Scam Alert: Sextortion Email Using Real Passwords
By INFOGRESSIVE ENGINEERING TEAM | July 13, 2018
In the past 48 hours, security operators have seen a new ‘sextortion’ message begin popping up in client inboxes almost everywhere.
The most frightening part of this message is that it lists a password either in the subject line or the first sentence. This password probably looks familiar, and if you’re one of the (too many!!!) people who reuse the same password for multiple sites (or everything), then this email seems very concerning.
We received a notification from a client that they had received something much like the following message:
I’m aware that <substitute password formerly used by recipient here> is your password.
You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.
Our customer indicated this was a password they currently used, and they were justifiably concerned that the threat was factual. We advised the customer to change all of their passwords for everything, being especially mindful to reset this password any place it was used in conjunction with the email address which had received the warning.
Upon conducting some research, we found that this customer’s password was compromised in two separate data breaches and associated with that email address as part of those breaches. We then found others who had received that same email—some indicating it was their current password which was compromised, others indicating it was a password they had used one time on one system years ago, but had long since been changed.
Our hypothesis is that the scammer has accessed data from a breached site and is mass mailing this threatening message to all email addresses contained in that data in order to extort money in the form of Bitcoin. This hypothesis seems to be borne out by the facts above.
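One way a mail administrator could flag the message quoted above at the gateway, added here as an example and not Infogressive's own tooling: it looks for the traits the message shows (a password claim, a deadline, an exposure threat, a Bitcoin demand) and only counts a wallet address whose Base58Check checksum verifies. The signal names, patterns, threshold and sample message are assumptions constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy P2PKH/P2SH shape
# Hypothetical signal names and patterns, derived from the traits of the quoted message.
SIGNALS = {
    "password_claim": re.compile(r"\bis your pass(word|phrase)\b|\byour password is\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|hrs?|days?)\b", re.I),
    "exposure_threat": re.compile(r"\b(webcam|recording|video)\b.*\b(contacts|friends|coworkers)\b", re.I | re.S),
    "payment_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
}

def valid_base58check(addr):
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return raw[21:] == hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]

def triage(subject, body):
    """Return matched signals, checksum-valid wallets and a quarantine decision."""
    text = subject + "\n" + body
    hits = sorted(name for name, rx in SIGNALS.items() if rx.search(text))
    wallets = [a for a in ADDR_RE.findall(text) if valid_base58check(a)]
    # Assumed threshold: a real wallet address plus at least three of the four traits.
    return {"signals": hits, "wallets": wallets,
            "quarantine": bool(wallets) and len(hits) >= 3}

# Constructed sample. The wallet is the well-known Bitcoin genesis-block address,
# used only because its checksum is valid; the password is a made-up placeholder.
SAMPLE_SUBJECT = "hunter2-example"
SAMPLE_BODY = (
    "I'm aware that hunter2-example is your password.\n"
    "I recorded your webcam and will send the video to all of your contacts.\n"
    "Pay $1400 via Bitcoin within 24 hours.\n"
    "BTC Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_SUBJECT, SAMPLE_BODY))
```

The variant that carries the password only in the subject line will not trip `password_claim`; the other three signals plus the wallet check still reach the threshold.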
What you can do…
In order to avoid being victimized by such a scam, it’s important to take the following actions:
• Do not use the same password for multiple sites
• Change passwords regularly
• Review sites like https://haveibeenpwned.com/ in order to determine whether or not an account of yours has been compromised
• If you receive a suspicious or threatening email, do not click on any links or download any attachments. Contact your IT or security team immediately.
Thankfully this particular case seems to be a false alarm. In order to more fully protect your email system, please contact us about our Email Security solutions today.