New take on old email scam references recipients' actual passwords in attempt to make bogus claims more believable.
What's happening? Criminals are sending out scam emails claiming they have recordings of the receivers watching porn.
Why is this any different than similar scams? The criminals are referencing real passwords associated with the recipient's email account. UPDATE 10/15/18: Criminals are also now spoofing recipient email addresses, too. As a result, the emails appear as though they're being sent from the recipient's own account.
In a new twist to an old scam, criminals are sending out emails claiming they've infected the recipients’ computers with malware and have used their webcam to record video of them watching porn. Unless the recipient pays the criminal in Bitcoin, the emails explain, the criminals will send copies of the video to the recipients’ contacts.
What’s different about this latest variation of the scam is that, in order to make it more believable, criminals are opening their emails by referencing a real password associated with the recipient’s email address.
I am aware [PASSWORD REDACTED] is your password. You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.
To be clear: These emails are scams. Do not fall for them and do not make any payments.
The inclusion of what may very well be a valid password is a trick designed to make these emails more frightening and convincing, but it doesn’t mean the claims are actually valid.
This scam isn’t a sign that your computer has been infected, rather, it’s a sign that your email address and a password associated with it have been exposed in a previous data breach.
How criminals are able to reference a valid password
While the exact methods are unconfirmed, it’s very likely that criminals are referencing a database of passwords and email addresses collected from a large data breach that may have taken place years ago. Several of Krebs' readers who received variations of this email said the passwords the criminals referenced were ones they'd used close to ten years ago (even more reason to regularly update your password and avoid password reuse).
There are unfortunately a growing number of "megabreaches" these email addresses and passwords could be associated with, but a number of recipients (including readers of this blog post) have pointed to the LinkedIn hack of 2012, which included the theft of 167 million account details, as a strong possible source.
To check to see what breaches your email address has been exposed in, you can visit researcher Troy Hunt's site haveibeenpwned.com.
Unfortunately, these scams appear to be working
What makes these new scam attempts interesting is they represent a clever new approach to monetizing the email addresses and passwords obtained via data breaches. What makes them especially disturbing is that they appear to be (at least to some extent)working.
These may not be huge sums, but they serve as more than enough encouragement for criminals to continue investing in and widening the scope of these schemes. As a result, we can expect to see more of these emails and variations of them in the near future.
UPDATE, 7/19/18: As reported at Bleeping Computer, researcher SecGuru has been tracking Bitcoin addresses used in these campaigns and discovered that at least 30 victims have paid a total of over $50,000 so far.
UPDATE, 7/26/18: The latest count suggests the payment total is at least $250,000.
#extortion#SCAM Email update: 313 BTC Addressess, 151 Victims, 30,08 BTC Payments ($250k). Last run (last two weeks) with PW comes from @Outlook .com addresses (DKIM signed). The amount to be paid has now been increased to $8000, latest payment: today https://t.co/vka9qS6ZgK
With this initial success, it's virtually a guarantee more scams like this will be popping up.
UPDATE, 10/15/19: New variations of the scam are utilizing email spoofing, a tactic that makes it look like the emails are being sent from the recipient's own account. The goal is to provide recipients with another reason to believe their accounts may really have been hacked, even though that's not the case. To see screenshots of what the new variations look like, see our new blog post.
Thank you to the commenters below for drawing our attention to the new variants!