Author: Craig Taylor, Chief Information Security Officer, Neoscope

A recent spate of bogus sextortion blackmail e-mails is this month's cybersecurity blog topic. In this scheme, the scammer quotes an old password of yours, harvested from a breach dump on the dark web, to add credence to the claim that they have compromised your computer, recorded you watching pornography, and will release the recording unless you pay a bitcoin ransom.

Unlike real-world sextortion cases you may have heard about, such as revenge porn [1] or the misuse of sexts [2], this latest threat is 100% a hoax.

But How Could a Hacker have my Password?

The website https://HaveIBeenPwned.com is a legitimate and useful white-hat service. You can enter an e-mail address to see whether it appears in any of the more than 5 billion account records publicly disclosed in breaches at LinkedIn, Dropbox, Yahoo, and many others (its companion Pwned Passwords service lets you check a password the same way, sending only a fragment of the password's hash rather than the password itself). The unfortunate truth is that this is just the tip of the iceberg: many more e-mail and password pairs circulate on the “Dark Web”, in private forums where cyber-criminals sell them for profit. That is almost certainly where the sender of your sextortion e-mail found that “really old password” you barely remembered having!
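The password check that site performs can be scripted without ever handing your password to anyone. The following is an added example, not code from the original post or from Have I Been Pwned itself: it implements the Pwned Passwords range lookup (the public https://api.pwnedpasswords.com/range/<prefix> endpoint, which answers with SUFFIX:COUNT lines), so only the first five hex characters of the password's SHA-1 hash leave your machine and the match is made locally. The sample response, its counts and the helper names are constructed for the example; only the SHA-1 of the string "password" in it is real.

```python
"""Added example: check a password against Have I Been Pwned's Pwned Passwords
range API using its k-anonymity model.

Only the first five hex characters of the password's SHA-1 hash are sent; the
service returns every hash suffix it knows under that prefix, and the match is
made locally.  Parsing and matching run offline against a constructed sample
response; fetch_range() does the live lookup when you actually want one.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6.  Real responses
# carry hundreds of "SUFFIX:COUNT" lines; the counts here are made up.  The
# second suffix is the real SHA-1 suffix of the string "password".
SAMPLE_RANGE_PREFIX = "5BAA6"
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F:0
"""


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_prefix: str, range_body: str) -> int:
    """How many times the password appeared in breaches, per a range response.

    Raises ValueError if the response is for a different prefix, so a stale or
    mismatched response can never be mistaken for "not found".
    """
    prefix, suffix = sha1_split(password)
    if prefix != range_prefix.upper():
        raise ValueError(f"response is for prefix {range_prefix}, need {prefix}")
    # Padding entries (see the Add-Padding header) carry count 0: "not seen".
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (needs network): download the range for a 5-char prefix."""
    req = urllib.request.Request(
        RANGE_API + prefix.upper(),
        headers={
            "User-Agent": "pwned-password-check-example",  # hypothetical name
            "Add-Padding": "true",  # ask HIBP to pad the response size
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> int:
    """Live check; returns the breach count (0 means not seen)."""
    prefix, _ = sha1_split(password)
    return breach_count(password, prefix, fetch_range(prefix))


if __name__ == "__main__":
    import getpass

    # Offline demonstration against the constructed sample.
    print("offline sample:", breach_count("password", SAMPLE_RANGE_PREFIX, SAMPLE_RANGE_BODY))
    # Live check of a password typed at the prompt (never pass it on the command line).
    n = is_pwned(getpass.getpass("Password to check: "))
    print(f"seen {n} time(s) in known breaches" if n else "not seen in known breaches")
```

Read the password with getpass rather than as a command-line argument so it never lands in your shell history, and treat any non-zero count as a password to retire everywhere it is used, not only on the account where you first noticed it.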

In this sextortion scheme, the scammers mine the dark web for credential pairs (e-mail address and password) and mass-mail a message like the one below, crafted to induce panic and convince you to pay a bitcoin ransom to stop the supposed video from being sent to your contacts.

I do know, [password redacted], is your password. You do not know me and you are probably thinking why you are getting this e mail, correct?

Actually, I placed a malware on the adult videos (porno) website and do you know what, you visited this web site to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. After that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you’ve got a nice taste haha), and second part shows the recording of your webcam.

exactly what should you do?

Well, I believe, [insert various dollar amounts], is a reasonable price tag for our little secret.  You’ll make the payment via Bitcoin. (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: [redacted]

(It is cAsE sensitive, so copy and paste it)

Important:

You have one day to make the payment. (I’ve a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive payment, I’ll erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.

I’ve received a few nervous inquiries about this scam and whether hackers could really pull off such an attack. The answer is a resounding no, with 99.9% certainty. Technically, everything the e-mail claims (malware on a porn site, a keylogger, webcam capture, harvested contacts) could be done. But the password is the tell: an attacker who really controlled your computer and webcam would show you a screenshot or a frame of the video, not an old password that is already for sale in a breach dump, and would not need you to reply “Yes!” to prove it. The same message, word for word, goes to everyone whose credentials appear in the dump. The scam works because it strikes fear by presenting your old password on a topic you are not likely to discuss with anyone else.

Now that I know this is a Hoax, What should I Do?

A good response is to delete the message, never reply, never pay, and never give it another thought. The best response is to read my article on Passwords, Passphrases, and the importance of learning how to use a Password Manager [3], and then act on it: if the password quoted in the e-mail is still in use on any account, change it there immediately; adopt a password manager and passphrases; and replace every old password floating around the dark web with a long, random, unique password that the manager remembers for you. You’ll be more confident, secure, and productive!

For more articles on this topic see these online resources:

FBI Podcast: August 10th, 2018: Sextortion Reports on the Risk
https://www.fbi.gov/audio-repository/ftw-podcast-sextortion-scam-081018.mp3/view

KrebsOnSecurity: Sextortion Scam Uses Recipients’ Hacked Passwords:
https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/

Facebook Article: Scammer Witch: placing a curse on all scammers
https://www.facebook.com/The.Curse.Of.The.Witch/posts/sextortion-seems-to-be-on-the-rise-and-most-days-in-the-news-there-are-stories-a/709080232576984/

[1] https://en.wikipedia.org/wiki/Revenge_porn
[2] https://en.wikipedia.org/wiki/Sexting
[3] https://www.neoscopeit.com/2016/07/password-managers-modern-security-necessity/