TR-54 - Sextortion scam emails - I know your password


Overview

During the past few days, we have received an increasing number of reports about scam attempts.

Usually the malicious emails start with a sentence such as "I know that XYZ is your password", the alarming part being that XYZ is in fact a real password of the targeted user.

In one example, displayed below, the attacker claims that they compromised the victim's PC by infecting it with remote access malware. They also state that they activated the webcam of the PC and recorded a movie of the victim.

The victim is required to pay a ransom in Bitcoin to have the movie destroyed; if they refuse, the attacker states that they will send the movie to all of the victim's contacts.

While this kind of sextortion scam is rather old, the quality of these recent occurrences has raised the bar massively, because the attackers appear to possess, and threaten with, a real password of the victim.

One explanation

How is it possible that the attacker knows a real password without compromising the victim's PC/laptop?

It turns out that the attackers often presented an older password of the victim, one that had already been changed several months or even years earlier.

Furthermore, the attackers often presented a password previously used for some third-party online account.

We are sure that the attackers use more or less recent data breaches to collect valid combinations of email address and password. They can then use the obtained data to send mass emails that look much more credible than before.

Data breaches occur much more often than expected; please take a look at our TR-46 to get an idea of the number of data breaches affecting victims in Luxembourg.

Scam example

A sample scam is quoted below. While we have seen samples that differ slightly in some details, the overall message was the same.

I do know xxxxxx is your pass word. Lets get straight to the purpose. You don't know me and you're probably wondering why you are getting this mail? Neither anyone has paid me to investigate about you.

actually, I actually placed a malware on the 18+ vids (pornographic material) website and do you know what, you visited this website to have fun (you know what I mean). While you were viewing videos, your browser started out working as a Remote control Desktop with a keylogger which gave me accessibility to your display screen and web cam. Just after that, my software program gathered all of your contacts from your Messenger, Facebook, as well as emailaccount. After that I made a double-screen video. First part shows the video you were viewing (you have a nice taste lol . . .), and 2nd part shows the recording of your web camera, yeah its u.

You will have not one but two options. Lets review each one of these choices in particulars:

Very first option is to disregard this e-mail. In such a case, I am going to send out your actual tape to every bit of your contacts and thus just consider regarding the humiliation you will see. And consequently if you happen to be in an important relationship, exactly how it would affect?

Other choice would be to compensate me $7000. We will think of it as a donation. Then, I will promptly remove your video recording. You can keep on going everyday life like this never took place and you would never hear back again from me.

You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

BTC Address to send to: <bit coin address>
[CASE SENSITIVE copy and paste it]

Should you are planning on going to the cops, well, this mail cannot be traced back to me. I have taken care of my actions. I am also not attempting to ask you for so much, I only want to be rewarded. I have a specific pixel within this e-mail, and right now I know that you have read through this message. You have one day to make the payment. If I do not receive the BitCoins, I will definitely send your video to all of your contacts including close relatives, co-workers, and so on. Having said that, if I receive the payment, I'll erase the recording immediately. If you need proof, reply Yes! and I will certainly send out your video recording to your 15 friends. It is a nonnegotiable offer and so please do not waste my time and yours by responding to this email.

Fixing, remediation and mitigation

  1. Use a unique password for each online account, so that a data breach at one service does not expose your other accounts.

  2. If you receive this kind of scam, do not hesitate to contact CIRCL. We maintain a list of the BTC (Bitcoin) addresses within the MISP threat intelligence community operated by CIRCL.

  3. Delete the scam email. The attacker most likely does not have access to your computer.

  4. Teach others about what you have just learned.
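To support the triage and reporting steps above, the following added example (not CIRCL code, and not part of this advisory) shows how a mail gateway or helpdesk script can recognise the "I know your password" template and extract the Bitcoin address for sharing in MISP. The indicator phrases and the scoring threshold are constructed heuristics for this example; the sample email is a paraphrase of the template quoted above, and the address in it is the well-known Bitcoin genesis-block address, used purely as a known-valid Base58Check test vector, not as an attacker indicator.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_B58_INDEX = {c: i for i, c in enumerate(_B58)}

# Candidate tokens: a leading '1' or '3' followed by 25-34 Base58 characters.
_ADDR_RE = re.compile(r"\b[13][" + _B58 + r"]{25,34}\b")

# Phrases that together characterise the sextortion template.
# Constructed heuristic list for this example, not a CIRCL signature.
_INDICATORS = {
    "password_claim": re.compile(r"\b(your )?pass ?word\b", re.I),
    "webcam": re.compile(r"\bweb ?cam(era)?\b", re.I),
    "malware_claim": re.compile(r"\b(malware|keylogger|remote (control )?desktop)\b", re.I),
    "bitcoin": re.compile(r"\bbit ?coins?\b", re.I),
    "contacts_threat": re.compile(r"\b(send|spread) .{0,80}\b(contacts|friends|relatives)\b", re.I),
}


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes equal the first
    4 bytes of SHA256(SHA256(payload)). Rejects typos and truncated strings."""
    n = 0
    for ch in addr:
        if ch not in _B58_INDEX:
            return False
        n = n * 58 + _B58_INDEX[ch]
    # Each leading '1' encodes one leading zero byte of the payload.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(text: str) -> list:
    """Unique, checksum-valid legacy Bitcoin addresses, in order of appearance."""
    found = []
    for m in _ADDR_RE.finditer(text):
        candidate = m.group(0)
        if base58check_valid(candidate) and candidate not in found:
            found.append(candidate)
    return found


def analyse_email(body: str) -> dict:
    """Score the body against the template and collect the payment address as an IoC."""
    hits = sorted(name for name, rx in _INDICATORS.items() if rx.search(body))
    addrs = extract_btc_addresses(body)
    score = len(hits) + (2 if addrs else 0)
    return {
        "indicators": hits,
        "btc_addresses": addrs,
        "score": score,
        "likely_sextortion": score >= 4,  # threshold chosen for this example
    }


# Constructed sample, paraphrasing the template quoted in the advisory.
# The address is the Bitcoin genesis-block address, a known-valid test vector.
SAMPLE_EMAIL = """I do know xxxxxx is your pass word. I placed a malware on an adult website
and your browser started working as a Remote control Desktop with a keylogger
which gave me access to your web cam. I will send the video to all of your contacts.
Pay 0.5 Bitcoin to this address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
[CASE SENSITIVE copy and paste it]"""

if __name__ == "__main__":
    result = analyse_email(SAMPLE_EMAIL)
    print(result)
```

The Base58Check verification matters in practice: reporters frequently paste addresses with a missing or mistyped character, and an invalid address pushed into a shared MISP event would only generate noise for other analysts. Only checksum-valid addresses should be recorded as indicators.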

References

Classification

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version - 20180803