July 12, 2018

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


1,076 thoughts on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. Tanis Huston

    So I got the same email today and it is the same as in the example, asking for 2900……funny thing is, I haven’t used a personal home computer in 10 years, I do have a machine that is 15 years old and I have never been technically smart enough to use a web cam, I only use my phone. The password is an old password I haven’t used in several years, almost forgot it….and I don’t visit porn sites, so the joke is on them HAHA…..

  2. Ruben Dodge

    Personally, I can say that I know of at least a dozen cases where this was received. And in all cases it was directly correlated to the LinkedIn data breach as the common denominator.

    I think at this point it’s pretty apparent the threat actor likely used the LinkedIn data to fill in the small number of changes to the template (username and password) and counted on password re-use to make the user believe their story was accurate.

    Also, I wouldn’t doubt that the threat actor decided that the best way to avoid Email Subject based spam filters was to include that highly unique data (username and password) in the subject. Further, in all dozen cases of the received emails the senders were from Outlook.com so either they set up all those accounts in advance or have access to a range of hacked outlook.com accounts.

    Also, just a few more points regarding this: it obviously wasn’t meant to target those with technical understanding of how things work. It was meant to target the less tech savvy who would actually believe the extraordinary claims made in the email itself.

    To be honest there’s a number of ways this could have been worse had the threat actor actually had some intelligence. But I will leave the finer points of how that could have been accomplished to the imagination. Since obviously they can’t come up with anything that amazing themselves I don’t need to spoon feed them ideas…. Hopefully their lack of intelligence gets them caught.

    1. Jay

      Interesting … I was caught by LinkedIn, but unfortunately that primary email address does not exist anymore (it was a Yahoo address, I moved all my accounts and deleted it for obvious reasons). I would have liked to see what password I was using and make sure I’m not using it anywhere now. Further into the looking-glass we go, this time I find myself feeling left out that I wasn’t blackmailed, lol

    2. JB

      Were they really from outlook.com or did it just appear that way? It is very easy to fake the sender of an e-mail and make it look like it came from somewhere legitimate. To know for sure you have to dig deep into the e-mail headers and figure out the path the e-mail took to get to you. If you have access to the e-mail and would not mind posting the headers here it may be interesting to some of us. Feel free to redact any sensitive personally identifiable information.

  3. JA

    Got the email today, password associated with recent Ticketmaster hack! SCAM

  4. Flower elf

    I got the same one today. Asked for $2900. I don’t visit porn sites or even watch videos on my computer. Strangely, the email showed up on my iPad but not on my PC.

    1. Scott Fleming

      Ha, I got the exact same one. $2900.

  5. Nick

    I received one of these, about 10 hours ago. If you maintain a Linux or UNIX server (or have a system administrator who does) and have access to SpamAssassin, add this to /etc/mail/spamassassin/local.cf

    body LOC_NO_EXTORT1_ALL /You have 24 hours in order to make the payment/
    score LOC_NO_EXTORT1_ALL 9.9
    body LOC_NO_EXTORT2_ALL /I made a split-screen video/
    score LOC_NO_EXTORT2_ALL 9.9
    body LOC_NO_EXTORT3_ALL /I actually placed a malware on the porn website/
    score LOC_NO_EXTORT3_ALL 9.9
    body LOC_NO_EXTORT4_ALL /I will send your video to all of your contacts including/
    score LOC_NO_EXTORT4_ALL 9.9

    That will flag it as SPAM and, depending how the server is set up, it will go to a SPAM folder.

    Also, if you have a facebook account, chances are, this is where they got your user id and password from.

    By the way, something more robust is probably required in the various tools that block SPAM. FYI, this is one of three places I have seen comments about receiving this particular e-mail. It is quite possible this went out to thousands of people.

    1. Joe

      The password was for sure not from my FB account. I have used it only on sites I didn’t care much about.
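Added example (not from the article or any commenter): a small Python triage script that scores a message body against the same template phrases Nick’s SpamAssassin rules in comment 5 match on, and pulls out any Bitcoin payment address in the body, rejecting address-shaped tokens whose Base58Check checksum does not verify. The sample message is constructed from the template sentences quoted in the article; the valid address in it is the well-known Bitcoin genesis-block address, and the second one is that address with its last character altered.

```python
import hashlib
import re

# Phrases from the scam template quoted in the article; the rule names mirror the
# SpamAssassin "body" rules posted in comment 5, each hit scoring 9.9 like its "score" lines.
TEMPLATE_RULES = {
    "LOC_NO_EXTORT1_ALL": "You have 24 hours in order to make the payment",
    "LOC_NO_EXTORT2_ALL": "I made a split-screen video",
    "LOC_NO_EXTORT3_ALL": "I actually placed a malware on the porn website",
    "LOC_NO_EXTORT4_ALL": "I will send your video to all of your contacts including",
}
RULE_SCORE = 9.9
REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Legacy Bitcoin addresses (the "1..." form in the scam) are Base58Check strings of 26-35 chars.
BTC_CANDIDATE_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_valid(addr):
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a leading zero byte (the 0x00 version byte of "1..." addresses).
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def score_body(body):
    """Return (total score, names of the template rules that matched)."""
    hits = [name for name, phrase in TEMPLATE_RULES.items() if phrase in body]
    return len(hits) * RULE_SCORE, hits


def payment_addresses(body):
    """Map each address-shaped token in the body to whether its checksum verifies."""
    return {a: base58check_valid(a) for a in BTC_CANDIDATE_RE.findall(body)}


def triage(body):
    score, hits = score_body(body)
    return {"is_spam": score >= REQUIRED_SCORE, "score": score,
            "rules": hits, "btc": payment_addresses(body)}


# Constructed sample built from the template's sentences (the password is made up).
SAMPLE_SCAM = """I'm aware that oldpassword123 is your password.
Well, I actually placed a malware on the porn website and guess what, you visited it.
I made a split-screen video. You have 24 hours in order to make the payment.
BTC Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (or 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)
If I don't get the payment, I will send your video to all of your contacts including relatives."""

if __name__ == "__main__":
    print(triage(SAMPLE_SCAM))
```

A phrase list this literal is easy for the scammer to vary, so the score is a cheap first filter; the extracted, checksum-verified address is the stable artifact worth reporting alongside the headers.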

  6. Linda Crabtree

    I received one last night: same wording, same $2,900, and then this afternoon a phone call telling me the Royal Canadian Mounted Police is going to come to my house and take me away for income tax evasion or something like that. I’m a quadriplegic. Porn sites don’t really do it for me and if the RCMP want me, well, let’s go boys, I haven’t had a vacation in 20 years. And yes, the password was correct but very old and one I only used for Skype, but not anymore. Thanks, Krebs, Apple put me on to you.

  7. Gra Gra

    Yep got one as well. Was requested to pay $2,900 and nearly did until I started reading more and subsequently popping a Prozac in to calm me. Great support online and thank you all for posting. At my age I hardly care if my activities get posted online but the thought that someone can get your information even if only 5 to 10 years old is scary stuff.
    (can’t remember if the camera was on or not lol)

  8. Lynda

    I got one today, too. It had an old pw. Created new ones.
    Asked for $2,900.00
    BTC Address: 181JdCDdXKFeWZzueNHyp1SjYpJ93hesYn

  9. Tim Win

    Hello Krebs, My wife received this email today almost verbatim in her work email stating an old password which was correct. The thing that concerned us is it specified the number of contacts she had in her e-mail; we confirmed the number matched….. She only has 12 contacts in her email. Was it a lucky guess? Was there actually somebody poking around inside our computer? Please Help! Thanks in advance.

    1. MaryHenry

      “12 friends” was the hard-coded count in the email I received. I have far more than 12 friends associated with that account. I’d dismiss it as coincidence.

      1. Tim Win

        Thanks Mary!!! We will sleep better tonight…

        1. Mark M

          The clock that is stopped is right twice a day!

  10. MaryHenry

    My daughter and I both received similar scam emails for the first time today. She was still using the same password for a credit union account, but mine was old. Based on the feedback here, we figured it went back to an old data breach, probably MySpace 2008.

    I like her take … she pointed out that, until she received the scam email, she hadn’t been aware that that particular password had been compromised. She figures they did her a favor by bringing that to her attention so she could update any remaining instances where she used it.

  11. EricC

    I got this just this morning. The password was one I used to use back when we thought a 6 digit password was good enough and re-used said password for multiple sites. In other words 1997. I did spend an hour resetting a couple of passwords, just in case.

  12. Jim

    I received the same email attempting to extort $2900 today. The “pass word” indicated in the message was only ever used for an old Text Link Ads account, which is now owned by MatomySEO.

    Password changed, scam reported to Matomy, FTC and IC3.

  13. Simon

    I got a $1900 one on Jul 12. I’m in the UK. The BTC A/c is 1PMt2FWHb1yK8VHDzDsw4joonxzAXuXMMf

    The data breach source was AVAST forum. The email address (avast@[my domain]) that received the sextortion email was, as is evident, unique to Avast. I stopped using Avast quite some time ago.

    1. mike

      Have just started using Avast on my MacBook! The email had me shaking for 30 minutes or more. Only calmed down when I found this page. Horrible. I don’t porn but the fact they had the right password and name is creepy. I really thought they could see my every key stroke. Cleverly written letter.

  14. Guy B. Meredith

    I got the email July 11.

    You folks got off cheap. My blackmailer wanted $3900. Is there some technical reason the amounts are all 4 figures with 900 being the last three?

    The password was one I use for specific forums. I don’t have a web cam which is one of the clues they were talking out their posterior orifice. Couldn’t care anyway. Giving in to blackmailers just tells them it will work again. And again. And again.

    I sent off extended header and message to FBI’s IC3 and a Federal Phish email tracking agency. Seems it is a Federal offense to commit crimes via internet.

  15. Mike B

    Writing this ONLY as a public service. I feel so dam dumb! I’ve been a consultant for 34 Years (Prehistoric! mostly telecom, but still…), Got the email wanting the $2900. Yep, Very old 6 digit password is correct. AND I tell others what to do, AND how secure I am. In checking it’s the one I’ve been using, since May 2008, on my DAM PASSWORD MANAGER!!! GEEZ. Reevaluate, Recheck, Take NOTHING for granted! Hate to say it, but in 10 years everything has changed. One overlooked mistake can cause Havoc & Disaster. Thanks for listening.
    “sheepish” Mike

  16. Marc

    Spoke to Action Fraud last evening. They already got many complaints on this.

  17. Philfy Phil

    This upset my Wife this morning. I hope the perpetrators of this scam die a slow death! Similar to MaryHenry, it worked well for us as it gave us an opportunity to review our internet security.

  18. P

    Did anyone see this on an episode of Black Mirror? Except in that episode, they weren’t asking for Bitcoin, it was much more dystopic than that. Definitely worth watching though.

    1. Josh Greenberg

      I don’t think this would have bothered me nearly as much if I hadn’t seen that episode.

  19. B

    Got one too – but I’ve been on the adult site they refer to….oops!

  20. Dan

    Interesting. I received such an email and did some checking around. First off I am wondering if anyone uses Jive communications? Mine was an old password but I suspect some form of data breach at Jive (which has a data center in Guatemala). Secondly I noticed someone tried to access my Facebook page using an iPhone in Ohio. As a result I set up two step security.

  21. Andy Ellarby

    I got one too, old password, and my PC at home has been switched off for three weeks as I am on vacation.

    The scammers reference RDP, but Windows 10 home edition does not have that functionality installed.

    I just deleted it.

    1. timeless

      I think the scammers are using RDP in a generic sense to scare people in a way people understand.

      Like most of the others, I doubt their claims are accurate. But, from a technical perspective, there are hacks and hackers who can get software into computers which does screen scrape/provide remote viewing. Telling someone “there’s a remote access Trojan on your computer” would probably be less effective, since the target audience would probably be more likely to think of that second term as a prophylactic…

      Note that there is other public software that speaks RDP, including VirtualBox.

  22. sam

    I can confirm this address is also involved:

    1BsbsB92VLVQgNCQaLo7Z6LvS31CANJKpd

  23. Eileen H

    Yes, I have received one this morning and also one a couple of weeks ago. I don’t visit porn sites so I know he has nothing on me. Plus this person doesn’t do their homework very well, because I don’t deal in Bitcoins at all. I am calling the FBI though, as mentioned above.

  24. Ken

    I looked up the ones I got on HIBP, and the breach that they all had in common was the Anti Public Combo List…

  25. Richard

    Got the exact email on Monday July 9. I ignored it, sending it to spam folder. Got another one yesterday, July 12. Sender doubled down on the Bitcoins amount, giving another 24 hours to pay. Thank y’all for the great info on this subject…

  26. Andy Lester

    Something else to point out to someone who thinks this might be real: If they really did have incriminating video of you, why didn’t they send an image from the video?

  27. jbmartin6

    The lesson here is clear: only watch porn on someone else’s computer

  28. Eileen H

    I did call my local FBI. So if anyone is interested in catching this fraudster(s) you can go to:
    http://www.ic3.gov and fill out the complaint form.
    Mine’s already done!
