While sextortion email scams are an old trick, a recent wave claiming to have acquired the recipient's password is creating concern. Sextortion email scams are a type of phishing scam in which an individual claims to be a webcam hacker and threatens to release a video recording of the email recipient viewing pornography or other embarrassing content. The message typically goes on to explain that unless the user pays a bitcoin ransom, the hacker will release the video recording to the user's contacts, including relatives and coworkers. The latest iteration of the scam is made more believable by quoting a real, usually old, password belonging to the user, most likely taken from a previously published data breach in which the user's old login information appeared.
Here is an example of what the email might look like:
I'm aware that [insert user's previous password here] is your password. You don't know me and you're thinking why you received this e mail, right? I placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (remote desktop) and a keylogger which provided me access to your display screen and webcam, allowing me to record you.
What should you do? Well, I believe $1400 is a fair price for our little secret. You'll make the payment via bitcoin to the below address (if you don't know how to do this, search "how to buy bitcoin" in Google).
You have 24 hours to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email.) If I don't get the payment, I will send your video to all of your contacts, including relatives, coworkers, and so forth.
As shocking as it may be to receive this type of message, here are a few things to keep in mind if and when you see a sextortion scam in your inbox:
- Don't think that you are alone. This scam is widespread and is almost certainly the output of an automated process casting a wide net: the same template, with a different password pasted in, goes to every address in a breach list. It is a common type of attack, and one you should recognize so that you can respond accordingly.
- Don't panic. It is very unlikely that the perpetrators can carry out the threats in the email. The message is designed to shock you into responding, and the familiar password is what makes it feel personal. In many cases that password is several years old and was obtained from any number of online sources, such as a published breach of a website where you once used it, rather than from anything the sender did to you. The "unique pixel" line is a bluff of the same kind: the email claims the pixel has already reported back, in text that was written before you opened the message, and a tracking pixel can only report anything if your mail client loads remote images, which many clients block by default.
- Don't pay, and don't reply. Now that you know what you are dealing with, do not take the bait: a reply only confirms that the address is read, and paying the bitcoin ransom does not make a nonexistent video go away.
- Do change the password if it is still in use. Check whether the quoted password is still active on any account; if it is, change it there, stop reusing it elsewhere, and turn on multi-factor authentication for that account.
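Because the quoted password almost always comes from a published breach, a practical first check is to look it up in a breach corpus without revealing it. The following Python is an added example written for this page, not code from the original article or from Venable; it implements the k-anonymity range query that the Have I Been Pwned "Pwned Passwords" service uses (only the first five hex characters of the password's SHA-1 leave your machine, and you compare the remaining 35 characters locally). The range response embedded below is constructed for the example, its breach counts are made up, and the `fetch_range_live` function that talks to the real API is included but never called here, so the block runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6".
# Real responses have the same shape (35-hex-char SHA-1 suffix, colon, count),
# but these suffixes and counts are made up for this example, apart from the
# suffix of "password", which is the real SHA-1 remainder of that string.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",  # suffix of sha1("password")
    "2F6CBA0A2B8B1B7F0A9E9D1C4E9B6A3D5C1:0",      # padding entry (count 0 = not breached)
    "A1B2C3D4E5F60718293A4B5C6D7E8F90123:7",
])


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query_parts(password: str) -> Tuple[str, str]:
    """Split the hash into the 5-char prefix that is sent and the 35-char suffix kept locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Count 0 entries are API padding and mean 'not found'."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, or 0 if absent (or only a padding entry)."""
    prefix, suffix = range_query_parts(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (not called in this example): GET https://api.pwnedpasswords.com/range/<prefix>.
    The Add-Padding header asks the service to pad the response with zero-count entries so the
    response size does not leak which prefix was queried."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "sextortion-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live: only the prefix of "password" has a constructed response."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        prefix, _ = range_query_parts(pw)
        n = breach_count(pw, fetch_range_sample)
        verdict = f"seen {n} times in the sample corpus" if n else "not in the sample corpus"
        print(f"{pw!r}: sent prefix {prefix}, {verdict}")
```

To run it against the real service, pass `fetch_range_live` instead of `fetch_range_sample`; the password itself is never transmitted, only the five-character hash prefix, and a non-zero count tells you the quoted password is in circulation and must not remain in use anywhere.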
The FBI has provided recommendations on ways to avoid becoming the victim of a sextortion scam, which include the following: (1) Do not send compromising images of yourself to anyone; (2) do not open attachments from people you do not know; and (3) turn off your electronic devices and web cameras when you are not using them. We also recommend covering your webcam when it is not in use.
If you have been affected by a sextortion scam or other malware, or have any cybersecurity-related questions or concerns, please contact us. We can help you pass along any relevant information to law enforcement and assist you in mitigating the risk. Venable's nationally recognized eCommerce, Privacy, and Cybersecurity Group brings together a unique combination of legal, policy, and technical experts to help our clients with a wide range of cybersecurity issues, including phishing and related attacks.