Beware sextortionists spoofing your own email address

Oh, no! A hacker (says he) planted a Trojan, (claims he) took over your computer’s camera and microphone, (purportedly) filmed you watching porn, (theoretically) has the password to your email account, and is threatening to forward the scandalous video to all your email and social media contacts unless you fork over Bitcoin!

“It must be true,” many people have unfortunately thought about this new twist on an established sextortion scam. After all, he’s (apparently) sending email from your very own email address!

Good news: thankfully, it’s not true. The sextorting phisher has not, in fact, demonstrated that he’s hacked your email. All he’s done is demonstrate that anyone can send an email claiming to be from anyone else.

That’s nothing new; it’s just the way email is designed, though plenty of phishers use this fact to send spoofed email that looks like it comes from a trusted party (like you!).

We’ve seen sextortion emails that have included an intended victim’s password – one that the attackers actually found in a data breach dump – in order to make their claims to have taken over somebody’s computer seem legitimate. Those passwords are typically outdated. With the latest spin, the crooks also pretend to have access to the victim’s email account, simply by spoofing the sender address of the scam email so that it appears to come from the victim’s own address.
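A defender’s check for the “from yourself” variant described above, added here as an illustration and not code from the article: it reads the receiving server’s Authentication-Results header (RFC 8601) and flags a message whose From: address equals the recipient’s own address but which did not pass DMARC. The relay name, addresses and message text below are constructed.

```python
"""Flag 'from yourself' sextortion mail using the inbound server's
authentication results. Added illustration, not the article's code.
Assumes the receiving MTA stamps an Authentication-Results header and
that the message is available as raw RFC 5322 text."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: equals the recipient's own address, but the
# message failed SPF, has no DKIM signature and therefore fails DMARC.
SAMPLE = """\
Return-Path: <bounce@constructed-relay.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=constructed-relay.example; dkim=none; dmarc=fail header.from=example.net
From: "Alice" <alice@example.net>
To: alice@example.net
Subject: I have your video

I've been watching you for a while. Transfer 1000 euros to my bitcoin
address within 72 hours.
"""


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results
    header; a method that is not reported maps to 'none'."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(r"\b%s=(\w+)" % method, value)
        results[method] = m.group(1).lower() if m else "none"
    return results


def assess(raw: str) -> dict:
    """Return the signals a mail filter would act on for one message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    self_addressed = bool(sender) and sender == recipient
    # DMARC 'pass' means SPF or DKIM passed AND aligned with the From:
    # domain; anything else leaves the displayed sender unverified.
    authenticated = auth["dmarc"] == "pass"
    return {
        "self_addressed": self_addressed,
        "authenticated": authenticated,
        "mentions_bitcoin": "bitcoin" in body.lower(),
        "suspected_self_spoof": self_addressed and not authenticated,
        "auth": auth,
    }
```

A real filter would quarantine or tag such a message rather than bounce it, since the Return-Path is attacker-controlled and a bounce would only hit a third party.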

The new variant of this lucrative scam was first seen targeting people in the Netherlands. RTL Nieuws reported on Thursday that the scammers had thus far bilked people of €40,000 (USD $46,000).

The spoofed mail claims that victims’ computers have been hacked and that the targets have been filmed while watching porn. It gives them one day to cough up a €1000 ransom in bitcoin, or else the video will be sent to all of their contacts.

Here’s Google’s translation of the Dutch scam email:

Hey,

I've been watching you for a while because I hacked you through a trojan virus in an ad on a porn website. If you are not familiar with this, I will explain this. A trojan virus gives you full access and control over a computer, or any other device. This means that I can see everything on your screen and switch on your camera and microphone without you being aware of it.

That way I also got access to all your contacts. I made a video that shows how you satisfy yourself on the left half of the screen and on the right half you see the video you were watching. With the press of a button I can forward this video to all contacts of your email and social media. If you want to prevent this, transfer an amount of 1000 euros to my bitcoin address (If you do not know, search with Google "Buy Bitcoin".) Bitcoin address: xxxxxxxxxxxx

As soon as the payment is received, I will delete the video and you will never hear from me again. I give you 72 hours to make the payment. Then you know what happens. I can see it if you have read the email.

RTL Nieuws analyzed more than 100 of the bitcoin addresses from the emails and found that the crooks had managed to talk people out of seven bitcoins as of Thursday, making it one of the most successful extortion emails to have ever made the rounds in the Netherlands.

It may be just a slight tweak of an extortion scam, but people are unfortunately falling for it. You can see why: most people who watch online porn would be horrified at the notion that they’d been filmed while doing so and that their reputations could wind up in the gutter if embarrassing video of them were to be disseminated to friends, family and colleagues.

It’s not hard to believe that a hacker could take over your microphone and webcam, after all. Crooks can use a piece of malicious software called a remote access trojan (RAT) to take over your computer, record your conversations, and yes, turn on your webcam and microphone to spy on you.

Victims of sextortionists have included those as famous as Miss Teen USA: Cassidy Wolf was blackmailed by a crook who used a RAT known as “Blackshades” to take nude pictures of her through her webcam.

We’ve seen plenty of stories about hijacked baby monitor webcams, too, and we’ve seen one couple who didn’t realize that they’d been joined by a peeping Tom who spied on them via their webcam as they snuggled together to watch Netflix.

Couple the too-real threat of RATs and hijacked webcams with an email that looks like it came from within your very own email account, and it’s easy to see how people can get strung along.

Like most scam email artists, these criminals are adept at playing on our fears. These “I have your email account” guys are piling fear on top of fear – “we recorded you watching porn!” “we have all your contacts because we have your email account!” – to make a sky-high, multi-layered fear sandwich.