Sextortion - A new use for previously hacked passwords
There are many old web sites and servers, long since abandoned, that are no longer of any use to their owners but are very valuable to scammers. These older sites, which are often easy to hack, contain a treasure trove of passwords linked to our old email addresses.
Although an old email address and password no longer get you into the web site they were lifted from, the information is still useful to a scammer.
Their latest stunt, which has become very common, is what’s being called 'sextortion'.
The hacker, armed with a huge number of email addresses and passwords, blasts out bulk spam emails using the following ploy:
If an email address is still valid and the message reaches the recipient, the potential trap is set. The message starts with some variation of "I'm a hacker and I have your passwords." The scammer then quotes the old, and probably obsolete, password that was lifted, which lends credence to the threats that follow (hopefully you are not still using the same password you used years ago).
The letter typically goes something like this:
It starts with the hook
“I’m aware that (the password is inserted here) is your password...
The rest is the scam
You don’t know me and you’re wondering why you received this email, right?
Well, I actually placed malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $(some dollar amount) is a fair price for our little secret. You'll make the payment via Bitcoin to the below address (if you don't know how to do this, just Google it).
BTC Address: (a Bitcoin address is inserted here)
You have 24 hours to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don't get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. Etc, etc etc."
End of scam--which can, potentially, leave you scared out of your mind.
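A defender-side heuristic for spotting the template above, written as an added example that is not part of the original article. The marker phrases, the scoring threshold, the sample messages, the password and the wallet address are all constructed assumptions; the point is that a match is declared only when several independent elements of the template co-occur, not on any single phrase.

```python
import re

# One regex per structural element of the template: the password hook, the
# malware/webcam claim, the video claim, the Bitcoin demand, the deadline, the
# tracking-pixel claim and the "send it to your contacts" threat.
MARKERS = {
    "password_hook": re.compile(r"\b(?:is|was) your password\b", re.I),
    "webcam_claim": re.compile(r"\b(?:webcam|keylogger|rdp)\b", re.I),
    "video_claim": re.compile(r"\b(?:split[- ]screen|video)\b", re.I),
    "btc_demand": re.compile(r"\b(?:bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*hours?\b", re.I),
    "pixel_claim": re.compile(r"\bpixel\b", re.I),
    "contacts_threat": re.compile(r"\b(?:all (?:of )?your contacts|relatives|coworkers)\b", re.I),
}
# Bitcoin address shapes: legacy Base58 (1... / 3...) and bech32 (bc1...).
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

def score_message(body: str) -> dict:
    """Report which template markers appear and whether, together, they look like the scam."""
    hits = [name for name, rx in MARKERS.items() if rx.search(body)]
    addresses = BTC_ADDRESS.findall(body)
    if addresses:
        hits.append("btc_address")
    # Require the password hook plus a literal wallet address, or the hook plus
    # three further markers; a lone word such as "video" is never enough.
    flagged = "password_hook" in hits and ("btc_address" in hits or len(hits) >= 4)
    return {"markers": sorted(hits), "addresses": addresses, "sextortion": flagged}

# Constructed samples, not real mail. The password and wallet address are made up.
SAMPLE_SCAM = (
    "I'm aware that hunter2 is your password. I placed malware on an adult site and\n"
    "your browser acted as a RDP and a keylogger, giving me your screen and webcam.\n"
    "I made a split-screen video. Pay $800 in Bitcoin to the address below.\n"
    "BTC Address: 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab\n"
    "You have 24 hours. I have a unique pixel in this email so I know you read it.\n"
    "Otherwise I send the video to all of your contacts, relatives and coworkers.\n"
)
SAMPLE_BENIGN_RESET = "Your password was changed. If this wasn't you, reset it within 24 hours.\n"
SAMPLE_BENIGN_MEETING = "Reminder: the video call on the Bitcoin treasury proposal is at 3 pm.\n"

if __name__ == "__main__":
    for label, body in [("scam", SAMPLE_SCAM), ("reset", SAMPLE_BENIGN_RESET),
                        ("meeting", SAMPLE_BENIGN_MEETING)]:
        print(label, score_message(body))
```

The two benign samples each trip one or two markers (a deadline, a mention of video or Bitcoin) but never the password hook, so neither is flagged.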
Clearly these emails are sent out via some sort of automated process, and it costs a hacker nothing to send out thousands of them. If even a small percentage of recipients pay, the rewards are great. While a scam like this is completely illegal almost everywhere, the risk of getting caught is very low, which makes it extremely lucrative and relatively risk free for the hacker.
Although this scam is still in its early stages, it is growing more sophisticated as hackers draw on recent data breaches to quote current passwords to the victim (rather than old ones) as proof of their claims.
As we’ve informed people for years, cameras and microphones in devices rely on software switches to turn them off. You can never be sure that this software switch has not been turned on, remotely, by someone else. Only the physical covering of cameras and removal of microphones can ensure you are not at risk - both now and in the future.