“I know your password” and other sextortion email scams are back. To make things worse, they have evolved from one-off, low-tech coercion emails to more sophisticated attacks, capable of bypassing spam filters.
“I Know Your Password”
Most sextortion email scams start the same. Often, the cybercriminal includes a password the victim may have used at some point in the past or possibly is still using. The criminal may also add other personal information, to appear more authentic and suggest they have more information than they actually do.
Next, the scammer reveals that he possesses photos or video recordings of the victim watching pornography or even engaging in sexual acts. Finally comes the threat: “Pay up or I will send these personal videos or images to all the contacts in your address list.”
Here are a few examples, straight out of my own inbox.
- “[…] is your password. You don’t know me and you’re thinking why you received this email, right? I placed malware on this website and guess what […]”
- “I am aware […] is your passwords. Lts get right to the pőint. No one has paid me tő chck you. You don’t know me ånd yőu ar probably thinking why yoũ ar gttİng this emåil?
i setũp å malware on the X vİdeo clips (pornographic matriål) web-sİt and do yőu know what […]”
- “Your ρassword is […] Ι knοw a loτ mοre τhηgs αbouτ yοu thαn τhατ. Hοw? Whιle you were wαtching the video, yοur web brοwser acτed as αn RDP (Remοte Desκtορ) aηd a κeylοgger, whιch ρroιded me αccess το yοur dιsplαy screen aηd webcam. Right αfter that, my sofτwαre gathered all your contacτs frοm yοur Messenger, Facebοok accounτ, and emαil αccounτ. […]”
Making Empty Treats
In most cases, the emails are empty threats. The cybercriminal may have obtained the victim’s password from a recent or old large-scale data breach. In subsequent emails, he may even reveal more personal information, such as your phone number or address. Again, it is likely that this information has been leaked, was up for grabs on the dark web or simply publicly available on the internet.
Nonetheless, it can be very intimidating. Especially when the threats increase in subsequent emails. And definitely if the password is indeed the victim’s, the victim has shared intimate videos or photos and/or has visited a website like pornhub, that offered new subscribers free premium accounts during the coronavirus crisis.
Some examples of these “follow-up e-mails”:
- “Do you really think this was some kind of a joke or that you can ignore me? I can see what you are doing. I have been observing you […]”
- “You think you are smarter and can disregard me? I you do not fund this bitcoin address within next 2 days I will […]
- “Yοu haνe 24 hοurs τo maκe the ραymeηt. (I hαve a uηιque ριxel wιthιn this email messαge, αηd rιght ηow I kηow τhat you have reαd thιs emαιl). If I don’t geτ τhe paymeηt […]
Bypassing Spam Filters
Sextortion emails are generally sent from automated Hotmail or Outlook email addresses, launched from botnets using compromised personal computers around the world. Most of the messages contain enough trigger words to be blocked by email spam filters. However, cybercriminals are finding new ways to bypass these barriers.
They may, for example, use Cyrillic characters throughout the message or disguise the message in a text-based image. This way, the email filter no longer recognizes the threat. Some emails only contain an attachment or use QR codes to bypass detection.
Sextortion campaigns seem to come and go in waves. Each time a threat is blocked, things quiet down a bit until a new threat emerges.
Unfortunately, sextortion and other types of email scams seem to especially prevail in the weeks leading up to major events, such as Valentine’s Day or the holiday season. Or in times of crisis, such as the one we are currently experiencing, when people across the globe are experiencing anxiety and economic hardship.
Low Success Rate, Still Costing Millions
The success rate of sextortion email scams is as low as 1 to 2%. However, cybercriminals are still creating millions of campaigns that cost relatively little time and effort to run. Most of the money is funnelled to exchanges, dark markets and cryptocurrency wallets tied to other criminal transactions.
According to the FBI’s 2019 Internet Crime Report, approximately 43,000 victims lost a combined figure of $100 million through digital extortion. The report does not define how many of these are sextortion scams.
Analysts from the technology company Sophos revealed that “millions of sextortion spam messages sent between September 1, 2019 and January 31, 2020 generated nearly a half-million US dollars in profits for internet criminals”.
And across the globe, the UK’s national reporting service, Action Fraud, has received close to 10,000 reports of sextortion in April 2020 alone.
What to Do?
The general advice is not to panic, do not reply to the email or click on any attachments or links, and to assess the situation. Victims can check if their email has been compromised at websites such as haveibeenpwned.com or dehashed.com.
If the password is still in use, it is important to secure these accounts asap. We have put together this ultimate guide to creating strong passwords to help users with this.
If you want to watch adult content, it is best to be aware of the privacy risks and to stay anonymous when online.