What would you do if a stranger claimed to have compromising webcam footage of you and threatened to share it with your contacts? A new, very convincing email scam is making some users very nervous.
The Sextortion Scam
It’s as bad as it sounds. A scammer emails you saying they gained access to your passwords and then ran amok to see how much trouble they could get you into. They even show you one of your passwords to prove it (the password most likely comes from lists, found on the dark web, of credentials stolen from online businesses and services that have been hacked over the years). The scammer then says they’ve been watching what you do on your computer and recording your webcam, and that they happened to catch you at a very inopportune time. See the following example.
“You don’t know me and you’re wondering why you received this email, right?
Well, I actually placed a malware on the porn website and guess what, you visited this website to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (remote desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook and email accounts.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).”
The reader is then given the address to a Bitcoin wallet, where they are to send the ransom.
The email continues:
“You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers and so forth. Nonetheless, if I do get paid, I will erase the video immidiately [sic]. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.”
This email circulates in a few different versions in the wild, but all of them follow the same pattern and end with the same threat: fork over the cash, or everyone will see you in your most private moments.
Is This a Serious Threat?
This is a very real concern for many people, who will be relieved to hear that, no, there is no indication that these threats are for real. The first clue is that the passwords the email provides are usually a decade old, indicating that they came from some ancient database from some long-forgotten hack.
However, in some ways, this is even worse news, because this threat has made a tidy sum of money. As of July 31, the scam had brought in $250,000. Clearly, this scam has been plenty effective for the perpetrators, and this won’t deter others from following its example.
Keeping Yourself Safe from an Actual Attack
Granted, this attack is just a bluff, but a scam like this is entirely possible from a criminal who actually means what they threaten. As a result, the security lessons we can take away from this particular attack still apply.
The first thing to remember is also the first rule of passwords: Change them frequently. Again, this scam has made quite a bit of money based on a total bluff. A bluff that, paid in increments of $1,400, was worth $250,000, and counting. From this, we can infer that quite a few people who received this message had online activities they wanted to hide, and more critically, that their passwords had remained the same for all those years.
This is an excellent example of why it’s so crucial to regularly update your passwords, without repeating them. If an old database is hacked, you won’t have to worry if your password is revealed, because it won’t be any good anymore.
The second thing to remember? If you aren’t actively using your webcam, keep its lens covered up.
The third thing to remember? Don’t open email attachments from people you don’t know, and in general, be wary of opening attachments even from those you do know.
Finally, never send compromising images of yourself to anyone, no matter who they are or who they say they are.
For more best practices to follow, including those that will improve your business’s security, make sure you keep checking in to our blog, and if you want to take more action, reach out to us at 844.671.6071.