A new sextortion phishing threat has been detected that is proving to have the desired effect. Many recipients of the emails have paid up to avoid being exposed.
On the face of it, this sextortion phishing scam is as simple as it gets. A threat actor claims to have taken control of the target’s computer and recorded them via their webcam while they were visiting an adult website. A threat is made to publicly release the video of them viewing pornography unless a payment is made.
For some recipients of such an email, such a threat would be enough to get them opening their Bitcoin wallet and making the payment without a second’s hesitation. Most people would likely see the email for what it really is. A scam and an empty threat.
However, a second variant of the email is being used that is a lot more personalized and includes a snippet of information to add credibility to the scam. The message includes the user’s password as ‘confirmation’ that it is not an empty threat. The attacker also claims, through compromising the target’s computer, to have obtained all the victim’s contacts including contacts in their social media accounts.
While the threat actor claims to have control of the user’s computer, that is not the case. The password has been obtained from a previous data breach and a list has likely been purchased on the darknet.
For many of the email recipients, the password will be old and will have been changed long ago. That may be enough in some cases to see payment made. However, for those who are still using that password, the threat may seem very real.
This is in reality a very simple scam that in many cases only works because despite the risk of failing to change passwords frequently, recycling old passwords, and reusing passwords on multiple sites, the practice is still commonplace.
It is not known how many emails have been sent by the scammers – most likely millions – but it only takes a handful of people to respond and make payment for the scheme to be profitable.
So far, at least 151 people have responded to the sextortion phishing scam and made a payment to one of 313 Bitcoin addresses known to be used by the scammers. So far, at least 30.08 BTC had been raised – Approximately $250,000 – from the scam as of July 26 and it has only been running for a few weeks. The researcher tracking the payments (SecGuru) pointed out that the attackers have made three times as much as the individuals behind the WannaCry ransomware attacks last year.
Even without the password, the sextortion phishing scam has proved effective. Payments have been made in both versions of the scam. The standard scam asks for a payment of a few hundred dollars, although the inclusion of a password sees the payment rise considerably. Some individuals have been told it will cost them $8,000 to prevent the release of the video. Some individuals have paid thousands to the scammers.
Given the widespread coverage of the scam, and its success rate, it is probable that many more similar schemes will be conducted. Variations along the same theme could direct recipients to a phishing website where they are enticed into disclosing their current password, to an exploit kit that downloads malware, or to another scam site.
Protecting against a scam such as this is easiest by using strong passwords, regularly changing them, and never reusing passwords on multiple sites. It is also worthwhile periodically checking to find out if their credentials have been exposed in a data breach on HaveIBeenPwned.com and immediately changing passwords if they have.
Anyone receiving a sextortion phishing email such as this should be aware that this is a scam. If the password included is currently being used, it is essential to change it immediately across all sites. And of course, set a strong, unique password for each account.