Thanks to Brett Cove of SophosLabs for his behind-the-scenes work on this article.
Sextortion is back in the news.
That’s where someone tries to blackmail you by telling you to pay up or else they’ll reveal something truly personal about your sexuality or your sex life.
Typically, sextortionists claim to have infected your laptop or phone with malware while you were browsing, and then to have kept their eye on both your browsing habits and your webcam.
You can imagine the sort of data they claim to have sniffed out – and even if you know jolly well they couldn’t have got it from you, it still makes you wonder what they might claim you’ve been up to.
Last month, for example, we wrote about an ongoing sextortion scam campaign that tried to amplify your fear by throwing a genuine password of yours into the email.
I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct? actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.
The good news here is that the passwords revealed were old ones – typically from accounts that recipients had closed long ago, or where they’d already changed the password.
Even if you were still using the password they claimed to “know”, the crooks hadn’t acquired it by eavesdropping on you or hacking into your computer.
They’d bought or found a bunch of stolen data acquired in some breach or other, and were using it to try and convince you they really had hacked your device.
Well, these guys are back – or, more precisely, never went away, because we’ve seen bursts of this scam for many months already.
This time, the crooks seem to have got hold of a list that ties email addresses and phone numbers together, so they’re putting your phone number (or at least what they think is your phone number) into the email:
It seems that, +1-555-xxx-xx55, is your phone number. You may not know me and you are probably wondering why you are getting this e mail, right? . . . I backuped phone. All photo, video and contacts. I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam. exactly what should you do? Well, in my opinion, [AMOUNT FROM $100-$1000 THIS TIME] is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
In the 5000 or so samples we extracted from this week’s reports, the amount demanded varied from $100 to $1000 (last time we saw amounts up to $2900).
Interestingly, all the phone numbers had a similar North American format, with five digits Xed out; some Naked Security readers outside North America have reported receiving UK-style numbers with all but the last four digits Xed out.
We can only guess, but it looks as though the stolen data that the crooks acquired this time was pre-redacted – they’d be more convincing if they could reveal your entire number, after all.
Has anyone paid up?
When you try to track down Bitcoin payments, all you can tell is whether someone sent something to the Bitcoin addresses specified.
The 5000 samples from the past week that we used to dig into this latest email campaign each demanded payment into one of just three different Bitcoin addresses, which showed payment histories like this:
Bitcoin address           BTC received  USD approx
------------------------  ------------  ----------
1GYNxxxxxxxxxxxxxxxxxxLB  0.93094968    $6000
19Gfxxxxxxxxxxxxxxxxxxai  0.04491935    $300
1NQrxxxxxxxxxxxxxxxxxxrS  0.00047363    $3

[BTC1 = $6500, roughly correct at 2018-08-15T16:00Z]
In case you’re wondering, there have been 20 payments into those three addresses, roughly distributed as follows:
3 payments at $1000
1 payment at $940
1 payment at $780
1 payment at $300
1 payment at $210
2 payments at $200
1 payment at $150
1 payment at $100
2 payments at $90
1 payment at $80
1 payment at $10
5 payments at $1
Of course, we can’t tell whether any of the payments into these addresses came from victims of this scam – they could have come from anywhere, including from the crooks themselves.
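As an added example (not part of this article and not SophosLabs' own tooling), the script below shows the kind of triage a defender can run over a batch of reported emails to do what the 5000-sample analysis above describes: pull the Bitcoin address, the demanded dollar amount and the (partially Xed-out) phone lure out of each message, group the demands by payout address, and bucket a list of observed payments into the sort of distribution listed above. The email bodies, addresses and payment figures are constructed for the example, and the regular expressions are assumptions about the lure's format rather than anything the article provides.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Legacy Bitcoin address (starts with 1 or 3, base58 alphabet: no 0, O, I, l).
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# A dollar figure such as $100, $1,000 or $ 2900.
USD_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)\b")
# A phone-like run of digits, separators and 'x' placeholders, e.g. +1-555-xxx-xx55.
PHONE_RE = re.compile(r"\+?\d[\dxX\-\s]{8,}\d")

# Constructed sample bodies, written to resemble the lure quoted in the article;
# the addresses are hypothetical (made up for this example) and pay to nobody.
ADDR_A = "1ConstructedAddr" + "A" * 18
ADDR_B = "3ConstructedAddr" + "B" * 18
ADDR_C = "1ConstructedAddr" + "C" * 18
SAMPLE_EMAILS = [
    f"It seems that, +1-555-xxx-xx55, is your phone number. $100 is a fair price. Pay to {ADDR_A}.",
    f"It seems that, +1-555-xxx-xx12, is your phone number. $1,000 is a fair price. Pay to {ADDR_A}.",
    f"It seems that, +44 7xxx xxx 5678, is your phone number. $300 is a fair price. Pay to {ADDR_B}.",
    f"I do know, [PASSWORD REDACTED], is your password. $500 is a fair price. Pay to {ADDR_C}.",
    "Hi, the invoice for $250 is attached. Regards, accounts",  # benign mail mixed into the reports
]


@dataclass
class CampaignTriage:
    demands_by_address: dict = field(default_factory=lambda: defaultdict(list))
    redacted_phone_lures: int = 0
    without_address: int = 0


def extract_lure(body):
    """Return (bitcoin_address, demanded_usd, phone_lure) for one email body; None where absent."""
    addr = BTC_ADDR_RE.search(body)
    usd = USD_RE.search(body)
    phone = PHONE_RE.search(body)
    return (
        addr.group(0) if addr else None,
        int(usd.group(1).replace(",", "")) if usd else None,
        phone.group(0).strip() if phone else None,
    )


def triage(bodies):
    """Group demanded amounts by payout address and count the partially Xed-out phone lures."""
    result = CampaignTriage()
    for body in bodies:
        addr, usd, phone = extract_lure(body)
        if addr is None:
            result.without_address += 1  # not this campaign, or the address was mangled
            continue
        result.demands_by_address[addr].append(usd)
        if phone is not None and "x" in phone.lower():
            result.redacted_phone_lures += 1
    return result


def demand_range(result):
    """Smallest and largest amount demanded across the whole batch."""
    amounts = [a for v in result.demands_by_address.values() for a in v if a is not None]
    return (min(amounts), max(amounts)) if amounts else (None, None)


def payment_histogram(payments_usd):
    """Bucket received payments as in the article's list: nearest $10, or nearest $1 below $10."""
    buckets = Counter()
    for p in payments_usd:
        bucket = max(1, int(round(p))) if p < 10 else int(round(p / 10)) * 10
        buckets[bucket] += 1
    return sorted(buckets.items(), reverse=True)


if __name__ == "__main__":
    t = triage(SAMPLE_EMAILS)
    for addr, amounts in t.demands_by_address.items():
        print(f"{addr}: {len(amounts)} emails, demands {amounts}")
    print("redacted phone lures:", t.redacted_phone_lures, "| not this campaign:", t.without_address)
    print("demand range:", demand_range(t))
    # Constructed payment figures, not the ones observed in the article.
    print("payments:", payment_histogram([1000, 1000, 940, 12, 1.4, 0.8]))
```

Grouping by payout address is what lets a small number of addresses stand out from thousands of emails, and the phone-lure check separates this wave from the earlier password-based one; the USD conversion of the on-chain totals still has to be done against the rate at the time of the check, as the note under the table above does.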
What to do?
Regular Naked Security readers will know what we recommend in cases like this: DON’T PAY, DON’T PANIC, DON’T REPLY.
Even if the crooks had hacked your computer and recorded material you wish they hadn’t (it needn’t be porn, of course), why pay them not to reveal data that they already possess?
At least in a ransomware attack you are “paying for a positive” – you’re paying for a decryption key that will either work and do what you were hoping, or won’t work and that’s that.
But if you pay the crooks not to do something, they can just threaten to do it again next week, month, year…
…so it won’t get you anywhere, except to mark you out as someone who already knows how to buy and spend bitcoins.
Fortunately, in this case, the crooks don’t have any browsing logs or webcam footage at all, so it’s all just empty threats.
Hit [Delete] and you’re done with it – tell your friends.
Oh, and use this story to remind yourself, and to convince your boss, that any data breach can lead to ongoing trouble – even if the breach was “just” email addresses and phone numbers, and even if it happened long ago.
That’s the trouble with private data: once out, always out.