12 Jul 18

Sextortion Scam Uses Recipient’s Hacked Passwords

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers may begin latching onto this method as well.
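For mail administrators, here is one way to triage messages built on the template quoted above: count its wording cues and require a payment address that passes the Base58Check checksum. This is an added example, not code from KrebsOnSecurity or the FBI; the cue list, the thresholds, the function names and both sample messages are assumptions constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58Check address shape: leading 1 or 3, 26-35 characters in total.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Wording cues drawn from the scam template quoted in the article.
CUES = {
    "password_hook": re.compile(r"\bis your password\b", re.I),
    "webcam_claim": re.compile(r"\bweb-?cam(era)?\b", re.I),
    "payment_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*hours\b", re.I),
    "exposure_threat": re.compile(r"\bcontacts?\b", re.I),
}

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, body: bytes) -> str:
    """Encode version+body+checksum; used only to build the constructed sample."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_btc_address(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and _checksum(raw[:-4]) == raw[-4:]

def triage(body: str) -> dict:
    """Score one message body: wording cues plus checksum-valid payment addresses."""
    cues = sorted(name for name, rx in CUES.items() if rx.search(body))
    addresses = [a for a in dict.fromkeys(CANDIDATE.findall(body)) if is_valid_btc_address(a)]
    if len(cues) >= 3:
        verdict = "quarantine" if addresses else "review"
    else:
        verdict = "deliver"
    return {"cues": cues, "addresses": addresses, "verdict": verdict}

# Constructed samples: the address is derived from dummy bytes, not a real wallet.
SAMPLE_ADDR = b58check_encode(0x00, bytes(range(1, 21)))
SAMPLE_SCAM = (
    "I'm aware that Example-Passw0rd is your password. I recorded your webcam. "
    "You have 24 hours or the video goes to all of your contacts. "
    f"Pay via Bitcoin. BTC Address: {SAMPLE_ADDR}"
)
SAMPLE_BENIGN = "Reminder: the Bitcoin custody webinar starts in 2 hours."

if __name__ == "__main__":
    for label, msg in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, triage(msg))
```

Requiring a checksum-valid address keeps ordinary mail that merely mentions Bitcoin out of quarantine, and the extracted addresses can be shared as indicators across reports of the same campaign.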

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


476 comments

  1. Yes, I got one, also. It was demanding $2900.00. We also keep our cameras taped over.

    • I also got this email today, with a valid “throw-away” password that I use for non-value log ins. It also demanded 2900$. Since no evidence was provided (screen capture, etc) I dismissed it as a scam. Scary though, to include a valid password, even one meant to be hacked.

    • But don’t you think one of these is actually real? I mean maybe someone actually recorded it and it’s a real threat?

    • Some asshole just tried the same thing with me.

  2. Got this myself today. The password I got was a partial password to what I’m currently using on my email. Was it everyone else full password?

  3. I received the same email and I have never gone on any porn sites here at work or at home. I received this at my worm, but the only scary thing is they had part of my password right for my banking. Changed that right away

    • Wow, I got one at my worm as well!

      • Dang, my worm only gets facsimiles. I feel so techdated!

        On the other hand, mine asked for $2,900, so at least I’m getting a more ambitious class of scammer. Although I’m somewhat jealous that some here actually got a black mail threat using the word ‘onanism’; maybe I’m just getting a greedier class of scammer. 8(

  4. Just received this email today.
    It shows an actual password that I only use to log on to forums, but I have used it for years.
    I’m glad that I’ve found your article.
    By the way, scammer asked for 1.900 $

  5. The solution to this is simple, the era of the password is coming to an end, Multi-Factor Authentication is the key to our salvation. Two Factor is a good start if you really can’t shake the password habit. If you want to get crazy add biometrics to the mix.

  6. Got one today and freaked me out. Used an old password. The email you post is almost identical.

  7. I received this 2 days in a row now.

  8. I just got one of these and the ironic thing was, the password was the one I use to access PORN SITES.

  9. Thank you for the informative and reassuring article.
    I have gotten two of the same extortion emails in the last week, along with an old password associated with my account to make it seem like they have something on me that they do not. They asked for $1900 from me lol.
    The only twist that may or may not be related is that right after I opened these emails, I started getting several calls on my cell phone from a caller who was listed as “Unknown.” Four in a row last night after I opened the email.
    Then later last night the unknown caller called again at 442 am and 446 am, waking me up. I tried to block them but my attempts so far did not work. I cannot say it is related to the email threat extortion, but it seems awfully coincidental.
    I knew it was a scam because I have an external webcam on the computer I usually use and it sits in my drawer unused 99% of the time, and has been unused for six months at least, with the lens right up against the inside of my drawer I keep it in.
    Nonetheless, along with the phone calls the email threats are a bit unsettling. I had to get a new credit card a month or so ago because my info was leaked in a major security breach on line too.

    • Get yourself a copy of the app Mr. Number, it will stop scam callers dead in their tracks. I use it on all of my phones, works like a charm. If you get a call that slips through you can report it as spam so other people don’t get the same call.

    • Camera in your drawers? No wonder you got hit. : )

  10. Andrew Gerber

    I got one too; I didn’t even recognize the account or password.
    And I don’t have a webcam at all on my home computer! I bet they still get money from this scam.

  11. one victim has fallen for this version of the scam https://www.blockchain.com/en/btc/address/1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 as of 7th July

  12. Also got this today. Old email address still viewed at times. Pass was legit variation of pass I’ve been using a long time so can’t pinpoint the breach it’s from. Changing everything to new password scheme. Was concerned until I saw the address was old. I’m happy for folks they are finding this site rather than panicking and feeding into this jackass. Thanks Krebs

  13. Phew! Good thing I don’t go to porn sites! 😉

    It wouldn’t matter anyway, as my anti-virus blocks web-cams with a feature called web-cam shield. Avast is always ahead of the pack!!

  14. Got the very same one today only my password is a recent password. What do I do?

    • Step 1: Change your password at any site that uses that password.

      Step 2: Enable Two Factor Authentication on any site that allows it.

      Step 3: Relax.

      • As part of step 1 I’d make each site use a unique password. That way if it happens again you’ll know exactly which site got compromised.

        Just say no to password reuse.

        • Different password for every site… which is why my password vault has 1800+ passwords in it.

        • Nothing wrong with using the same password for all sites that have 2+FA, as a matter of fact it may be a good idea. If a criminal gets your password and starts doing the rounds your e-mail will start filling up with warnings from all of the sites with multi-factor auth letting you know something is up. Not to mention the constant text messages from the same sites sending you codes you did not ask for.

  15. I received this too and glad I got this website. So people getting this 2 days in a row had no issues? How do you know if a key logger is on your sight.

  16. Does everyone have HP or Mac computers that have received this email?

    • I got it today on my HP. Current (and old) password. I am changing all of them, but I just feel like someone needs to be notified about this. It’s extortion, even if it is a scam. Is there anything we can do?

  17. I got this as well, and I have a Dell laptop. It happened the second after I registered on a game on Facebook using that password. The game was Forge Empires or something.

    • Everyone blames the porn sites but truthfully the gaming sites are where you will find most of the malicious stuff hiding. My 11 year old can tell you that.

  18. I got one too, without the old password, but demanding $1900.

    As to what to do about them:
    1) Ignore the email. It is a HOAX. It isn’t real. It’s a fantasy of a script kiddie who couldn’t do what he claimed. If he COULD make a side by side video of you and a porn site, don’t you think a screen capture, i.e. one incriminating frame out of the video, would result in more payments to him?
    2) If you don’t have your webcam covered with a sticky note when not in use, do it NOW.
    3) A keylogger only works on YOUR machine. Putting a keylogger on a website is useless. Putting malware that you might be tricked into downloading COULD put a keylogger on your machine.
    4) If you think your machine has ANY malware on it, get help from an expert, or just go ahead and reformat it. Once you have had malware, you can never be sure it is completely eradicated.

    • Putting a keylogger on a website basically means capturing passwords entered to that website. It’s far more likely for the password database to be compromised but ehhh whatever.

      I’d just disable the webcam’s driver, that way the OS doesn’t even see that a webcam is available for use. However it can come back during driver or OS updates so it’s a little less simple. Another option would be to open up the system or display and disconnect the camera. Then you rely on an external camera that you hook up when you need a camera and disconnect it when you don’t.

      My worry about the post-it notes of the world is that it’s not permanent and they can slip off. Well duh you notice it, but people aren’t always that observant.

      • You don’t need a whole post it note. Cut it to size, stick it over the camera, cover with a bit of scotch tape. Comes off easily if needed, but won’t fall off.

  19. I’ve not received an extortion threat. Why was I not invited to the party?

  20. I got one too. Old password and haven’t used in a decade. If worried, don’t be. This is a trick to get you to pay up. If they net one person then they have won. Change passwords, use two factor authentication when possible, and I concur Mr Obvious’ post. Don’t be a victim, be proactive.

  21. Just received the same threat. I don’t even own a web camera. (password was accurate)

  22. This was mine.
    Tue 7/10/2018 8:52 AM

    paste:>

    Good morning, flopper.
    I text you because I uploaded the virus on a web page with porn which you have gone on.
    My malware collected all your private information and turned on your web-camera that captured the act of your onanism. Further my malware copied your contact list.
    I will delete the compromising video and info if you send me 390 USD in bitcoins.
    Use this bitcoin address to pay: 148J4VDozUegTsTPqHUdyzeQzupsjwok9J

    I give you 30 hours after clicking on this message to complete the transaction.
    There is no need to write me that you have sent money to me. This address is given only to you, everything will be deleted automatically after payment confirmation.
    You can get 48 h only write back +.
    You can visit the police station but they will not solve your problem.
    I am foreigner. So they can not catch me even for 8 months.
    All the best. Think about the shame.

  23. I got one this morning at my business email address; same wording, with an actual password from a social site where I do not use my real name. The attack email came to my business account but the password they were using was a real password from a social site and the social site never had my business email address. I have no idea how they put that password together with my business email and that’s what scared me about it, because it seemed like the only way they could do that is if they were actually in my computer. For those posting here, has anyone’s information actually been released after a day or two?

    • I received an almost identical email message to a work account that I have had for years. And the scary part was the password listed is almost identical to the password I use to login to my work computer. I had no idea how they linked the 2 but am guessing there is hacked data somewhere that provided the link. I did realize that the password I’ve been using is one I may have used about 8 years ago. It was a good reason to upgrade my anti-virus software and run a full scan on my laptop. Have also used the scare to update all my passwords so they are nothing like the old ones. Would be nice if the authorities put a trace on the source of this scam.

    • Ours was a business related email also. A 10 + year old address at that.
      It was a position titled email address. I am the “catch all”. We have had DNS filters at the edge for years here so I am extremely confident that the email that got hit did not visit porn:) haha.. yea I highly doubt there will ever be any releases of improper browsing habits. We have gotten a whole lot of fake GoDaddy “reset your password” to our domain name emails lately too. Scammers irritate the heck outa me!!

    • Craig,

      Just speculation on possibilities of how your two accounts were connected by the bad guy….

      Even if your real name and business email was not used on the social site in question, did you have a secondary email of any kind set up as a backup email address? If so, did that secondary site perhaps use your business email as *its* secondary/backup email address? In essence setting up a domino effect attack.

      Here is a 2012 article that is still pertinent today on the hazards of chained accounts, if not set up properly.
      Ref: https://www.wired.com/2012/11/ff-mat-honan-password-hacker/

      Have you searched all your various email addresses on HIBP for potential breaches? Ref: https://haveibeenpwned.com/

      From the HIBP site:

      “LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.
      Compromised data: Email addresses, Passwords”

      Found out only last week that my old “clever” 13 character password originally setup on LinkedIn from the hack back in 2012 was available free and clear on the web. Fortunately, I dutifully changed it within a few hours after the announcement of the hack 6 years ago to something less clever, much longer and randomized.

      Also both the primary and backup email accounts need to have 2FA/MFA turned on.

      Ref: https://twofactorauth.org/

  24. I got one yesterday that didn’t even use an old password, unless it was a throwaway from years ago. I do love that the scammer is getting his money in Bitcoin, so we can all share the addresses.

    1Unoc4af6gCq3xzdDFmGLpq18jbTW1nZD

  25. Thanks for the article Krebs!

    I got the same email this morning. Pure copy and paste from what you have posted above. The demand was 2900.

    I was suspicious though as
    – while we have a PC we do not use it at all. No web surfing. They are basically for file archives
    – we normally use our iPads
    – email address was an old email school account that I have not used actively for a full decade but for which I get forwarded notes from my alma mater.

    The password was correct but then again I have not changed it in a while.

    I have since changed my passwords at my old school account. Also remaining calm. Thank you for this tip.

    Anything else I should consider doing to safeguard other than the sticky tape on cameras? Also, malware possible on Apple products such as iPhone and iPads?

    Thanks again

  26. I got one today as well. A few months ago I downloaded some giant database of hacked passwords. There was only one that I no longer use after Yahoo was hacked. Of course that was the one in the email message. A couple months ago I switched to a password manager and use very long passwords and use two factor authorization where available. I have been meaning to cover the camera lens.

  27. I got one today, same wording. but the password was from an email account that was just hacked a few days ago. The password was in use at the time.
    The hacker deleted all 7K+ contacts I had and created a rule that deleted all incoming email. They also emailed a link to a google drive doc to all my contacts.
    Time to sign up with an encrypted password manager like the experts have been recommending for some time.

  28. Both my wife and I received the email, my password was a very old one from linkedin.com (a generated random password from Lastpass) while hers was an old throwaway password.

  29. So I got the same email today and is the same as in the example asking for 2900……funny thing is, I haven’t used a personal home computer in 10 years, I do have a machine that is 15 years old and I have never been technically smart enough to use a web cam, I only use my phone. The password is an old password I haven’t used in several years, almost forgot it….and I don’t visit porn sites, so the joke is on them HAHA…..

  30. I got it on my work email today.
