Demystifying “Sextortion” & Blackmail Scams

ClaireIfEye
@4iQ
Apr 28, 2020

Have you or a loved one received blackmail or “sextortion” emails lately? It’s frustrating, right?

Even though you know it’s fake, the fact that someone has personal information about you (like your real password and email) and is trying to use that to extort money with some vulgar scam is infuriating — at least it is for me. I received one a couple of weeks ago and it struck a chord of anger that a “stranger danger” email shouldn’t.

But here’s the thing: playing on fears, emotions and threatening people, especially now when we are all feeling vulnerable with the current pandemic, is just not cool. We have so many more important things (and people we love) on which to focus.

And this is not just a one-off occurrence. I reached out to my social networks to see if this is widespread, and sure enough, many people confirmed that they — or someone they know — have received these types of scams in the past five weeks.

So here we are. As we practice self-isolation, and maybe spend more time online than we normally do, we now have to process these fake (but could be partly true in some strange way?) threats in our minds.

We are reminded how the data breaches we hear about every day in the news affect us personally: scammers and malicious actors have somehow obtained our passwords and personally identifiable information (PII) and are now leveraging this stolen information in attempts to extort money.

Regardless of the fact that we are all trying to deal with our lives as best as we can during this crazy time, their “go-to” is to launch campaigns that exploit human emotions for financial gain. Nice.

So, let’s get back to that email. It’s probably the most basic tactic to leverage exposed emails and clear text passwords circulating from past data breaches.

The email, in all its glory, redacted.

The subject line includes my email and a previously used, clear text password. The scammer claims to have “infected my PC with a virus” and have recordings of me browsing “adult” sites. The email threatens that I have 24 hours to pay $1,000 to the provided Bitcoin address or they will send the video to seven, no wait, make that ALL of my contacts, which they claim they have. Because…the all-mighty virus.

The good news is that in checking the Bitcoin address (on blockchain.info), it appears that no transactions have been made and 55 reports of Bitcoin abuse were submitted.

Next, I checked the Bitcoin address details of the many sextortion scams forwarded to me from friends and family. Almost all of the email scams used an @outlook.com email address. Also, the sentences in these scams tend to be oddly worded and poorly written. (I used BitcoinAbuse.com for the screenshot below)

While most people get annoyed, roll their eyes and delete these blackmail e-mails, this is a numbers game. There will be a few people who fall for these low-level scams.

Out of the many sextortion scams forwarded to me by friends and family, one address received 0.270616 BTC, which equals $2,082.03 USD as of April 27, 2020. (see screenshot below)

You can file a report on Bitcoin addresses associated with blackmail threats and scams here.
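
As an added example (not from the original post), here is a small Python triage helper that collects the traits described above: the recipient's address in the subject line, the sender domain, a payment deadline, and any legacy-format Bitcoin addresses, with a Base58Check checksum test so only well-formed addresses are looked up or reported. The sample email and its address are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string
from hashlib import sha256

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy address shape only

def _checksum(payload):
    return sha256(sha256(payload).digest()).digest()[:4]

def b58check_encode(payload):
    """Used only to build the constructed sample address below."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr):
    """True if addr decodes to 21 payload bytes plus a matching 4-byte checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    if n >> 200:  # does not fit in 25 bytes, so not a legacy address
        return False
    raw = n.to_bytes(25, "big")
    return _checksum(raw[:21]) == raw[21:]

def triage(raw_email):
    """Collect the traits the article describes so the message can be reported."""
    msg = message_from_string(raw_email)
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    subject, to = msg.get("Subject", "").lower(), msg.get("To", "").strip().lower()
    found = sorted(set(BTC_RE.findall(body)))
    return {
        "recipient_in_subject": bool(to) and to in subject,
        "sender_domain": msg.get("From", "").rpartition("@")[2].strip("> ").lower(),
        "deadline": bool(re.search(r"\b\d+\s*(hours?|hrs?|days?)\b", body, re.I)),
        "btc_valid": [a for a in found if b58check_valid(a)],
        "btc_invalid": [a for a in found if not b58check_valid(a)],  # typo or decoy
    }

# Constructed sample: the address is derived from a fixed string, not from a real email.
SAMPLE_ADDR = b58check_encode(b"\x00" + sha256(b"constructed sample").digest()[:20])
SAMPLE_EMAIL = ("From: sender@outlook.com\nTo: victim@example.com\n"
                "Subject: victim@example.com : hunter2-old\n\n"
                f"You have 24 hours to pay $1,000 to {SAMPLE_ADDR} or I send the video.\n")

if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
```

Only addresses that land in `btc_valid` are worth checking against an abuse database; a checksum failure usually means the address was mistyped or mangled in forwarding.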

This trend isn’t just happening in the United States; the problem is global. Here’s an example from a friend living in Spain (the threat is poorly written in English):

Working at 4iQ, I am almost too aware of data breaches happening on a daily basis. We investigate, validate and report on breached data every day. In fact, I can probably accurately surmise that this scammer got my email and clear text password in the 1.4 billion clear text credentials trove our breach hunters found back in 2017. Same goes for many of the forwarded scam emails I received. Interesting to see this information run full circle.

Last year, 4iQ assessed that there are over 9 billion unique, real passwords exposed that circulated in underground communities. Our goal is to protect citizens, companies and organizations from malicious use of exposed PII and credentials.

To this end, my colleague, Alberto Casares, has created a grassroots, volunteer-based project to help with this rising problem by aggregating, investigating and reporting on these attempts. Please send your scam emails to report[.]email[.]threats@gmail[.]com.

He will even try to get back to you with some analysis and recommendations, as much as he is able.

Stay safe and sane, everyone.

Cheers!
