The sextortion scam knows your password, but make no mistake – Naked Security
Someone has sent out sextortion scam emails with a new twist – one aimed at making it more likely that you will be tricked into paying blackmail fees.
One of the emails arrived at Naked Security yesterday, via a frequent reader, just as Brian Krebs was breaking the story on his site.
The sender claims to have compromising images of the recipient and demands payment to prevent the images being released publicly. Extorting victims by pretending to have compromising images of them is known as sextortion, and it has been used for years. What makes this scam different is that it adds something more: it contains a real password used by the victim.
The email states:
I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct? actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email. What exactly did I do? I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam. exactly what should you do? Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google). BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY (It is cAsE sensitive, so copy and paste it) Important: You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.
Some details vary between copies of the mail, and if the campaign is successful it may change further over time. At the time of writing, the sender's email address (either in the reply field or, in one case, in the text of the mail), the ransom amount and the bitcoin address all vary.
Update: later variations of this email that appeared after this article was first published used passwords in the names of PDF attachments, or offered other forms of fake "evidence", such as sending the email from your own email address.
The power of a password
Many people, even those who feel they could have been seen in a compromising position, would normally be too suspicious to fall for a sextortion scam without any proof. Including a real password, however, makes it more convincing, which might be enough to fool some people.
Several people sent Krebs copies they had received of this mail, and in all cases the passwords were over 10 years old. The person who forwarded the message to us also said the password was old.
But still, how did they get the old passwords?
The most likely explanation is that these are passwords stolen in one of the many significant data breaches that have occurred over the past decade. Passwords revealed by events such as the LinkedIn breach in 2012 are plundered by criminals and sold and resold by the million, even years after the event.
That’s because some data breaches take years to be discovered, and because crooks know they can still get lucky with your password, even if you’ve changed it since the breach.
This is because many of us reuse the same password over and over again, on many different sites. So if a scammer gets hold of a password you used on one website, they are likely to try it on other websites you might use, or sell it to someone who will. That's why you should never use the same (or a similar) password on different sites.
And, as this scam shows, even an old password that doesn’t work anywhere is still of value to crooks because they can use it to scare you. Just the fact that they know what was one of your passwords is very unsettling.
What to do?
- Do not panic, this is a hoax. An email with an old password is NOT proof that you have been hacked.
- Use unique passwords for every site and app you use. If that sounds difficult, then …
- Use a password manager that can create and remember strong passwords for you.
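Because breached passwords are resold for years, it is worth being able to check whether a password you still use has already appeared in a breach corpus, without sending the password anywhere. The code below is an added example, not from the article or from Sophos. It assumes the range-query convention used by Have I Been Pwned's Pwned Passwords service (a real service the article does not mention): the client sends only the first five hex characters of the password's SHA-1 and receives every known suffix with that prefix as `SUFFIX:COUNT` lines. The network call is injectable, so the example runs offline against a constructed response; the breach count in that response is made up.

```python
"""Check whether a password appears in a breach corpus without disclosing it.

Added example, not code from the Naked Security article. Assumes the
k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API
(GET /range/<first 5 hex chars of SHA-1>, response lines "SUFFIX:COUNT").
The live fetch is never called here; a constructed offline response is used.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range_live(prefix, timeout=10):
    """Real lookup: only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch=fetch_range_live):
    """Return how many times the password has been seen in breaches (0 if never)."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


# Constructed offline stand-in for the service. The first suffix is the real
# SHA-1 of "password" (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) minus its
# prefix; the count and the second line are invented for this example.
_FAKE_RANGE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\r\n"
)


def fake_fetch(prefix):
    """Offline stand-in: only the 5BAA6 range has (constructed) entries."""
    return _FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch=fake_fetch)
        status = f"seen {n} times" if n else "not found"
        print(f"{pw!r}: {status} (offline sample data)")
```

Swap `fake_fetch` for the default `fetch_range_live` to query the real service; the design point is that the full hash, let alone the password, is never transmitted, so the check itself does not create a new place for the password to leak from.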
Although this email is from a criminal who has not actually hacked your computer or spied on you, there is plenty of password-stealing, keylogging and webcam-snooping malware out there that wants to do exactly that. To guard against it, we recommend downloading Sophos Home.
LEARN MORE ABOUT SEXTORTION
A video from our What to do When… series on the Naked Security YouTube channel.