Sextortion scam knows your password, but don’t fall for it

Someone has been sending sextortion scam emails with a new twist – one aimed at making it more likely you’ll be duped into paying a blackmail fee.

One of the emails arrived at Naked Security yesterday, via a diligent reader, just as Brian Krebs was breaking the story on his site.

It claims to have compromising images of the recipient and goes on to ask for payment in order to stop the images being released publicly. Attempting to manipulate victims by claiming to have compromising images of them is known as sextortion, and it’s been used for years. What makes this scam different is that it’s added something extra: it contains a real password used by the victim.

The email reads:

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct? 

actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email. 

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam. 

exactly what should you do?

Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google). 

BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY
(It is cAsE sensitive, so copy and paste it)

Important:
You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

Some details vary in different copies of the mail and if the campaign is successful it may evolve more over time. At the time of writing, the sender’s email address (either in the reply-to field or in one case included, in the text of the mail), the ransom amount and the bitcoin address all vary.

Update: later variations of this email that appeared after we first published this article have used passwords in the names of PDF attachments, or offered other forms of fake “proof”, like sending the email from your own email address.

The power of a password

Many people, even those who feel as though they could have been seen in a compromising position, would normally be too wary to fall for a sextortion scam with no evidence. Including a real password makes it seem more convincing, though, which might be enough to fool some people.

Several people mailed Krebs copies that they had received of this mail, and in all cases the passwords were more than 10 years old. The person who forwarded the message to us also said that the password was an old one.

But still, how did they get the old passwords?

The most likely explanation is that they’re passwords stolen in one of the many large data breaches that have occurred over the last decade. Passwords exposed by events like the 2012 LinkedIn breach are packaged up by criminals and sold and resold in their millions, even years after the event.

That’s because some data breaches take years to be discovered, and because the crooks know they can still get lucky with your password, even if you’ve changed it since the breach.

That’s because many of us like to reuse the same password over and over again, on lots of different sites. So, if a crook gets hold of a password you used for one website they’re likely to try it on other websites you might use, or sell it to somebody else who will – which is why you should never use the same (or similar) passwords on different sites.

And, as this scam shows, even an old password that doesn’t work anywhere still has value to the crooks, because they can use it to scare you. Just the fact that they know what one of your passwords used to be is very unsettling.

What to do?

  • Don’t panic, it’s a hoax. An email with an old password is NOT proof you’ve been hacked.
  • Use unique passwords for every site and app you use. If that sounds hard, then…
  • Use a password manager that can create and remember strong passwords for you.

Although this email comes from a criminal who hasn’t hacked your machine or spied on you, there is plenty of password-stealing, key-logging and webcam-using malware that wants to do exactly that. To keep it out we recommend you download Sophos Home.