Sextortion – financially motivated sexual extortion – is a form of digital blackmail, where the attacker either holds or claims to hold compromising information and threatens to publish or share that information with others unless a payment is made. One of the most common types of sextortion scams involves a cybercriminal making contact, usually via email, claiming they have accessed the victim’s computer and found sexually explicit material such as photographs or viewed the victim’s browsing history of adult web content. The emails claim that the victim’s webcam and microphone have also been hacked, and the victim has been recorded while viewing sexually explicit content. Threats are issued to share that information with the victims, friends, family members, spouse, or employer and a demand is issued for payment. These hacking-based sextortion scams are usually empty threats, as the scammer has not managed to hack the user’s device.
New tactics have been identified in recent sextortion scams. In one campaign, the cyber threat actor impersonates a cybersecurity company and claims they have found evidence that indicates the victim’s spouse has been cheating on them. Rather than demand payment to prevent the publication or sharing of that information, the messages ask for payment to provide evidence of the infidelity. The company claims to have obtained full copies of the spouse’s address book, social media communications, website viewing history, dating app activity, and more, and that the information will be provided as a package if payment is made. The messages are addressed to the victim by name and include the spouse’s name, which adds legitimacy to the claim. That information is thought to have been obtained in a data breach.
Another sextortion tactic has been identified that uses a photograph of the victim’s home in the initial communication. In this scam, the targeted individual is sent an email with a PDF file that uses the victim’s first and last name for the file name. If the file is opened, the victim will see a photograph of their house along with their address. The sextortion scam follows a similar pattern to the hacked computer scam, where the victim is told that their computer has been hacked and the hacker has viewed their browsing history and recorded them browsing filthy videos using the laptop’s camera and clicking on links to unsafe websites. In one scam, the user is told that the well-known Pegasus spyware was used to covertly record and remotely monitor the user’s laptop and mobile, and that access has been gained to the user’s email account, social media accounts, and their full contact list has been downloaded.
The house image is a novel twist that is intended to make the scammer’s claim even more realistic and suggests that the scammer has visited the user’s home and knows where they live. While the latter is true, the image has been screenshotted from Google Maps Street View, and in all likelihood, the user’s email address and home address have been obtained from a publicly available source or a data breach.
These scam emails are intended to make the victim panic and make payment; however, these scams rarely involve actual hacking. Any payment is likely to lead to further blackmail attempts. The best approach is to simply not respond to the email and delete it.