I have been hearing about the recent wave of sextortion emails (these are not a new phenomenon) that many people are receiving, and I was feeling a little left out, as I hadn't received a single one from the new campaign... until the other day!
Here’s an edited screen shot of the sextortion email I finally received on the 11th of October, 2018:
It included not only my email address, but also what it claims are my user ID and password for the site they say I visited.
Let’s look at this in a bit more detail…
Should I be worried, panic, and pay up?
Of course not. Why?
- The credentials (user ID and password) are ancient; they were lifted in one of the many data breaches over the last 10 years.
- I don’t visit porn sites (yes, really!)
- There is NO video, it is all a bluff to get you to panic and pay up, just in case…
- I stopped using Facebook a while ago; in fact I closed my account and requested that all my data be deleted weeks ago (well before I got the sextortion email).
- I have been working in anti-malware and malware analysis for over 30 years, and I’m used to catching and analysing new malware; guess what, there is no malware on my systems (unless I put it there to analyse it, in a safe environment).
- There is NO tracking pixel in the email (it is pure plain ASCII text: no graphics, no HTML, no scripting, no risk), so they cannot tell whether you have received or read it (there isn't even a read-receipt request in the email).
- The Bitcoin address is not unique; it is used for the whole sextortion campaign, so they have no way to tell whether you have paid or not. This is how many modern ransomware attacks and DDoS extortion attempts work: they have no intention of giving you back your data or actually carrying out a DDoS attack. It is all about getting you to believe what they are telling you, so that they can make a lot of money by frightening you into paying up.
At the time of publishing this article, over 5 days had elapsed (so my pay up deadline had expired) and guess what happened?
NOTHING, NADA, ZILCH, etc.
Update 1st November, 2018: Well, I checked out the Bitcoin wallet this scammer was using; this wasn't a very profitable scam, as only two victims paid up, which is around 1,600 USD. A later variant of the scam I received managed to get thirteen victims to part with 700 USD each, netting around 9,100 USD.
I was at a conference last week and one of the delegates there approached me after my talk and showed me yet another variant of this scam; he was really concerned that his phone and system had been hacked (they hadn't). I analysed the email and found no trace of any beacon, malware or active content. This new scammer was more successful, as he/she was asking for 803 USD per victim and eighteen paid up, netting the scammer almost 14,500 USD.
Update 8th December, 2018:
More new campaigns, and a few of them are starting to get more Bitcoin payments, but others are getting almost nothing. Hopefully the word is getting out and fewer people are falling for this.
A new twist (but not an unexpected one): the sextortion scammers are now including links to booby-trapped sites/files that contain malware (mainly ransomware at the moment, but this will change). This means that clicking on ANY link in these sextortion emails is now far more dangerous; just delete the email or report it, and don't click on any links in it, not even the one on how to buy Bitcoin!
Here is a screen shot of the activity for a number of Bitcoin wallets that were involved in Sextortion scams:
I will continue to monitor these Bitcoin Wallets and investigate new versions of this scam; stay tuned!
Update 18th March, 2019
A new version has just started to circulate, this time claiming to be from the CIA accusing you of accessing child pornography, I’m naming this new variant “pextortion”, see the screen shot below of the version I received overnight:
Where you see (victim-email-address), that is the address the pextortion email was sent to.
You might want to add the following IP address to your blacklist: 188.8.131.52
Again, I am tracking the Bitcoin Wallet(s) linked to this new campaign. I’ll post updates if anything interesting happens.
Update 15th April, 2019
More new campaigns, with many of them using graphics (images of the text) instead of plain text; this is an attempt to bypass spam filters. I must have received over 50 of these new variants in the last few weeks. The problem for the scammers is that, because even the Bitcoin wallet address is now an image, the chances of anyone taking the time to transcribe it manually in order to pay are almost nil.
Here's a screenshot of one of the all-graphics versions (no plain text at all); as you can see, it uses my own email address as the sender, but that is simply spoofed:
I’m also seeing lots of versions with both plain text and graphics, including a QR code image!
There are also versions running around that have a password-protected ZIP file attached, supposedly with "proof" of your naughty activities inside. ZIP encryption only protects the file contents, not the directory, so you can see the folder and file names inside, but not the actual file contents. This is yet another smoke screen to make you believe the lies they are telling you.
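The checks behind the "Should I be worried" list (plain ASCII only, no tracking pixel, no read-receipt request, one wallet address reused across the campaign) and the points in the later updates (links that now lead to malware, a spoofed sender, a password-protected "proof" ZIP whose file names are visible but whose contents are not) can all be done mechanically on a saved .eml file before anyone clicks anything. The following is an added example in Python, not code from the original post: it uses only the standard library; the two sample messages, the example.invalid URLs, the "hunter2" password and the wallet address are constructed for the demonstration, and the "encrypted" ZIP is a normal archive with the encryption flag bit set by hand, because zipfile cannot write real encrypted archives.

```python
"""Offline triage of a suspected sextortion email saved as .eml.

Added example, not code from the original post. Standard library only.
The sample messages, URLs, password and wallet address are constructed;
the header names, ZIP header layout and Bitcoin address format are real.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Legacy (1.../3...) and bech32 (bc1...) address shapes; Base58 has no 0, O, I or l.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IMG_RE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
# Headers that ask the mail client to tell the sender the message was opened.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "X-Confirm-Reading-To")

# Syntactically valid legacy address, constructed for the example (not a real wallet).
FAKE_BTC = "1SexTort1onExampLeAddr" + "X" * 12

# Constructed sample 1: the plain-text variant, nothing but ASCII.
SAMPLE_PLAIN = f"""From: nobody@example.invalid
To: victim@example.com
Subject: victim@example.com
Content-Type: text/plain; charset="us-ascii"

I know your password is hunter2 and I recorded you through your webcam.
Send 700 USD to {FAKE_BTC} within 48 hours or the video goes to your contacts.
""".encode()


def constructed_encrypted_zip() -> bytes:
    """Constructed 'proof.zip'. zipfile cannot write encrypted archives, so the entry
    is stored in clear and the encryption bit (general-purpose flag bit 0) is set by
    hand in the local header (offset 6) and the central directory header (offset 8).
    zipfile then refuses to extract it without a password; the names stay readable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("proof/video_of_you.mp4", b"there is no video")
    data = bytearray(buf.getvalue())
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        data[data.find(signature) + flag_offset] |= 0x01
    return bytes(data)


def constructed_html_sample() -> bytes:
    """Constructed sample 2: the later variants. HTML with a 1x1 remote image
    (tracking pixel), a 'how to buy bitcoin' link, a read-receipt request, a
    spoofed From: (the victim's own address) and a password-protected ZIP."""
    msg = EmailMessage()
    msg["From"] = "victim@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your account was hacked"
    msg["Disposition-Notification-To"] = "nobody@example.invalid"
    msg.set_content(f"Pay 803 USD to {FAKE_BTC}.")
    msg.add_alternative(
        f"<html><body><p>Pay <b>803 USD</b> to {FAKE_BTC}.</p>"
        '<p><a href="https://example.invalid/buy-bitcoin">How to buy bitcoin</a></p>'
        '<img src="https://example.invalid/open.gif?id=42" width="1" height="1">'
        "</body></html>",
        subtype="html",
    )
    msg.add_attachment(constructed_encrypted_zip(), maintype="application",
                       subtype="zip", filename="proof.zip")
    return msg.as_bytes()


def list_zip_entries(data: bytes) -> list:
    """Names and sizes from the central directory only, never the contents.
    ZIP encryption covers file data, not the directory, so the names of a
    password-protected 'proof' archive are visible without any password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [{"name": zi.filename, "size": zi.file_size,
                 "encrypted": bool(zi.flag_bits & 0x01)} for zi in zf.infolist()]


def triage(raw: bytes) -> dict:
    """Report everything that could phone home, carry a payload, or serve to
    track the campaign. Nothing is fetched, rendered or extracted."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {
        "content_types": [],
        "receipt_request": [h for h in RECEIPT_HEADERS if h in msg],
        "remote_images": [],
        "urls": set(),
        "btc_addresses": set(),
        "attachments": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        report["content_types"].append(ctype)
        if part.is_attachment():
            entry = {"filename": part.get_filename(), "content_type": ctype}
            if ctype == "application/zip":  # only the directory is read
                entry["zip_entries"] = list_zip_entries(part.get_payload(decode=True))
            report["attachments"].append(entry)
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content()
            report["urls"].update(URL_RE.findall(body))
            report["btc_addresses"].update(BTC_RE.findall(body))
            if ctype == "text/html":
                report["remote_images"].extend(IMG_RE.findall(body))
    report["urls"] = sorted(report["urls"])
    report["btc_addresses"] = sorted(report["btc_addresses"])
    report["plain_text_only"] = report["content_types"] == ["text/plain"]
    # Inert: nothing that reports back when opened and nothing to click or unpack.
    report["inert"] = not (report["receipt_request"] or report["remote_images"]
                           or report["urls"] or report["attachments"])
    return report


if __name__ == "__main__":
    for label, raw in (("plain", SAMPLE_PLAIN), ("html+zip", constructed_html_sample())):
        print(label, triage(raw))
```

The plain-text sample comes back inert with just the wallet address extracted (that address is what you would then look up on a block explorer to see who has paid); the HTML sample is flagged on all four counts, and the ZIP listing shows the file name "proof/video_of_you.mp4" with the encrypted bit set, which is all the scammer wants you to see. The address regex only checks the shape of the string, not its checksum, so treat it as a candidate list for manual confirmation.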
However, this is a growing crime wave and victims do fall for it; look at the statistics below to see how bad it can be, and what you should do if you receive such a threat:
- What is sextortion?
– Being blackmailed by cyber-criminals that claim they have got hold of explicit material of you or one of your children, including: Photos, Video, Chat, Text messages, etc.
- How common is it and who are the main victims?
– 1,304 reported cases in 2017, up from 428 in 2015, although the real number is likely to be significantly higher, as many of these crimes go unreported. These figures are for the UK alone; the scam itself is global.
– The target is usually male, in his teens or twenties, although some girls have also been targeted.
- How do they work?
– Victims are usually groomed for weeks/months before the blackmail attempt.
– Often this happens via fake social media accounts or via targeted phishing emails.
– Occasionally this may start with a video call, such as via Skype.
– Many are just scams, they have no data/video of you or a family member.
- What should you do?
– Don’t Panic.
– Don’t Pay.
– Call the Police (sextortion is a criminal act). It is a form of blackmail.
– Don’t contact the blackmailers (stop all communication).
- What are the costs?
– Amounts requested vary, but typically between £300 and £3,000 is asked for.
– At least 5 males have taken their own lives due to being a victim of this type of blackmail/extortion
Stay safe and educate yourself about the risks and ways to reduce your own attack surface; that will make it harder for the Bad Guys n Girls to succeed.