July 12, 2018

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: my guess is that the perpetrator has created some kind of script that draws usernames and passwords directly from a data breach at a popular Web site that happened more than a decade ago, and that every victim whose password was compromised in that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that site with a similar message and a current, working password. Tech support scammers may also begin latching onto this method.
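As an added example (not code from the post), the following Python flags a message that matches this template and pulls out the artefacts a mail gateway or help desk would act on: the password the scammer claims, the payment address, and the demanded amount. The sample message is constructed from the template quoted above; the password, amount and indicator weights are placeholders, and the Base58Check routine only tests that an address is well-formed.

```python
import hashlib
import re
# Constructed sample assembled from the template quoted in the post; the password
# and dollar figure are placeholders, the address is the string shown in the post.
SAMPLE_EMAIL = """I'm aware that hunter2-example is your password.
You don't know me and you're thinking why you received this e mail, right?
While you were watching the video, your web browser acted as a RDP (Remote Desktop)
and a keylogger which provided me access to your display screen and webcam.
Well, I believe, $1400 is a fair price for our little secret.
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
You have 24 hours in order to make the payment. (I have an unique pixel within
this email message, and right now I know that you have read this email).
"""
# (name, pattern, weight); weights are illustrative, not tuned on real mail flow.
INDICATORS = [
    ("password_claim", re.compile(r"(?:aware|know) that (\S+) is your password", re.I), 4),
    ("btc_address",    re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"), 3),
    ("tracking_pixel", re.compile(r"\b(?:unique|special) pixel\b", re.I), 2),
    ("case_sensitive", re.compile(r"case\s+sensitive", re.I), 1),
    ("spyware_claim",  re.compile(r"\b(?:rdp|key ?logger|webcam)\b", re.I), 2),
    ("deadline",       re.compile(r"\b(?:24 hours|48 hours|two days)\b", re.I), 1),
    ("ransom_amount",  re.compile(r"\$\s?(\d{3,5})\b"), 1),
]
THRESHOLD = 8  # summed weight at which a message is flagged
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def btc_checksum_ok(addr):
    """Base58Check well-formedness of a legacy address: last 4 bytes == SHA256d(payload)[:4]."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' is 0x00
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

def analyze(email_text):
    """Score one body against the template and extract the artefacts an analyst acts on:
    the claimed password (which breach leaked it?), payment address, demanded amount."""
    text = email_text.replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')
    result = {"indicators": {}, "score": 0, "claimed_password": None, "btc_addresses": [], "amount_usd": None}
    for name, pattern, weight in INDICATORS:
        hits = pattern.findall(text)
        if not hits:
            continue
        result["indicators"][name] = len(hits)
        result["score"] += weight
        if name == "password_claim":
            result["claimed_password"] = hits[0]
        elif name == "btc_address":  # (address, checksum_ok) pairs
            result["btc_addresses"] = [(a, btc_checksum_ok(a)) for a in hits]
        elif name == "ransom_amount":
            result["amount_usd"] = int(hits[0])
    result["verdict"] = "sextortion" if result["score"] >= THRESHOLD else "clean"
    return result
```

Running `analyze(SAMPLE_EMAIL)` returns a "sextortion" verdict with the claimed password and address extracted, which is what a help desk needs to tell the user which old credential leaked and to retire it everywhere it was reused.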

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).


1,076 thoughts on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. Wayne Morrison

    Received one of these this morning also, asked for $1600. I don’t think the password mentioned was ever used by me, but if so, it was a long time ago. Probably will call FBI also. I don’t have a cam on my computer.

  2. John

I just received a similar email today from a “Kassey Alwine”. Obviously it’s a fake name, but it did shock me for a moment, being that they did quote a correct password I used in the past (and still use on sites I don’t care much for). That will now change.

    This individual gave a BTC address and demanded $1200. I’m sure many people will fall for this – I work in fraud and immediately looked at my colleagues: “If you receive a video of me I’m either sorry or you can thank me later.” 🙂

  3. Zac

I find it so funny, all those people specifying that they aren’t worried because they don’t watch porn.
Probably any non-porn-related extortion would work instead.

  4. Andara

    I got this scam a few days ago, and the password they grabbed was one that I used specifically for Pandora.

    They wanted $2900 out of me. Interesting to see the amount changes from target to target.

    Two people at my workplace also got it on their work email, and again, it was a password from ages ago that is no longer in use by anyone here.

    I second reporting the extortionists to the FBI.

    Bitcoin isn’t nearly as untraceable as some of the holders think it is and it would be nice to see these people nabbed.

  5. Michael

We had a few users receive this phish. Best I can tell, the commonality was they all had accounts with a specific cell phone carrier, suggesting that was the hacked account source. Also interesting to note that further down in the message there appears to be ‘poison’ hidden text to foul your Bayesian filtering, if that is employed by your spam filter.

    1. ShadowMan

      Bravo!!! The vicarious thrill alone was worth the price of admission.

  6. Ave

    Got the email with small variation. Here is my input. IF someone supposedly takes your computer over “While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, social networks, and email. “, you would think it would be fairly easy to get your banking info with password (cookies, caches), versus recording camera and screen, and collecting emails. If they are this sophisticated, why don’t they just log into your bank account and transfer the money themselves?

Also, I checked https://haveibeenpwned.com, where you can enter your email address, and it tells you how many data breaches your email address is in, and what they collected. My email was on the Dropbox 2012, Bell 2017, LinkedIn 2016 hackers’ lists. So, there you have it. Those emails were up for sale, and these scammers are simply sending these emails to all, throwing it like mud at a wall, and hoping some will stick. Apparently it does!

  7. Nick

Got the same email too. Wanted $2900. Password was a very old one, must be 10 years old or older. If my camera on my mobile was ever compromised it would be me on the toilet, since that is the only free time I have these days. Porn, what’s that? No time for that either….lol

I hope the FBI and DHS get these crooks…

Email came from a Sean Harnden

    BTC Address: 18v6YPVEb8yxcPfAgV4rcuQu43LAHZhYxn
    (It is cAsE sensitive, so copy and paste it)

    1. Nate

      Perception is merely a reflection of reality across the distorting mirrors of the mind.

    1. Annette

      Also noticed the similarity to the methods used by Russian hackers (see text of latest Robert Mueller indictments.)

  8. vb

    I didn’t get one. I feel left out. https://haveibeenpwned.com/ reports that I’ve been breached in Adobe, Dropbox, and LinkedIn hacks. In addition to the Yahoo account hack that I know about.

    I’ve had the same email address for about 15 years. It’s been used all over the net. I wonder why I didn’t get this email? The only thing that I can think of is that I’ve never had a MySpace account.

    1. Annette

      I rec’d the scam email, and have never had a MySpace account.

  9. JohnD

    Received this e mail yesterday. In checking, it appeared to be an old password from Golfnow.com

  10. Vicki Hood

    I received this e-mail yesterday. The part that was most unnerving about it was seeing one of my passwords in the e-mail and the threat that they may have my contact list.

    It was a good wake-up call that I need to be more careful about my overall internet and computer security so maybe they did me a favor after all!

    I sure do miss the way life was when we could trust most people to do the right thing. It’s beginning to feel like it’s the exception rather than the norm and that is sad.

  11. Alex

    Received the very same e-mail. In my case the referenced password was a (site specific unique one) that I used on LinkedIn a few years back.

  12. Andrea

    I just got this email today and instantly went searching so thanks for this article. In my case it also was a password that I have not used in YEARS and have camera covers on all my laptops. My only “misadventures” would be googling random stuff like the goliath spider or screaming goats and then making weird faces. Nonetheless, I’m glad others are publicizing this so that hopefully others won’t fall for it.

  13. Sven

    Just got one, too, from Elvis Butler

    Amount to be sent: $ 1900
    Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ

    Password mentioned was indeed one of my first ones for quite some time, but I’ve been using very strong unique and cryptic passwords across the board with a password manager for years now, so I positively know that this is a scam.

    I hope they will get those lowlifes and push them over a cliff somewhere. Without a doubt enough people will pay for them to make the effort worthwhile, just as with any other scam.

  14. MT

    Same email received – BTC address: 1KjxgUYw2QC53ZiGeAG9uohcSSRUWsSsQA

  15. Richard Forte

    I got 1 sent out 8PM tonight. I don’t even have a webcam.

  16. John

    Received one earlier today as well. No webcam on my PC.
    BTC address: 1KjxgUYw2QC53ZiGeAG9uohcSSRUWsSsQA

  17. Tim

    I got one variation of the email today. It looked so credible, but after reading this blog I’m at ease.
Bitcoin address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ

    1. Saul

I got a similar email, 7/14/18, with the same Bitcoin address. Receiving Bitcoin Address: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ

      1. Tim

        Saul, Do you have a sample of the body of the email? I want to compare.

        “It’s just your bad luck that I came across your bad deeds. In fact, I placed a malware on the adult vids (sex sites) and you visited this website to have fun (you know what I mean). When you were busy watching video clips, your web browser started out working as a Rdp (Remote desktop) with a key logger which gave me access to your display screen as well as webcam. Just after that, my software gathered every one of your contacts from your fb, and mailbox.

        Next, I put in more time than I probably should have looking into your life and generated a double-screen video. 1st part shows the recording you had been viewing and other part displays the recording from your cam (its you doing nasty things).

        Frankly, I am willing to forget about you and let you continue with your daily life. And my goal is to give you two options that may accomplish that. These two choices are to either ignore this letter, or simply pay me $1900. Let’s understand above 2 options in more detail.

        Option 1 is to ignore this message. Let us see what will happen if you take this option. I will certainly send your video recording to your entire contacts including family members, colleagues, etc. It does not shield you from the humiliation your household will feel when friends and family learn your dirty videos from me.

        Option 2 is to make the payment of $1900. We’ll name it my “privacy tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your routine life as if none of this ever happened.

        At this point you may be thinking, “I will call the cops”. Without a doubt, I have taken steps to ensure that this e-mail can’t be traced to me plus it will not prevent the evidence from destroying your life. I’m not trying to steal all your savings. I am just looking to be compensated for my time I put in investigating you. Let’s assume you’ve decided to generate this all vanish entirely and pay me the confidentiality fee. You will make the payment via Bitcoin (if you don’t know how, type “how to buy bitcoins” in google search)

        Amount to be sent: $1900
        Bitcoin Address to Send to: 19aJnFC6UdNjiMRtP766hVsn7Wg4KXQHbZ
        (It’s CASE sensitive, so copy and paste it)

        Tell no one what you will be utilizing the bitcoin for or they might not provide it to you. The task to acquire bitcoin will take a day or two so do not wait.
        I’ve a special pixel in this e-mail, and now I know that you’ve read this email message. You now have two days in order to make the payment. If I do not receive the Bitcoins, I will, no doubt send your video recording to all of your contacts including close relatives, colleagues, etc. You better come up with an excuse for friends and family before they find out. Having said that, if I receive the payment, I’ll destroy the video immediately. It is a non-negotiable offer, so please do not waste my time & yours. Your time is running out.”

  18. Tim

    This is a sample of the text:

    “More to the point, I know your secret and I’ve evidence of this. You do not know me and no one paid me to investigate you.

    It’s just your bad luck that I came across your bad deeds. In fact, I placed a malware on the adult vids (sex sites) and you visited this website to have fun (you know what I mean). When you were busy watching video clips, your web browser started out working as a Rdp (Remote desktop) with a key logger which gave me access to your display screen as well as webcam. Just after that, my software gathered every one of your contacts from your fb, and mailbox.

    Next, I put in more time than I probably should have looking into your life and generated a double-screen video. 1st part shows the recording you had been viewing and other part displays the recording from your cam (its you doing nasty things).

    Frankly, I am willing to forget about you and let you continue with your daily life. And my goal is to give you two options that may accomplish that. These two choices are to either ignore this letter, or simply pay me $1900. Let’s understand above 2 options in more detail.

    Option 1 is to ignore this message. Let us see what will happen if you take this option. I will certainly send your video recording to your entire contacts including family members, colleagues, etc. It does not shield you from the humiliation your household will feel when friends and family learn your dirty videos from me.

    Option 2 is to make the payment of $1900. We’ll name it my “privacy tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will destroy the recording immediately. You keep your routine life as if none of this ever happened.

    At this point you may be thinking, “I will call the cops”. Without a doubt, I have taken steps to ensure that this e-mail can’t be traced to me plus it will not prevent the evidence from destroying your life. I’m not trying to steal all your savings. I am just looking to be compensated for my time I put in investigating you. Let’s assume you’ve decided to generate this all vanish entirely and pay me the confidentiality fee. You will make the payment via Bitcoin (if you don’t know how, type “how to buy bitcoins” in google search)

    Tell no one what you will be utilizing the bitcoin for or they might not provide it to you. The task to acquire bitcoin will take a day or two so do not wait.
I’ve a special pixel in this e-mail, and now I know that you’ve read this email message. You now have two days in order to make the payment. If I do not receive the Bitcoins, I will, no doubt send your video recording to all of your contacts including close relatives, colleagues, etc. You better come up with an excuse for friends and family before they find out. Having said that, if I receive the payment, I’ll destroy the video immediately. It is a non-negotiable offer, so please do not waste my time & yours. Your time is running out.”

  19. Brian F

    Received mine this afternoon.

    From: Waldo Litt

    Amount to be sent: $2900
    Receiving Bitcoin Address: 1DcVgcbYZGuba9SDCmGMW2w6URtue2G8hm

    Originating-IP: [40.92.2.34]

  20. KS

    Got the email today….similar in nature
    From Alfreda Kittle
    Password referenced in the subject is so old it’s not used anymore.

    Amount to be sent: $2900
    Bitcoin Address to Send to: 1PjUiw2oesScKsba9uwVanMPzpzr3Fn1DX

  21. WhatZeFlop

I’ve received such scam mail. Now I’m wondering if possessing and processing such data is sanctionable under the GDPR. Millions of EUR > some thousands of USD. 😀

  22. katkool

Thank you for your post. Received a similar email this morning and spent most of the day trying to find out how to report the issue and identify the probable root cause. Checked all my accounts with the specified user ID, and changed all passwords. I am also shutting down accounts I do not use often. These days, less is more.

Sender was: Dong Corkery

    Receiving Bitcoin Address: 16Cq8aSzMvr9SigEE4Lmnp1dTURancp1YY
