sure your email passwords are NOT that one. Unless they used any other SPECIFIC language in the email that varies much from the example published in the article, it’s just a scam–one that “feels” legitimate because they referenced one of your passwords.

  14. John Peace

    Yep…got one today too about noon Eastern..had an old PW in the subject line..and the note was verbatim of what is posted. My cam is taped over… About a year ago it did light up on its own and someone did hack into it. It’s been covered up ever since. But anyway, the ransom demand was the same amount, Bitcoin payment etc.

    Wow, also read that many folks are panicking over this. It’s a hoax. gotta go…got someone on the phone saying they are from Microsoft, and my computer is generating error codes…

  15. Mark

    I received one of these emails this morning too. Looking back through my password vault the only place where I used that particular email address/password combo was myibm.ibm.com, although it has been many years since I logged on there. It was probably time to change that password anyway.

  16. marianne

    Received this EXACT email today….freaked me out that they would have my password used years ago. Thankfully this article is giving me some peace. I know we have not visited these websites…but this is certainly troubling….

  17. David

    Yeah I got it this morning too, looks like it’s getting around a lot, used an old password from several years ago, promptly deleted it. If they did hack my cameras, a lot of pictures of me at work looking bored, lol

  18. Paul B

    Hi
    I got this sextortion email this evening here in Dublin, Ireland. Was a bit spooked at first because it was a password I had not used in a good few years, possibly with Yahoo, an account I disabled a long time ago.

    Needless to say I went online and updated all my passwords. This is a worrying trend and no doubt will get more refined. I think it would be a good option if all devices had a facility like on my camera eyepiece that acts as a shutter.

  19. Chris

    3 of our users received this today; all reported it was a very old password.

  20. Ryan

    Has anyone actually replied “Yes!” just to see what happens? Curious (obviously you’d be playing the game with the scammer).

    1. JB

      They will likely not respond, as the address used to send the e-mail is either fake or belongs to someone who has no idea a criminal is using their account for this. If you look at the headers of the e-mail you will likely find that it was sent from an open mail forwarding server and that the sender was spoofed.

    2. Craig

      I asked my IT guy if I could reply and tell them to politely “F*ck off” but he said that only confirms to the scammers and hackers that the email they have is a valid one. That these hackers likely obtained a list of breached data in which the usernames were email addresses, and then broadcast emailed every one of those usernames/emails with the corresponding password.

      I will say I see a lot of folks commenting it’s possibly an old Yahoo or MySpace accounts. In the case of mine, that password they provided is business related and only applies to several federal and state government website registrations and other engineering consulting related websites, and FedEx website. Although my firm has used this password for many years so it could have been any number of those.

  21. John

    I just got this today after having an issue logging into 365. So what do we do. Ignore it. Pay?

    1. JB

      Are you serious or just playing along? If you did actually get it from an Office 365 site can you please check your browser history and post the exact website you went to in a reply?

      1. John

        So this is a scam, correct. Don’t pay, correct? This scared the daylights out of me. They really have nothing to send, correct?

        1. Generic First Name

          Did you even read the article?

  22. Norma

    I am in the UK; should this be reported to the police?

  23. John

    Wonder how much this scam raked in?

    Pretty convincing email referencing an old password. Would have been even better if a photo of proof accompanied it. Then there would have been an issue.

    Had at least one client hit me with this scam and I received two myself.

  24. Jeff

    Looking at the source code there is no reference to a 1×1 image and there are a ton of comments spread throughout the body with my first name. Not sure why they are so heavy on the HTML comments.

    1. timeless

      Probably fighting Bayesian (Spam) filters.

      Bayesian filtering more or less works by identifying words that are commonly used in spam or commonly used in ham. They’ve reasoned that your name is likely to be in your Bayesian filter’s ham list and should thus help prevent the message from being marked as spam.
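An added example, not code from the post or from any commenter, that puts JB’s advice above about reading the headers and Jeff’s and timeless’s observations about the body into one script. It walks the Received chain to find the host that actually handed the message in, compares the From: address with the Return-Path and the SPF result, and scans the HTML for a remote 1×1 image and for stuffed HTML comments. RAW_MESSAGE is constructed for the example: the host names, IP addresses and Authentication-Results line are invented documentation values, not a real captured message, and the comment-stuffing threshold is a heuristic chosen here.

```python
"""Header and body forensics for a sextortion message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample: invented hosts, documentation IP ranges, body modelled
# on the message quoted in the post. Not a real captured e-mail.
RAW_MESSAGE = b"""Return-Path: <bounce@example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Wed, 11 Jul 2018 17:02:11 -0400
Received: from relay.example.net (unknown [203.0.113.77])
\tby mx.example.com with SMTP; Wed, 11 Jul 2018 17:01:58 -0400
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net
From: "Alice" <alice@example.com>
To: bob@example.org
Subject: alice - hunter2
Content-Type: text/html; charset="utf-8"

<html><body>
<!-- Bob -->I'm aware that hunter2 is your password.<!-- Bob -->
<!-- Bob --><!-- Bob -->
<p>BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72</p>
<!-- Bob -->
</body></html>
"""

RECEIVED_FROM_RE = re.compile(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(msg) -> List[Dict[str, str]]:
    """One entry per Received header, nearest-to-recipient first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        value = " ".join(str(hdr).split())   # unfold, squeeze whitespace
        m = RECEIVED_FROM_RE.search(value)
        if not m:
            continue
        comment = m.group(2) or ""           # what the receiving MTA observed
        ip = IPV4_RE.search(comment)
        hops.append({"helo": m.group(1),     # what the client claimed to be
                     "rdns": comment.split()[0] if comment else "",
                     "ip": ip.group(1) if ip else ""})
    return hops

class BodyScan(HTMLParser):
    """Collects HTML comments and <img> tags from the body."""
    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []
        self.images: List[Dict[str, Optional[str]]] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "img":
            self.images.append(dict(attrs))

def is_tracking_pixel(img: Dict[str, Optional[str]]) -> bool:
    """Remote image that is unsized or 0/1 px: the classic read receipt."""
    src = (img.get("src") or "").lower()
    if not src.startswith(("http://", "https://")):
        return False
    return all((img.get(k) or "1").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))

def analyze(raw: bytes) -> Dict[str, object]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    spf = re.search(r"spf=(\w+)", str(msg.get("Authentication-Results", "")))
    hops = received_chain(msg)
    origin = hops[-1] if hops else {"helo": "", "rdns": "", "ip": ""}
    body = msg.get_body(preferencelist=("html",))
    scan = BodyScan()
    scan.feed(body.get_content() if body else "")
    return {
        "from_address": from_addr,
        "return_path": return_path,
        "sender_domain_mismatch": from_addr.rsplit("@", 1)[-1].lower()
                                  != return_path.rsplit("@", 1)[-1].lower(),
        "spf": spf.group(1) if spf else "none",
        "hop_count": len(hops),
        "origin_ip": origin["ip"],           # the only address worth reporting
        "origin_rdns": origin["rdns"],       # "unknown" = no reverse DNS
        "tracking_pixels": sum(1 for i in scan.images if is_tracking_pixel(i)),
        "html_comments": len(scan.comments),
        # Many copies of one short token (the recipient's name) in comments
        # is the Bayesian-poisoning pattern, not an image beacon. Heuristic.
        "comment_stuffing": len(scan.comments) >= 3 and len(set(scan.comments)) <= 2,
    }

if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

The From: line is whatever the sender typed; the last Received header (the first hop) and the SPF verdict are the parts the scammer does not control, so those are what go into a report. The absence of any remote image confirms the “unique pixel” claim in the message is bluff, and the repeated comment token explains why the mail may still get past a trained filter.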

  25. Loren

    I read this email today, which came yesterday. It scared me a bit, but like the rest of you reading this article really did help. Thanks!

  26. Chris

    Ha! Got the same one at roughly the same time today that everybody else seems to have gotten it. Again, no visits to any sites of the character/subject matter referenced, so not too concerned about that.

    Looking to extort $2,900 in BTC to
    BTC Address: 1Gf1K62rjKHzCQx1PHVgvKHTBuBZ1UdsDr

    Webcam has been covered up for years too…

  27. Otto Mears

    Best defense – avoid visiting porn sites…

    Second best defense – If you must then please put a piece of tape over the camera on your laptop.

    Gives me the shivers thinking about a friend not paying the ransom and me getting an email with this kind of video – yikes!

    1. JB

      Why just porn sites? Yes, they have been known to harbor malware, but I have seen other sites that are just as bad, if not worse. Every freaking time I go to Weather.com on my iPhone I get those annoying You Have Just Won popups, or I get one of those Your Device Is Infected, Cleanup Now ads. I use FireFox Focus just for that reason, not only does it cover my tracks, it prevents crap from getting in.

  28. Joanne

    Yes, I got one, also. It was demanding $2900.00. We also keep our cameras taped over.

    1. Cam

      I also got this email today, with a valid “throw-away” password that I use for non-value logins. It also demanded $2900. Since no evidence was provided (screen capture, etc) I dismissed it as a scam. Scary though, to include a valid password, even one meant to be hacked.

    2. user

      But don’t you think one of these is actually real? I mean, maybe someone actually recorded it and it’s a real threat?

    3. Dale M.

      Some asshole just tried the same thing with me.
