July 12, 2018

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers may begin latching onto this method as well.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).
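
The email template quoted above changes little between mailings, so a mail filter or helpdesk triage rule can key on its fixed claims. The following Python example is added here and is not part of the original article: the sample messages, the password `Summer2008!`, the breach-hash set and all function names are constructed for illustration, and the Bitcoin pattern checks address shape only, not the Base58Check checksum.

```python
import hashlib
import re

# Legacy Bitcoin address shape: leading 1 or 3, 26-35 Base58 characters
# (the alphabet omits 0, O, I and l). Shape only; checksum is not verified.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Opening line that quotes a credential back at the recipient, e.g.
# "I'm aware that X is your password" or "It seems that, X, is your pass word".
PASSWORD_RE = re.compile(r"\bthat,?\s+(\S+?),?\s+is your pass ?word\b", re.I)

# Claims the template makes in every variant quoted on this page.
CLAIMS = {
    "webcam_recording": re.compile(r"web[- ]?cam", re.I),
    "bitcoin_demand": re.compile(r"\bbitcoins?\b|\bBTC\b", re.I),
    "deadline": re.compile(r"\b(\d+ hours|one day)\b", re.I),
    "contact_threat": re.compile(r"\ball (of )?your contacts\b", re.I),
    "tracking_pixel_claim": re.compile(r"\bpixel\b", re.I),
}


def sha1_upper(text):
    """Uppercase hex SHA-1, the form breach-password corpora commonly use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def triage(body, breached_sha1=frozenset()):
    """Score one reported message body against the template's indicators.

    breached_sha1 is an assumed local set of SHA-1 hashes of passwords known
    to be in breach dumps. The quoted password is hashed for the lookup and
    never returned, so the triage record holds no plaintext credential.
    """
    claims = sorted(name for name, rx in CLAIMS.items() if rx.search(body))
    addresses = BTC_RE.findall(body)
    match = PASSWORD_RE.search(body)
    in_breach = bool(match) and sha1_upper(match.group(1)) in breached_sha1
    return {
        "claims": claims,
        "btc_addresses": addresses,
        "quotes_password": bool(match),
        # True supports the reading that the password came from old breach
        # data rather than from malware on the recipient's machine.
        "password_in_known_breach": in_breach,
        # Require a payment address plus several template claims, so one
        # stray keyword in ordinary mail does not trigger the rule.
        "likely_sextortion": bool(addresses) and len(claims) >= 3,
    }


# Constructed sample, abridged from the message quoted in the article.
SAMPLE = (
    "I'm aware that Summer2008! is your password.\n"
    "Your web browser acted as a RDP (Remote Desktop) and a keylogger which\n"
    "provided me access to your display screen and webcam.\n"
    "You'll make the payment via Bitcoin to the below address.\n"
    "BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72\n"
    "You have 24 hours in order to make the payment. (I have an unique pixel\n"
    "within this email message.) If I don't get the payment, I will send\n"
    "your video to all of your contacts.\n"
)

# Constructed benign message that shares two keywords with the template.
BENIGN = (
    "Reminder: the password reset page is down. "
    "Join the 3pm webcam call for an update.\n"
)

# Constructed stand-in for a breach-corpus lookup.
BREACHED = frozenset({sha1_upper("Summer2008!")})

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(body, BREACHED))
```
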


1,076 thoughts on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. Mark

    Got this myself today. The password I got was a partial password to what I’m currently using on my email. Was it everyone else full password?

    1. Eddy

      I also received this email but it had the correct password! Scary!

  2. Renee

    I received the same email and I have never gone on any porn sites here at work or at home. I received this at my worm, but the only scary thing is they had part of my password right for my banking. Changed that right away

      1. Mikey

        Dang, my worm only gets facsimiles. I feel so techdated!

        On the other hand, mine asked for $2,900, so at least I’m getting a more ambitious class of scammer. Although I’m somewhat jealous that some here actually got a black mail threat using the word ‘onanism’; maybe I’m just getting a greedier class of scammer. 8(

  3. Michael

    Just received this email today.
    It shows an actual password that I only use to log on forums but I use it since years.
    I’m glad that I’ve found your article.
    By the way, scammer asked for 1.900 $

      1. MerryMoose

        OMG, it’s discriminate billing!

        First it was phone and cable companies, and now sextortionists are participating in the practice.

        Times are changing 🙁

  4. JB

    The solution to this is simple, the era of the password is coming to an end, Multi-Factor Authentication is the key to our salvation. Two Factor is a good start if you really can’t shake the password habit. If you want to get crazy add biometrics to the mix.

  5. Chris

    Got one today and freaked me out. Used an old password. The email you post is almost identical.

  6. Guido

    I just got one of these and the ironic thing was, the password was the one I use to access PORN SITES.

  7. cr

    Thank you for the informative and reassuring article.
    I have gotten two of the same extortion emails in the last week, along with an old password associated with my account to make it seem like they have something on me that they do not. They asked for $1900 from me lol.
    The only twist that may or may not be related is that right after i opened these emails, i started getting several calls on my cell phone from a caller who was listed as “Unknown.” Four in a row last night after I opened the email.
    Then later last night the unknown caller called again at 442 am and 446 am, waking me up. I tried to block them but my attempts so far did not work. I cannot say it is related to the email threat extortion, but it seems awfully coincidental.
    I knew it was a scam because I have an external webcam on the computer I usually use and it sits in my drawer unused 99% of the time, and has been unused for six months at least, with the lens right up against the inside of my drawer I keep it in.
    Nonetheless, along with the phone calls the email threats are a bit unsettling. I had to get a new credit card a month or so ago because my info was leaked in a major security breach on line too.

    1. JB

      Get yourself a copy of the app Mr. Number, it will stop scam callers dead in their tracks. I use it on all of my phones, works like a charm. If you get a call that slips through you can report it as spam so other people don’t get the same call.

    2. Russ

      Camera in your drawers? No wonder you got hit. : )

  8. Andrew Gerber

    I got one too; I didn’t even recognize the account or password.
    And I don’t have a webcam at all on my home computer! I bet they still get money from this scam.

  9. Jay

    Also got this today. Old email address still viewed at times. Pass was legit variation of pass I’ve been using a long time so can’t pinpoint the breach it’s from. Changing everything to new password scheme. Was concerned until I saw the address was old. I’m happy for folks they are finding this site rather than panicking and feeding into this jackass. Thanks Krebs

  10. JCitizen

    Phew! Good thing I don’t go to porn sites! 😉

    It wouldn’t matter anyway, as my anti-virus blocks web-cams with a feature called web-cam shield. Avast is always ahead of the pack!!

  11. Rebecca

    Got the very same one today only my password is a recent password. What do I do?

    1. JB

      Step 1: Change your password at any site that uses that password.

      Step 2: Enable Two Factor Authentication on any site that allows it.

      Step 3: Relax.

      1. SeymourB

        As part of step 1 I’d make each site use a unique password. That way if it happens again you’ll know exactly which site got compromised.

        Just say no to password reuse.

        1. Japher

          Different password for every site… which is why my password vault has 1800+ passwords in it.

        2. JB

          Nothing wrong with using the same password for all sites that have 2+FA, as a matter of fact it may be a good idea. If a criminal gets your password and starts doing the rounds your e-mail will start filling up with warnings from all of the sites with multi-factor auth letting you know something is up. Not to mention the constant text messages from the same sites sending you codes you did not ask for.

  12. Sean

    I received this too and glad I got this website. So people getting this 2 days in a row had no issues? How do you know if a key logger is on your sight.

  13. David

    Here is an email I received today 7/12/2018
    Subject Line had my user name and PW

    It seems that, XXX, is your pass word. You may not know me and you’re most likely wondering why you are getting this e mail, right?

    In fact, I actually installed a malware on the adult video clips (sexually graphic) site and you know what, you visited this site to experience fun (you know what I mean). While you were watching videos, your internet browser began functioning as a RDP (Remote control Desktop) that has a key logger which provided me with access to your display and web cam. Right after that, my software obtained your entire contacts from your Messenger, FB, and email.

    What did I do?

    I created a double-screen video. 1st part shows the video you were viewing (you’ve got a fine taste hehe), and next part displays the recording of your web cam.

    exactly what should you do?

    Well, in my opinion, $2900 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).

    BTC Address: 1KSD5DmkSo7y9xJ2qXdnn7UjNLNCebf4bf
    (It is cAsE sensitive, so copy and paste it)

    Note:
    You now have one day to make the payment. (I have a specific pixel in this email, and at this moment I know that you have read this e-mail). If I don’t receive the BitCoins, I will send out your video recording to all of your contacts including close relatives, colleagues, and so on. Having said that, if I receive the payment, I will erase the video immidiately. If you need evidence, reply with “Yes!” and I will certainly send your video recording to your 15 contacts. This is the non-negotiable offer, so do not waste my time and yours by replying to this message.

  14. Alex

    Does everyone have HP or Mac computers that have received this email?

    1. Martha

      I got it today on my HP. Current (and old) password. I am changing all of them, but I just feel like someone needs to be notified about this. It’s extortion, even if it is a scam. Is there anything we can do?

  15. Kasper

    I got this as well, and I have a Dell laptop. It happened the second after I registered on a game on Facebook using that password. The game was Forge Empires or something.

    1. JB

      Everyone blames the porn sites but truthfully the gaming sites are where you will find most of the malicious stuff hiding. My 11 year old can tell you that.

  16. MrObvious

    I got one too, without the old password, but demanding $1900.

    As to what to do about them:
    1) Ignore the email. It is a HOAX. It isn’t real. It’s a fantasy of a script kiddie who couldn’t do what he claimed. If he COULD make a side by side video of you and a porn site, don’t you think a screen capture, i.e. one incriminating frame out of the video, would result in more payments to him?
    2) If you don’t have your webcam covered with a sticky note when not in use, do it NOW.
    3) A keylogger only works on YOUR machine. Putting a keylogger on a website is useless. Putting malware that you might be tricked into downloading COULD put a keylogger on your machine.
    4) If you think your machine has ANY malware on it, get help from an expert, or just go ahead and reformat it. Once you have had malware, you can never be sure it is completely eradicated.

    1. SeymourB

      Putting a keylogger on a website basically means capturing passwords entered to that website. It’s far more likely for the password database to be compromised but ehhh whatever.

      I’d just disable the webcam’s driver, that way the OS doesn’t even see that a webcam is available for use. However it can come back during driver or OS updates so it’s a little less simple. Another option would be to open up the system or display and disconnect the camera. Then you rely on an external camera that you hook up when you need a camera and disconnect it when you don’t.

      My worry about the post-it notes of the world is that it’s not permanent and they can slip off. Well duh you notice it, but people aren’t always that observant.

      1. Reader

        You don’t need a whole post it note. Cut it to size, stick it over the camera, cover with a bit of scotch tape. Comes off easily if needed, but won’t fall off.

  17. Lee

    I’ve not received an extortion threat. Why was I not invited to the party?

  18. JustSayin

    I got one too. Old password and haven’t used in a decade. If worried, don’t be. This is a trick to get you to pay up. If they net one person then they have won. Change passwords, use two factor authentication when possible, and I concur Mr Obvious’ post. Don’t be a victim, be proactive.

  19. David

    This is what I received today at 11:37 am July 12, 2018 at my work email

    It seems that, chowder, is your pass word. You may not know me and you’re most likely wondering why you are getting this e mail, right?

    In fact, I actually installed a malware on the adult video clips (sexually graphic) site and you know what, you visited this site to experience fun (you know what I mean). While you were watching videos, your internet browser began functioning as a RDP (Remote control Desktop) that has a key logger which provided me with access to your display and web cam. Right after that, my software obtained your entire contacts from your Messenger, FB, and email.

    What did I do?

    I created a double-screen video. 1st part shows the video you were viewing (you’ve got a fine taste hehe), and next part displays the recording of your web cam.

    exactly what should you do?

    Well, in my opinion, $2900 is a fair price for our little secret. You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).

    BTC Address: 1KSD5DmkSo7y9xJ2qXdnn7UjNLNCebf4bf
    (It is cAsE sensitive, so copy and paste it)

    Note:
    You now have one day to make the payment. (I have a specific pixel in this email, and at this moment I know that you have read this e-mail). If I don’t receive the BitCoins, I will send out your video recording to all of your contacts including close relatives, colleagues, and so on. Having said that, if I receive the payment, I will erase the video immidiately. If you need evidence, reply with “Yes!” and I will certainly send your video recording to your 15 contacts. This is the non-negotiable offer, so do not waste my time and yours by replying to this message.

    Nothing is terrible except fear itself. -Francis Bacon
    John Kenneth Galbraith~ Economics is extremely useful as a form of employment for economists.
    Get thy spindle and thy distaff ready, and God will send flax. – Darkovan Proverb
    Bette Midler~ I never know how much of what I say is true.
    What’s it called when a vampire kisses you goodnight? Necking.
    Redneck Insult: The wheels still turning, but the hamsters dead
    Yo mama’s so fat, when she was in school she sat next to everybody!
    Will Rogers~ Im not a real movie star. Ive still got the same wife I started out with twenty-eight years ago.
    Ralph Waldo Emerson~ I awoke with devout thanksgiving for my friends.
    Always the beautiful answer who asks a more beautiful question. -E E Cummings
    Jim~ The truth which makes men free is for the most part the truth which men prefer not to hear.
    Blondes arent dumm
    Antione De Riveral~ The sword of justice has no scabbard.
    James Magary~ Computers can figure out all kinds of problems except the things in the world that just dont add up.
    H.L. Mencken~ To die for an idea it is unquestionably noble. But how much nobler it would be if men died for ideas that were true
    Chinese Proverb~ With true friends…even water drunk together is sweet enough.
    Rudyard Kipling~ Funny how the new things are the old things.
    Treat anger like gold. Spend it wisely or not at all.
    I don’t find it hard to meet expenses. They’re everywhere.
    Doctor Luther’s shoes do not fit every parish priest. – German Proverb
    There is nothing so good for the inside of a man as the outside of a horse. – Darkovan Proverb
    Between saying and doing, many a pair of shoes is worn out. – Italian Proverb
    Kahlil Gibran~ We were a silent hidden thought in the folds of oblivion and we have become a voice that causes the heavens to tremble.
    Between whom there is hearty truth, there is love. -Henry David Thoreau
    Victory belongs to the most persevering. -Andre Norton
    Ella Wheeler Wilcox~ Love much. Earth has enough of bitter in it.
    John Fitzgerald Kennedy~ Those who make peaceful revolution impossible will make violen trevolution inevitable.
    No wonder lasts more than three days. – Italian Proverb
    Your gene pool needs a little chlorine!
    You don’t write because you want to say something, you write because you’ve got something to say. -F. Scott Fitzgerald
    Think of many things, do one. – Portuguese Proverb
    Save California! When you leave take someone with you.
    Buckets of bug blood, buckets of bug blood, buckets of bug blood
    Francis Bacon~ Some books are to be tasted others swallowed and some few to be chewed and digested.
    I haven’t spoken to my wife for 18 months! – I don’t like to interrupt her.
    You just may be a #catnut if: You plan your vacation around the cat show schedule.

  20. Vistar

    Just received the same threat. I don’t even own a web camera. (password was accurate)

  21. BSDLR

    This was mine.
    Tue 7/10/2018 8:52 AM

    paste:>

    Good morning, flopper.
    I text you because I uploaded the virus on a web page with porn which you have gone on.
    My malware collected all your private information and turned on your web-camera that captured the act of your onanism. Further my malware copied your contact list.
    I will delete the compromising video and info if you send me 390 USD in bitcoins.
    Use this bitcoin address to pay: 148J4VDozUegTsTPqHUdyzeQzupsjwok9J

    I give you 30 hours after clicking on this message to complete the transaction.
    There is no need to write me that you have sent money to me. This address is given only to you, everything will be deleted automatically after payment confirmation.
    You can get 48 h only write back +.
    You can visit the police station but they will not solve your problem.
    I am foreigner. So they can not catch me even for 8 months.
    All the best. Think about the shame.

  22. Craig

    I got one this morning at my business email address; same wording, with an actual password from a social site where I do not use my real name. The attack email came to my business account but the password they were using was a real password from a social site and the social site never had my business email address. I have no idea how they put that password together with my business email and that’s what scared me about it, because it seemed like the only way they could do that is if they were actually in my computer. For those posting here, has anyone’s information actually been released after a day or two?

    1. Chris

      I receive an almost identical email message to a work account that I have had for years. And the scary part was the password listed is almost identical to the password I use to login to my work computer. I had no idea how they linked the 2 but am guessing there is hacked data somewhere that provided the link. I did realize that the password I’ve been using is one I may have used about 8 years ago. It was a good reason to upgrade my anti-virus software and run a full scan on my laptop. Have also used the scare to update all my passwords so they are nothing like the old ones. Would be nice if the authorities put a trace on the source of this scam.

    2. BSDLR

      Ours was a business related email also. A 10 + year old address at that.
      It was a position titled email address. I am the “catch all”. We have had DNS filters at the edge for years here so i am extremely confident that the email that got hit did not visit porn:) haha.. yea i highly doubt there will ever be any releases of improper browsing habits. We have gotten a whole lot of fake GoDaddy “reset your password” to our domain name emails lately too. Scammers irritate the heck outa me!!

    3. Quid

      Craig,

      Just speculation on possibilities of how your two accounts were connected by the bad guy….

      Even if your real name and business email was not used on the social site in question, did you have a secondary email of any kind set up as a backup email address? If so, did that secondary site perhaps use your business email as *its* secondary/backup email address? In essence setting up a domino effect attack.

      Here is a 2012 article that is still pertinent today on the hazards of chained accounts, if not set up properly.
      Ref: https://www.wired.com/2012/11/ff-mat-honan-password-hacker/

      Have you searched all your various email addresses on HIBP for potential breaches? Ref: https://haveibeenpwned.com/

      From the HIBP site:

      “LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
      Compromised data: Email addresses, Passwords”

      Found out only last week that my old “clever” 13 character password originally setup on LinkedIn from the hack back in 2012 was available free and clear on the web. Fortunately, I dutifully changed it within a few hours after the announcement of the hack 6 years ago to something less clever, much longer and randomized.

      Also both the primary and backup email accounts need to have 2FA/MFA turned on.

      Ref: https://twofactorauth.org/

  23. Gary

    I got one yesterday that didn’t even use an old password, unless it was a throwaway from years ago. I do love that the scammer is getting his money in Bitcoin, so we can all share the addresses.

    1Unoc4af6gCq3xzdDFmGLpq18jbTW1nZD

  24. Matt

    Thanks for the article Krebs!

    I got the same email this morning. Pure copy and paste from what you have posted above. The demand was 2900.

    I was suspicious though as
    – while we have a PC we do not use it at all. No web surfing. They are basically for file archives
    – we normally use our iPads
    – email address was an old email school account that I have not used actively for a full decade but for which I get forwarded notes from my alma mater.

    The password was correct but then again I have not changed it in a while.

    I have since changed my passwords at my old school account. Also remaining calm. Thank you for this tip.

    Anything else I should consider doing to safeguard other than the sticky tape on cameras? Also, malware possible on Apple products such as iPhone and IPads?

    Thanks again

  25. pjc

    I got one today as well. A few months ago I downloaded some giant database of hacked passwords. There was only one that I no longer use after Yahoo was hacked. Of course that was the one in the email message. A couple months ago I switched to a password manager and use very long passwords and use two factor authorization where available. I have been meaning to cover the camera lens.

  26. Ed

    Got one as well 11:40 est demanding $2900. Slight variation on others, included an old password and also had this at the bottom.

    “It’s in your moments of decision that your destiny is shaped. -Anthony Robbins
    The gentle calf sucks all the cows. – Portuguese Proverb
    Elbert Hubbard~ The love we give away is the only love we keep.
    If the doors of perception were cleansed everything would appear to man as it is, infinite. -William Blake
    Choose the life that is most useful, and habit will make it the most agreeable. -Francis Bacon
    William Carlos Williams~ In summer the song sings itself.
    Patient (to cosmetic surgeon): Will it hurt me, doctor? Surgeon: Only when you get my bill, Mrs Brown.
    One man beats the bush, another catcheth the bird. – Spanish Proverb
    The great lie of the news media: “I am the public”.
    Man’s real life is happy, chiefly because he is ever expecting that it soon will be so. -Edgar Allan Poe
    I drive way too fast to worry about cholesterol.
    Michel de Montaigne~ I prefer the company of peasants because they have not been educated sufficiently to reason incorrectly.
    Alan Coren~ Democracy consists of choosing your dictators after theyve told you what it is you want to hear.
    The old saints are forgotten in the new. – Portuguese Proverb
    Allah gives and forgives, Man gets and forgets.
    Flies fly but a fly flies.
    Honey is not for the ass’s mouth. – Portuguese Proverb
    Man is a peculiar creature. He spends a fortune making his home insect-proof and air-conditioned, and then eats in the yard.
    Perpetual devotion to what a man calls his business, is only to be sustained by perpetual neglect of many other things. – Robert Louis Stevenson
    Why don’t ghosts make good magicians. You can see right through their tricks.
    George Bernard Shaw~ There are no secrets better kept than the secrets that everybody guesses.
    All be the same in a hundred years. – English Proverb
    Luck is not chance – It’s Toil – Fortune’s expensive smile – Is earned. – Emily Dickinson
    It is hard for an empty bag to stand upright. -Benjamin Franklin
    Raymond Holliwell~ Desire creates the power.
    Always yield to temptation. It may never pass your way again.
    Just Do It. -Nike
    Anger is a symptom, a way of cloaking and expressing feelings too awful to experience directly — hurt, bitterness, grief, and most of all fear
    Thomas Fuller~ Be not extravagantly high in expression of thy commendations of men thou likest it may make the hearers stomach rise.
    If someone says something unkind about me, I must live so that no one will believe it.
    Robert Townsend~ When you get right down to it one of the most important tasks of a leader is to eliminate his peoples excuse for failure.
    Who opened the cattleguard?
    Benjamin Franklin~ There never was a good war or a bad peace.
    There are some who see ill, and would like to see worse. – Italian Proverb
    Eat with him, and beware of him. – Portuguese Proverb
    Knock Knock. Who’s there! Bethany! Bethany who? Bethany good movies recently!”

  27. Erek

    I got one today, same wording. but the password was from an email account that was just hacked a few days ago. The password was in use at the time.
    The hacker deleted all 7K+ contacts I had and created a rule that deleted all incoming email. They also emailed a link to a google drive doc to all my contacts.
    Time to sign up with an encrypted password manager like the experts have been recommending for some time.

  28. John Fix

    Both my wife and I received the email, my password was a very old one from linkedin.com (a generated random password from Lastpass) while hers was an old throwaway password.
