UK +44 (20) 3761 8080 SA +27 (21) 203 2900 SG +65 (69) 298 220 USA +1 646 712 9910 [email protected]

Sextortion (It’s not that much fun)

So we’ve all heard of phishing right? And no one is going to click on funny emails from your bank asking for your username and password or that free pizza offer right? RIGHT?!

Well here’s a new twist on an old favorite. One of our customers received this email last week:

I am aware that is one of your passwords”

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Firstly, although technically possible all of the above is completely fictitious – no one has any video of anyone doing anything – this is straight extortion created from assumptions. EXCEPT for the password.

Aside from being slightly frightening, this is also fascinating. Phishing has always been about trying to get your passwords – now they’re leading with your password straight of the bat as a means to establish credibility. That’s right – YOUR PASSWORD. The password used is actually correct (or at least was). We believe the password information in these recent instances has been either from the LinkedIn hack of 2012, or the Ashley Maddison hack of 2015 (maybe both).

Almost more concerning is the number of people on message boards and in the comments section of various articles that are still using the same password they did in 2012 or 2015.

There is also nothing ‘traditional’ in the email that causes it to be blocked – no links, no malware, no attachments.

I’ve also heard of a less digital version of this scam that has been used in LA recently, and this time delivered by good old fashioned post: “We know what you’ve been doing, we have evidence, and if you don’t pay x to this bitcoin address, we’ll send the videos to your wife”.

The worst thing about that is there is clearly a big enough target group in middle-class suburbia to make the scam worthwhile.

If you do end up on the receiving end of one of these horrible little scams, make sure you follow these steps:

7 things to remember if you get a ransom or extortion email

  • If there are any, DO NOT click on any links or attachments in the email.
  • If you still use that password anywhere, for goodness sakes change it now.
  • Do not re-use passwords (chat to us about a password manager for your business)
  • Enable 2 factor authentication for all online accounts that support it.
  • Do not respond to spam or phishing emails
  • Do not pay ransomware or extortionists.
  • Talk to us about automated security training for your company
Back To Top