Back in July, Krebs on Security reported on a rather novel scam, where the threat actor would use credentials from old data dumps to suggest that they had directly hacked the victim and obtained the victim’s presumably sensitive browser history. Stolen credentials aside, sex-based extortion scams are actually fairly old and not all that sophisticated. A user on the Malwarebytes Forums recently reported a classic variety of the scam:
Hello. Don’t consider on my grammar, I am from China. We loaded our virus on your OS. Now I thiefted all personal data from your device. In addition, I have some more evidence. The most amusing compromising which I have- its a videotape with your masturbation. I put malware on a porn website and after you downloaded it. When you picked the video and clicked on a play, my deleterious soft instantly downloaded on your Operating System. After adjusting, your web camera shoot the videotape with you self-abusing, furthermore I captured the video you chose. In the next few days, my deleterious soft collected all your social and work contacts.
The threat actor then goes on to list a Bitcoin (BTC) address that the user is supposed to pay in return for their compromising data being deleted. These messages can sound intimidating, especially if the scammer is able to add details about the victim gleaned from public data. As a result, the scam is rather lucrative. Bitcoin Who’s Who covered the scam listed above, and some Bitcoin wallets running variants of it have received hundreds of transactions.
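As an added example (not part of the Malwarebytes post or any product's detection logic), here is a small triage script a mail-filtering or SOC team could run over incoming messages. It scores the claim set the scam above relies on (planted malware, a webcam recording, an adult site, a threat to contacts, a Bitcoin demand) and checks whether any Bitcoin address in the body is actually payable by verifying its base58check checksum, since a scam of this kind cannot work without a valid address to pay. The indicator list, the threshold, the helper names and both sample messages are constructed for illustration.

```python
"""Heuristic sextortion-email triage (constructed example).

Scores a message on the claims the classic scam makes and on whether it
carries a Bitcoin address whose base58check checksum verifies.
"""
import hashlib
import re
from dataclasses import dataclass

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH/P2SH (base58check) addresses, plus bech32 (format only; the
# bech32 checksum is not verified here).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b"
)

# Hypothetical indicators: one regex per claim the scam email typically makes.
INDICATORS = [
    ("malware_claim", re.compile(r"\b(malware|virus|trojan|spyware)\b", re.I)),
    ("webcam_claim", re.compile(r"\b(web ?cam(era)?|camera)\b", re.I)),
    ("video_claim", re.compile(r"\bvideo(tape)?\b", re.I)),
    ("adult_site", re.compile(r"\b(porn|adult|xxx)\b", re.I)),
    ("contacts_threat", re.compile(r"\b(contacts|friends|family|colleagues)\b", re.I)),
    ("password_lure", re.compile(r"\bpassword\b", re.I)),
    ("payment_demand", re.compile(r"\b(bitcoin|btc|wallet)\b", re.I)),
]


def base58check_encode(payload: bytes) -> str:
    """Append the 4-byte double-SHA256 checksum and encode in base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    # Each leading zero byte is represented by a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the first 4 bytes
    of double-SHA256 over the first 21 (version byte + 20-byte hash)."""
    n = 0
    for ch in addr:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    leading_zero_bytes = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zero_bytes + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def corrupt_last_char(addr: str) -> str:
    """Flip the final character so the checksum no longer verifies."""
    return addr[:-1] + ("a" if addr[-1] != "a" else "b")


@dataclass
class Verdict:
    score: int
    matched: list          # indicator names that fired
    addresses: list        # (address, "valid" | "bad_checksum" | "format_only")
    suspicious: bool


def triage(message: str, threshold: int = 4) -> Verdict:
    """Score a message; a verified-payable address is the strongest signal."""
    matched = [name for name, rx in INDICATORS if rx.search(message)]
    score = len(matched)
    addresses = []
    for addr in BTC_ADDR_RE.findall(message):
        if addr.startswith("bc1"):
            status = "format_only"
        else:
            status = "valid" if base58check_valid(addr) else "bad_checksum"
        addresses.append((addr, status))
    if any(status == "valid" for _, status in addresses):
        score += 3
    return Verdict(score, matched, addresses, score >= threshold)


# Constructed sample address: version byte 0x00 + an arbitrary 20-byte hash.
SAMPLE_ADDRESS = base58check_encode(b"\x00" + hashlib.sha256(b"constructed").digest()[:20])

# Constructed sample messages (not taken from any real campaign).
SCAM_SAMPLE = (
    "Hello. We loaded our virus on your OS from a porn website. Your web camera "
    "recorded a video of you and my malware collected all your contacts. "
    f"Send 0.5 BTC to {SAMPLE_ADDRESS} or the video goes to everyone."
)
BENIGN_SAMPLE = (
    "Hi team, the weekly bitcoin market summary is attached; the password for "
    "the PDF is in the usual vault. No action needed."
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(msg))
```

The address check matters more than the keyword hits: wording varies from campaign to campaign, but an address that fails its checksum cannot receive funds, so a message carrying only an invalid one is more likely a mangled forward than a live extortion attempt, while a verified address is what the analyst should record and, where the scam is confirmed, pass along with the report.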
Someone who had actually gained access to compromising photos would most likely not reveal themselves to a victim for any reason, and would never delete the data. Further, the most common interaction between real extortionists and their victims is to compel further compromising pictures—not shut off the data flow permanently by demanding money. So if you get an extortion email similar to that posted above, the threat is most likely an empty bluff.
But they have my password!
Change your password, and continue not engaging. Most passwords seen in these scams appear to be drawn from previously leaked databases compiled from old breaches—often years old, in fact. If an attacker had genuinely hacked your password, there are more lucrative, faster-paying options for them than sending an extortion email. If you receive an email that references a password you currently use, it’s time to both change it and consider a password manager, which reduces the odds of an easily-cracked password being leaked to begin with.
But they have pictures of me!
In this case, you’ve got more than a scammy phishing email on your hands. Call the police, and if you’re in the United States, report the threat to the FBI. Sex-based blackmail of this sort most commonly targets minors and other vulnerable populations, making it of the utmost importance to not engage with the actor and report to authorities immediately. Do not pay any requested ransom, and do not send any further information or pictures to the scammer.
Sex-based extortion schemes are not the most technically sophisticated we see, but they do tend to be psychologically damaging, as the voyeurism of these criminals amounts to a massive invasion of privacy. The scammers sending out these faux sextortion emails, then, are merely using the potential for this kind of psychological damage to drum up enough fear in recipients to overcome their good sense. The important takeaway from the scams referenced above is to never engage and to report to local authorities as soon as you can. Stay safe, and stay vigilant.