An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.
This week, several readers reported receiving sextortion emails that addressed them by name and included images of their street or front yard that were apparently lifted from an online mapping application such as Google Maps.
The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all of your contacts unless you pay a Bitcoin ransom. In this case, the demand is just shy of $2,000, payable by scanning a QR code embedded in the email.
Following a salutation that includes the recipient’s full name, the start of the message reads, “Is visiting [recipient’s street address] a more convenient way to contact if you don’t take action. Nice location btw.” Below that is the photo of the recipient’s street address.
The message tells people they have 24 hours to pay up, or else their embarrassing videos will be released to all of their contacts, friends and family members.
“Don’t even think about replying to this, it’s pointless,” the message concludes. “I don’t make mistakes, [recipient’s name]. If I notice that you’ve shared or discussed this email with someone else, your shitty video will instantly start getting sent to your contacts.”
The remaining sections of the two-page sextortion message (which arrives as a PDF attachment) are fairly formulaic and include thematic elements seen in most previous sextortion waves. Those include claims that the extortionist has installed malware on your computer (in this case the scammer claims the spyware is called “Pegasus,” and that they are watching everything you do on your machine).
Previous innovations in sextortion customization involved sending emails that included at least one password the recipient had previously used at an online account tied to their email address.
Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.
According to the FBI, here are some things you can do to avoid becoming a victim:
- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.
The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).
I received an email of this sort just this morning and will now be calling the FBI.
Thanks for the info
Man I sure hate when a million dollar NSO tool hacks me just to see my pp. Could the dirtbag come up with a better malware name? Probably not, cuss they’ve never used malware and couldn’t set it up if they wanted to.
Thank you for keeping us informed as this type of scam keeps evolving.
Got this same one today, had a small panic because the street view picture was almost an exact match with a picture I had taken of my backyard showing off some dumping my neighbors had been doing. Thankfully it was my old address and just a street view image.
They’re definitely getting clever
Why does a hacker do this? Because it works. It might not work for the people reading this article, but there are a lot of people who will panic and send this guy money. “There’s a sucker born every minute” is a phrase closely associated with PT Barnum, an American showman of the mid-19th century.
I get probably one of these per week mostly at my outlook account that is really bad at filtering spam. But in all honesty this is quite stupid. If they had the compromising photos that they claim they have wouldn’t they send you one of those photos instead of a Google street view? This probably hits the lowest of denominators as scams are concerned.
Dennis, these attacks are not the same. It is dangerous to say they are. These make it look like they’re standing directly in your driveway sometimes. Especially the ultra-targeted ones. Please don’t down-play the importance of the minor difference in this threat. It’s not minor, I can assure you. National Public Data was breached. This is the biggest security threat to the US and no one is talking about it.
The fact that the first email that comes in is just text of accurate information about the target essentially forces them to open the email. Please read my LinkedIn Post. If you learned something new, share it. This is a major disaster.
https://www.linkedin.com/feed/update/urn:li:activity:7236734330151084032/
I get annoying snail mail from “we want to buy your house” clowns all the time with a Google Street View photo. I doubt these people pay Google a nickel.
Regarding viewing online cameras, there are Google Dorking tips on how to find cameras that are not password protected.
This is a website of insecure cameras. I think the creators long left the website since so many links don’t work. But they made their point.
http://www.insecam.org/
A secure camera like an Axis is $500 on up. These homeowners are using made in China cameras at a tenth the price.
Yep — got a call from my brother earlier this AM for the very same thing.
We decided that going to the local authorities was a place to start but after reading this, I’m telling him about this timely note and the advice to contact the FBI.
My neighbor got one. They sent a picture of a neighbor’s house. Coincidently or not, we noticed someone in the neighborhood a couple weeks prior taking pictures. When confronted they stuttered, said they were taking pictures for their mother, and left. We have heard stories of scouts hired by looters to document homes, cameras, and lights. Figured this was it, but maybe not.
Check Google Maps Street View. I got the same email and the photo was 100% match with shadows and plant sizes and everything to the one on Street View. They also took a picture of adjacent building too.
Yet another reason to blur the image of your home on Google Maps.
exactly
I’m curious, are there a large number/percentage of such scams where a stranger perpetrator actually has what they claim to have and actually do distribute? I don’t read many stories about that, but if they’re out there, I imagine it would make people more likely to think it’s a genuine threat and not just a mass scam hoping you’ll panic and pay.
If it is rare that this happens for real (the private content distribution), then I suppose hackers could use botnets to spread such stories and accounts on social media to keep it seeming plausible and salient.
This reminds me that our elders are usually much smarter than we are. Last year, my best friend’s grandmother’s photo showed up in a Google maps image of her neighborhood. The picture was very clear and it was obvious that it was her walking through the neighborhood. We both thought it was cool but when we texted her the photo she got really upset. I ended up having to contact Google to ask them to blur the image — which they did almost immediately upon request.
Well done, Anna! Glad you took the initiative to help her with that. This is vastly different now that the National Public Data background check company was breached with basically every record of every US Citizen onto the Dark Web. I made a post 2 hours ahead of these guys on my LinkedIn:
https://www.linkedin.com/feed/update/urn:li:activity:7236734330151084032/
I just received one of these messages this morning – very unsettling! Came from a Gmail account and did not, I repeat, did not hit my spam box (also Gmail). This fact alone means Google needs to do more to stop the abuse of their platform.
One clue that it is a scam is the claim to use Pegasus. Pegasus is only sold to governments, military, and police. At that it is very expensive, reportedly over $1,000 per use. The idea that some hacker has it is VERY unlikely.
A study by Thorn in partnership with the National Center for Missing & Exploited Children (NCMEC) examined more than 15 million reports made to the NCMEC CyberTipline from 2020 to 2023 to pinpoint sextortion cases. This heinous crime can affect any age group, but this report was focused on the sextortion of minors. The study found:
The vast majority of victims of financial sextortion submitted to NCMEC are male teenage victims; of minors in the NCMEC data with both age and gender, 90% were males between 14 and 17.15.
Historically, sexual predators would extort explicit images from victims, which they would use for their own perverted purpose or to trade with other sex offenders. This study found an average of 812 sextortion reports per week in the last year of data analyzed, “with reason to expect that the vast majority of those reports were financial sextortion.” At 812 reports per week, that amounts to 42,224 in a year. The majority of reports were received from Instagram, and the report noted … “there are reasons to worry whether other platforms are underreporting.” This crime is often discovered tragically, not through NCMEC reports, but when a sextortion victim commits suicide, and digital evidence is found on their devices as parents and law enforcement search for answers. As is often the case with cybercrimes, the offender and the victim don’t even have to be in the same country. The report identified two countries from which sextortion perpetrators are often operating, Nigeria and Cote d’Ivoire.
Art Bowker, coauthor of Surviving a Cyberattack
Securing Social Media and Protecting Your Home (Oct 2024)
Same exact thing with me!
I’m moving in the direction of using only aliases on the Internet based on the first and last name lists from the census.
For example, my Facebook account is not under my real name. I use it to check the daily special at some nearby restaurants. It is kind of surprising to see some of the suggestions for Facebook friends that I receive — a number of them are various relatives of mine! Their ability to do that is rather shocking.
Are we all receiving these emails on this exact day this morning? If I were a scammer I’d at least change it up a little? But my question is do we really have to contact the FBI? Can we just let people know that nothing will happen if you don’t send the money. Like they didn’t ACTUALLY hack into your phone and have videos of you about to send to all your family. I knew it was a scam when they didn’t provide proof of the videos lol.
Yep. Just received this email within the hour. It’s just insightful because I am a cybersecurity professional and deal with this stuff on behalf of our clients.
I guess the FBI will be getting a call from me.
Many moons ago, when the going rate was $500ish, I asked the person on the other end what my $500 was buying me. That I wanted some significant post-production on that alleged video at that price. Lens flare. Filtering. I wanted 20 pounds taken off. He went away – never heard back, nor did any of my contacts.
Pretty much this….
https://en.wikipedia.org/wiki/Shut_Up_and_Dance_(Black_Mirror)
I received one of these this morning and my blood ran cold before my half awake brain finally registered it as a scam. With AI these scams will get more and more elaborate.
So helpful that you guys are with me I worked as a certified nurse aide and got this email and the whole job was adult brief changing and I was just like … is this my punishment for doing this
Got one yesterday. I figured it was a scam and disregarded it. Got a weird text today and said I’m not who u r looking for. They were trying to strike up convo. My kid comes in after school and complains that he hates school, I hate it here. Next thing I know, the text said why do u hate it here. So weird and unsettling. I think they had control of my mic. I will report to the FBI. Scary!
let me guess.. you have a shaft and tennis cajones?!
we are like this.. son!
i could spot them in a crowd stadium, like if they were a needle in a haystack
i like pickles..
huu?.. what?
Ahhh.. i’ve seen it already, no bitcoin for YOU!!!
Soo0 glad i accidently mass emailed all my family and coworker money
shot pics last week.
guess NOO buttcoin for you hackers!!!
Score one for toxic behavior!?
I got the same message yesterday, it shook me up a lot but it’s sad people have really resorted to trying to scam people out of their hard earned money and going as far as sending a person a picture of their address really sad. smh.
Yep, got this exact one yesterday (it comes with a brief message and an attached PDF). The Google Maps photo however is obvious and much like in your example above, it’s only as good as what’s been provided. In my case it was an outdated photo and it pointed at a view from near my home rather than one of my home. Clowns! Pretty lame scam overall but definitely maddening that it might work on the less initiated.
Got one of these several days ago. It was threatening based on the home picture, cell number and address. If you check the properties of the email you will discover the outbound IP address has been reported for fraud before. Don’t pay these people with Bitcoin or anything else. I have a family member in the FBI and they are being overwhelmed with this stuff. Hard to catch anyone because the email address is usually bogus.
I too received this email today. It ruined my day. I thank you all so very much for sharing your experience so my panic could be put into perspective. The email I received (from Teri) was exactly as described with a house photo lifted from a real estate listing from three months ago.
These scams are killing people. Last year, young students, both high school and college, were scammed to the point of committing suicide. There are no words to describe the cruelty of the scammers.
Thank you to the creator of this article, Karen’s on Security, and to the generous people who shared their thoughts and experiences.
Sorry, it’s “Krebs on Security” who is to be thanked.
Krebs on Security is to be thanked.