Many variations of so-called “Sextortion Scams” have been on the rise over the past few months. The inbox wildfire is fueled by past years’ data breaches, so much so that the FBI issued an alert. Some say “Same song, different singer” of this particular variation. But, truth be told, the scammers have found a clever way to get attention: victims zero in on panic rather than reason. The new twist in this con ignites a sense of urgency. Like so many other recent, viral phishing schemes, this one only needs a few dupes to be profitable.
Within the message, the scammer works to convince the recipient that they have been watched via webcam for over 4 months. The message then blackmails the victim, threatening to expose incriminating video files unless a hefty sum of Bitcoin is received. One email claimed:
“while you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account and email account.”
It also claims, “If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers and so forth.”
This approach is not new, and with only this much information you might expect to spot the scam quickly. However, keep reading.
What Causes Recipients to Worry Their Way Past Ridiculous Claims?
Research indicates that recipients of this email are NOT targeted because the attacker secretly knows of their hidden transgressions, and this campaign is known to alarm the most innocent of recipients. Why? Most phishing campaigns aim to steal your password, whereas this one leads with it. Email addresses and passwords indexed from previously known data breaches are the bait. Victims are shocked to see a password they legitimately created appearing in the email salutation. Even if the recipient knows they haven’t done anything incriminating, “[your name] – [one of your passwords]” in the subject line spooks them into panic mode. Panic mode often leads to rash decisions.
Where Did They Get Your Password?
It stands to reason that most of the passwords referenced in this sextortion campaign were pulled from one of the well-known data breaches of the past few years. For example, many recipients noticed the password referenced in the subject line was the same one leaked in LinkedIn’s massive 2012 data breach. To check if you have an account that has been compromised in a known data breach, visit https://haveibeenpwned.com/. Looking beyond what is currently identified, it is safe to assume more recent breaches have taken place. We just don’t know about them yet.
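Beyond checking an email address on the site itself, the same service exposes a Pwned Passwords lookup that lets you test whether a specific password appears in known breach dumps without ever sending the password, or even its full hash, to the server: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known hash suffix under that prefix to compare locally. The script below is an added example written for this article, not code from the site or its operators. It implements that client-side matching against a constructed, inline sample response (the counts are made up for the example), and includes an optional live fetch against the real `https://api.pwnedpasswords.com/range/` endpoint that is not called unless you opt in.

```python
import hashlib
import urllib.request

# Constructed sample of a range response, keyed by the 5-character SHA-1 prefix.
# Each line is "SUFFIX:COUNT". The suffix on the first line is the real remainder
# of SHA-1("password"); the counts themselves are invented for this example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    ),
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """Split a 40-char hex hash into the 5-char prefix sent and the 35-char suffix kept local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or not count.strip().isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password was seen in breaches (0 = not found).

    fetch_range(prefix) must return the raw text of a range response. Only the
    prefix leaves this function; the suffix comparison happens locally.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the network call, backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (only used if you opt in)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration using the constructed sample response.
    for candidate in ("password", "a long unique passphrase nobody reused"):
        seen = breach_count(candidate, sample_fetch_range)
        verdict = f"seen {seen} times" if seen else "not in sample"
        print(f"{candidate!r}: {verdict}")
```

To run it against the live service, pass `live_fetch_range` instead of `sample_fetch_range`; the password still never leaves the machine, only its five-character hash prefix does. A non-zero count means the password should be retired everywhere it was reused, which is exactly the remediation this article recommends.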
If You Receive the Email
- Don’t panic. The hacker is bluffing. He/she has not been recording your every keystroke.
- Change passwords right away! Contact your service desk, so all of your accounts can be reset immediately.
- Have your computer scanned for credential-stealing malware.
- Resist the temptation to reply. Even if you didn’t fall prey to the email, sending a nasty-gram back to the hacker only validates that they have made contact. This action will most likely ensure your email address will be used for future scams.
- Don’t pay! We have said it before and will again. Rewarding the extortionists grows the problem. Unfortunately, even if a hacker does have incriminating information on you, paying a ransom will not guarantee you are threat-free.
Preventive Advice for Counsel-Seekers
- Always be cautious when opening links and files that come via email, even when they appear to be sent from a known source.
- If you feel a strong sense to act quickly, be cautious. Most phishing scams are successful when folks fear dire consequences.
- If you are the type who uses the same password across multiple applications, implement a secure password manager.
- Take advantage of two-factor authentication whenever you can.
As you can imagine, there are countless ways these schemes can and will become more sophisticated, camouflaged and personalized, especially when so much data is known to have been leaked. Also, as mentioned above, these attacks are profitable and therefore likely to continue.