ETERNALBLUE sextortion scam puts your password where your name should be

Thanks to Richard Cohen of SophosLabs for his help with this article.

Remember sextortion?

That’s the name for the cybercrime where crooks blast you with spam claiming to know something about your sex life or sexuality that you’d probably want to keep private if it were true…

…and then threaten to tell the world (or at least your colleagues, friends and family) all about it.

Unless you send them money right away, usually in the form of a cryptocurrency like Bitcoin, and usually within 48 hours.

It’s all a pack of lies, of course – the crooks blast out millions of these messages in the hope that the contents will be close enough to the truth that at least some victims will pay up.

Generally, the crooks say they have taken screenshots of you viewing porn, synchronised with a recording they made at the same time via your webcam.

But even if you never watch porn, or don’t have a webcam, or both, this sort of email can still be alarming because the crooks also claim to have total control of your computer, typically including:

  • Access to your passwords.
  • Access to what you type in, even if you go and change your passwords.
  • Access to your email and social media contact lists.

Also, to increase your fear, the crooks may offer “proof” that they’ve already stolen private data from you by including one or more snippets of personal information in the email.

The crooks often include your phone number or one of your passwords recovered from an existing data breach, or they pretend that they sent the email directly from your own account.


In the latest sextortion campaign we’ve seen, the crooks have another trick: they put your password (or what they think is your password) in the To: field of the email headers, where your name would normally appear, so it shows up even when you are just previewing your email:

TO: pa55word <>
FROM: <madeupsender>
SUBJECT: Security Alert. Your account was compromissed. Password must be changed.

Sometimes, the password is garbage; sometimes it’s a password for an old account that you changed long ago.

But often it really is a password you once used, which certainly lends a touch of credibility to the claims that follow:

Hi, dear user of [YOUR DOMAIN NAME]

We have installed one RAT software into you device 
For this moment your email account is hacked too.
I know your password for this account [YOUR USERNAME]: [YOUR PASSWORD]
Changed your password? You're doing great!

But my software recognizes every such action. I'm updating passwords!
I'm always one step ahead....

So... I have downloaded all confidential information from 
your system and I got some more evidence. The most interesting moment 
that I have discovered are videos records where you masturbating.

Intriguingly, the crooks behind this scam campaign include a bogus explanation of how they sneaked the RAT (short for Remote Access Trojan, a type of malware that does exactly what its name suggests) onto your system, saying:

I posted EternalBlue Exploit modification on porn site, and then
you installed my malicious code (trojan) on your operation system.
When you clicked the button Play on porn video, at that moment my
trojan was downloaded to your device.

ETERNALBLUE is a genuine attack vector, and it’s quite well-known because it was originally developed by (or at least obtained by) the US intelligence services and used for law enforcement and surveillance purposes.

But it was subsequently stolen from the US government, offered for sale and ultimately published on the internet for free so anyone with evil intentions could use it.

And they did – ETERNALBLUE was the primary trick used by the infamous WannaCry virus to jump around on and between networks.

The crooks finish by demanding that you pay $600 in Bitcoin within 48 hours:

For the moment, the software has harvrested all your contact 
information from social networks and email addresses. If you need to 
erase all of your collected data, send me $600 in BTC (crypto currency).
You have 48 hours after reading this letter.

The Bitcoin address mentioned in the email has received two payments worth approximately $550 each at current rates, but we have no idea whether the funds came from real victims who were frightened enough to pay, or from unrelated sources.

What to look for?

The subject lines and message bodies of spam and scam campaigns change all the time, so don’t rely on specific details when trying to figure out whether an email is genuine or not.

However, the samples we’ve seen of this particular scam have similar content in the message body itself, while the subject lines vary considerably and include:

Your account was under attack! Change your access data!
Your account is being used by another person!
Your account has been hacked! You need to unlock.
The decision to suspend your account. Waiting for payment.
Security Notice. Someone have access to your system.
Security Alert. Your accounts was hacked by criminal group.
Security Alert. Your accounts was compromised. You need change password!
Security Alert. Your account was compromissed. Password must be changed.
High level of danger. Your account was under attack.
High danger. Your account was attacked.
Hackers know password from your account. Password must be changed now.
Frauders known your old passwords. Access data must be changed.
Caution! Attack hackers to your account!
Be sure to read this message! Your personal data is threatened!
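As an added example (not code from the article or from SophosLabs), here is a small Python triage script that checks for the tells described above: a To: header shaped like "pa55word <>" (a display name with no address behind it), a subject line matching the list just given, and a body that pairs an ETERNALBLUE claim with a Bitcoin demand. The two sample messages are constructed for the demo, and the example.invalid addresses are placeholders rather than anything seen in the campaign.

```python
import email
import re
from email.utils import parseaddr

# Subject lines reported for this campaign (the list in the article),
# compared case-insensitively with whitespace collapsed.
CAMPAIGN_SUBJECTS = [
    "Your account was under attack! Change your access data!",
    "Your account is being used by another person!",
    "Your account has been hacked! You need to unlock.",
    "The decision to suspend your account. Waiting for payment.",
    "Security Notice. Someone have access to your system.",
    "Security Alert. Your accounts was hacked by criminal group.",
    "Security Alert. Your accounts was compromised. You need change password!",
    "Security Alert. Your account was compromissed. Password must be changed.",
    "High level of danger. Your account was under attack.",
    "High danger. Your account was attacked.",
    "Hackers know password from your account. Password must be changed now.",
    "Frauders known your old passwords. Access data must be changed.",
    "Caution! Attack hackers to your account!",
    "Be sure to read this message! Your personal data is threatened!",
]

# A To: header with a display name but an empty angle-address, i.e. the
# 'pa55word <>' shape used to plant a password in the name slot.
_NAME_WITHOUT_ADDRESS = re.compile(r'^\s*"?(?P<name>[^"<>]*?)"?\s*<\s*>\s*$')


def _normalise(text):
    return " ".join(text.lower().split())


def to_header_is_password_shaped(to_value):
    """True when To: names a recipient but gives no deliverable address."""
    match = _NAME_WITHOUT_ADDRESS.match(to_value or "")
    if match and match.group("name").strip():
        return True
    # Fallback: a display name whose address part has no '@' is equally suspect.
    name, addr = parseaddr(to_value or "")
    return bool(name) and "@" not in addr


def subject_matches_campaign(subject):
    """True when the subject equals one of the known campaign subjects."""
    known = {_normalise(s) for s in CAMPAIGN_SUBJECTS}
    return _normalise(subject or "") in known


def body_has_exploit_and_payment_claim(text):
    """True when the body pairs an ETERNALBLUE claim with a Bitcoin demand."""
    return bool(re.search(r"eternalblue", text, re.I)
                and re.search(r"\bbtc\b|bitcoin", text, re.I))


def triage(raw_message):
    """Return the list of indicator names found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    indicators = []
    if to_header_is_password_shaped(msg.get("To", "")):
        indicators.append("to-header-has-name-but-no-address")
    if subject_matches_campaign(msg.get("Subject", "")):
        indicators.append("subject-matches-known-campaign")
    if body_has_exploit_and_payment_claim(body):
        indicators.append("body-pairs-eternalblue-with-bitcoin-demand")
    return indicators


# Constructed samples for the demo; the example.invalid addresses are placeholders.
SAMPLE_SCAM = """\
To: pa55word <>
From: <sender@example.invalid>
Subject: Security Alert. Your account was compromissed. Password must be changed.

I posted EternalBlue Exploit modification on porn site.
If you need to erase all of your collected data, send me $600 in BTC.
"""

SAMPLE_BENIGN = """\
To: Alice Example <alice@example.invalid>
From: <helpdesk@example.invalid>
Subject: Reminder: quarterly password rotation

Please change your password through the self-service portal.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The subject check is deliberately an exact (normalised) match, because, as the article says, subject lines change all the time; the To: header check is the more durable signal, since a display name with no address behind it is not something a legitimate mailer produces.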

What to do?

From a technical point of view, given the inclusion of a real password and the mention of a genuine security exploit, this scam certainly sounds possible, and even plausible, but it’s all a bunch of made-up nonsense.

So you can delete it without further ado.

Nevertheless, there are some useful security reminders mixed in with this story, namely:

  • Patch early, patch often. The ETERNALBLUE exploit was patched way back in March 2017, so no one should be able to attack you successfully with it any more.
  • Prefer two-factor authentication (2FA). We’re assuming you already pick proper passwords, for example by using a password manager to help out, but the one-time login codes typically required for 2FA add another layer of difficulty for crooks.