TR-54 - Sextortion scam emails - I know your password

Overview

During the past few days, we have received an increasing number of reports about scam attempts.

Usually the malicious emails involved in the scam start with sentences such as I know that XYZ is your password, with the scary part being that XYZ is in fact a real password of the targeted user.

In one example, as displayed below, the attacker explains that they compromised the victim’s PC by infecting it with a remote access malware. They also state that they have activated the webcam of the PC and recorded a video clip of the victim.

The attackers claim that the victim is required to pay a ransom in Bitcoins in order to get the movie destroyed - refusing to do so would lead to the attackers spreading the movie to all of the contacts of the victim.

While these kind of sextortion scams are rather old, the quality of these recent occurrences has raised the bar massively, due to the fact that the attackers seem to posses and threaten with a real password of the victim.

One explanation

How is it possible that the attacker has knowledge of a real password without compromising the victims PC/laptop?

It turns out that often the attackers reused an older password of the victim which has already been changed several months or even years prior.

Furthermore, attackers often presented a password previously used for some 3rd party online accounts.

We are certain that the attackers use more or less recent data breaches to collect valid email address and password combinations, which they can use to send mass emails that look considerably more serious than before.

Data breaches occur much more frequently than one would expect, please take a look at our TR-46 to get an idea of the number of data breaches affecting victims in Luxembourg.

Scam example

You can view a sample scam email quoted below and whilst we have been seeing samples looking slightly different in regards to some details, the overall message was the same.

I do know xxxxxx is your pass word. Lets get straight to the purpose. You don't know me and you're probably wondering why you are getting this mail? Neither anyone has paid me to investigate about you.

actually, I actually placed a malware on the 18+ vids (pornographic material) website and do you know what, you visited this website to have fun (you know what I mean). While you were viewing videos, your browser started out working as a Remote control Desktop with a keylogger which gave me accessibility to your display screen and web cam. Just after that, my software program gathered all of your contacts from your Messenger, Facebook, as well as emailaccount. After that I made a double-screen video. First part shows the video you were viewing (you have a nice taste lol . . .), and 2nd part shows the recording of your web camera, yeah its u.

You will have not one but two options. Lets review each one of these choices in particulars:

Very first option is to disregard this e-mail. In such a case, I am going to send out your actual tape to every bit of your contacts and thus just consider regarding the humiliation you will see. And consequently if you happen to be in an important relationship, exactly how it would affect?

Other choice would be to compensate me $7000. We will think of it as a donation. Then, I will promptly remove your video recording. You can keep on going everyday life like this never took place and you would never hear back again from me.

You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

BTC Address to send to: <bit coin address>
[CASE SENSITIVE copy and paste it]

Should you are planning on going to the cops, well, this mail cannot be traced back to me. I have taken care of my actions. I am also not attempting to ask you for so much, I only want to be rewarded. I have a specific pixel within this e-mail, and right now I know that you have read through this message. You have one day to make the payment. If I do not receive the BitCoins, I will definitely send your video to all of your contacts including close relatives, co-workers, and so on. Having said that, if I receive the payment, I'll erase the recording immediately. If you need proof, reply Yes! and I will certainly send out your video recording to your 15 friends. It is a nonnegotiable offer and so please do not waste my time and yours by responding to this email.

Email sent from own account

Recently we saw a new attack vector, where the attackers claim to have hacked the victim’s email accounts. As proof of the hack they makes the email look as if it were sent from the victim’s email account.

This is a simple attack which is possible via SMTP Internet email, where the attackers spoof the sender’s email address. This is as easy of a task to accomplish as sending a postcard in the name of somebody else.

Shortened example

The example is cut to save some space. The goal of the attack is the same as above, the attackers are trying to get some bitcoins in return for not spreading some secrets they claim to have obtained.

Date:17 Sep 2018 14:23:21 +0200
De:victim@circl.lu
Pour:victim@circl.lu
Objet:Ihr geheimes  heimliches Leben

Salut!

Wie Sie es Ihnen schon denken können, wurde Ihr Benutzerkonto (victim@circl.lu) gehackt, da ich Ihnen diese Meldung von geschickt habe. :(

Ich vertrete eine bekannte internationale Gruppe von Hackern
...
...

Fixing, re-mediation and mitigation

  1. Keep a unique, dedicated password for each online account. In case of a data breach your other accounts are still safe.

  2. If you receive this kind of scam, do not hesitate to contact CIRCL. We maintain a list of the BTC (Bitcoin) addresses in the MISP threat intelligence community operated by CIRCL.

  3. Delete the scam email. The attacker most likely does not have access to your computer.

  4. Be aware that emails are not anymore reliable than postcards.

  5. Teach others about what you have just learned.

References

Classification

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 20180803
  • Version 1.1 - TLP:WHITE - RCPT TO = MAIL FROM - 20180920