Sextortion Scam Uses Recipient’s Hacked Passwords

I am a fan of Kerb’s work and found he did a write up on an email I received a few weeks ago. In summary, the email I received in the subject had “your password is (my password), which was a really old password I have used in the past for accounts I don’t care about aka its a weak password. The email went on to make huge claims like they put malware on my computer, installed a remote desktop client (RDP), keylogger, enabled my camera, put on split screens, recorded me watching porn and have compromised my social media accounts. I was supposed to pay them a few hundred dollars in bitcoin or all of my contacts would get this video. They even added, “image what your wife or girlfriend would think”. Nice touch.

Funny thing about my situation is the computer I use has a sticker over the camera since I never use it. I also have multifactor authentication for everything I use. So it is impossible for this happen if all of these attacks indeed work. But even if my camera and social media accounts could be compromised, the attacks being described are close to impossible to do on modern systems that are fully patched.

Let’s look at the attack in more detail. First, I would have to have malware installed on my system, which is possible. Next, that malware would have to be able to install a RDP session “from the browser” … which I guess is like a browser vulnerability being exploited? Maybe using BEeF? Next, a keylogger was installed that could export my keystrokes to get my password. Somewhat possible but now we are talking about a LOT of moving parts. Next, my camera was enabled and a split screen was set up so you can see what I was watching and me at the same time? Ok, now we are entering magic land but sure. Next, my social media accounts were compromised. Well, most social media accounts will ask you to authenticate if you are not on a trusted system. So if the attacker attempted to do this, an alert would go out even if they have your password. An attacker with an active RDP session may claim they could use your trusted computer to access social media websites but that would be hard to do without being detected. In summary, this type of activity would take a ton of time to execute as well as require a lot of vulnerabilities to exist. On top of that, somebody that could pull this off would not ask for a few hundred dollars. That would be a huge waste of talent and time.

Here is the post from Kerbs that shows an example email. I agree with him that it is likely adversaries are downloading password lists from data breaches and emailing the associated accounts with this email. I have to admit it is clever. There are a lot of people that would believe this could occur and be willing to pay a few hundred dollars to make sure they don’t get embarrassed. This is fake so don’t fund this behavior.

Here is the post from Kerbs on security.

Here’s a clever new twist on an old email scam that could serve to make the con far more believable. The message purports to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom. The new twist? The email now references a real password previously tied to the recipient’s email address.

The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded. But this one begins with an unusual opening salvo:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.

The rest is formulaic:

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

KrebsOnSecurity heard from three different readers who received a similar email in the past 72 hours. In every case, the recipients said the password referenced in the email’s opening sentence was in fact a password they had previously used at an account online that was tied to their email address.

However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers.

It is likely that this improved sextortion attempt is at least semi-automated: My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.

I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real. That’s because there are a number of shady password lookup services online that index billions of usernames (i.e. email addresses) and passwords stolen in some of the biggest data breaches to date.

Alternatively, an industrious scammer could simply execute this scheme using a customer database from a freshly hacked Web site, emailing all users of that hacked site with a similar message and a current, working password. Tech support scammers also may begin latching onto this method as well.

Sextortion — even semi-automated scams like this one with no actual physical leverage to backstop the extortion demand — is a serious crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.

According to the FBI, here are some things you can do to avoid becoming a victim:

-Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
-Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
-Turn off [and/or cover] any web cameras when you are not using them.

The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).

One thought on “Sextortion Scam Uses Recipient’s Hacked Passwords”

  1. It happened with me today, and I recall the password being they sent was my LinkedIn password 6+ years ago
    Very old and weak password indeed. I remember LinkedIn had a leak years ago, so they might now have started using this

Leave a Reply to Jack Cancel reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.