Sunday, July 22, 2018

Porn Extortion Email tied to Password Breach

(An update to this post has been made at the end)

This weekend I received an email forwarded from a stranger.  They had received a threatening email and had shared it with a former student of mine to ask for advice.  Fortunately, the correct advice in this case was "Ignore it."  But they still shared it with me in case we could use it to help others.

The email claims that the sender has planted malware on the recipient's computer and has observed them watching pornography online.   As "evidence" that they really control the computer, the email opens by quoting one of the recipient's former passwords.

They then threaten to release a video of the recipient, recorded from their webcam while they watched the pornography, unless they receive $1000 in Bitcoin.  The good news, as my former student knew, is that this is almost certainly an empty threat.   There have been dozens of variations on this scheme, but all of them rest on the idea that if someone knows your password, they COULD know much more about you.  In this case, the password came from a data breach at a gaming site where the recipient used to hang out online.  So, if you think to yourself "This must be real, they know my password!" just remember that there have been HUNDREDS of data breaches in which email addresses and their corresponding passwords were leaked.

(The website "Have I Been Pwned?" has collected over 500 Million such email/password pair leaks.  In full disclosure, my personal email is in their database TEN times and my work email SIX times, which doesn't concern me because I follow the proper password practice of using a different password on every site I visit.  Adobe, which asks you to register before downloading software, and LinkedIn are among the giants who have had breaches that revealed passwords.  One list circulating on the dark web has 1.4 BILLION userids and passwords gathered from at least 250 distinct data breaches.)
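If you want to know whether one of your own passwords is in a breach corpus like Have I Been Pwned's without sending the password anywhere, the Pwned Passwords service accepts only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix with that prefix, so the actual comparison happens on your own machine.  The Python below is an added example, not code from this post or from Have I Been Pwned.  It runs offline against a constructed range response (the suffixes other than the one for "password", and all of the counts, are made up for the example); the `fetch_range_live` helper uses the real endpoint and is only for use with a network connection.

```python
import hashlib
import urllib.request

# Real Pwned Passwords range endpoint; the caller appends a 5-hex-char prefix
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    fetch_range(prefix) must return the service's text body for that prefix:
    one 'SUFFIX:COUNT' line per known hash sharing the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint (network required; the service rejects
    requests without a User-Agent header)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "breach-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the live response to prefix 5BAA6.
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# suffix is the middle line; the other suffixes and every count are invented
# for this example.  Real responses have hundreds of lines per prefix.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
        "C2F6A8E3ACEC7CCE2C5B3F51E3B09D3C4A4:1",
    ]),
}


def sample_fetch_range(prefix: str) -> str:
    """Offline fetcher: a prefix with no entry yields an empty body (no matches)."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, sample_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To check against the live corpus, pass `fetch_range_live` instead of `sample_fetch_range`; only the five-character prefix is ever transmitted, so the check does not disclose the password being tested.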

Knowing that context, even if you happen to be one of the millions of Americans who have watched porn online, DON'T PANIC!  This email is definitely a fake, using knowledge of a breached password to try to convince you that they have blackmail material on you.

We'll go ahead and share the exact text of the email, replacing only the password with the word YOURPASSWORDHERE.

YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point. There is no one who has paid me to investigate you. You don't know me and you are most likely wondering why you are getting this mail?
In fact, I actually installed a malware on the X video clips (porn) web site and do you know what, you visited this site to experience fun (you know what I mean). When you were watching video clips, your browser initiated functioning as a RDP that has a key logger which provided me accessibility to your display screen and also cam. after that, my software obtained your entire contacts from your Messenger, Facebook, and email . After that I made a double-screen video. 1st part shows the video you were viewing (you've got a nice taste omg), and next part shows the view of your web cam, & its you. 
You have got not one but two alternatives. We will go through these choices in details:
First alternative is to neglect this email message. In such a case, I will send out your very own videotape to all of your contacts and also visualize about the embarrassment you will definitely get. And definitely if you happen to be in a romantic relationship, exactly how this will affect?
Latter solution is to compensate me $1000. Let us describe it as a donation. In such a case, I will asap delete your video. You can go forward your daily life like this never occurred and you surely will never hear back again from me.
You'll make the payment through Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google). 
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
If you are thinking about going to the law, well, this email can not be traced back to me. I have taken care of my moves. I am not attempting to charge a fee a huge amount, I simply want to be rewarded. You have one day in order to pay. I have a specific pixel in this e-mail, and now I know that you have read through this mail. If I do not receive the BitCoins, I will definately send your video to all of your contacts including family members, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the video right away. If you really want proof, reply with Yes & I definitely will send out your video recording to your 5 friends. This is the non-negotiable offer and thus don't waste mine time & yours by responding to this message.

This particular scam was first seen in the wild in December 2017, though some similar versions predate it.  Beginning in late May the scam kicked up in prevalence, and in the second week of July someone's botnet apparently started sending this spam in SERIOUS volume: there have been more than a dozen news stories about it in the past ten days alone.

Here's one such warning article from the Better Business Bureau's Scam Tracker.

One thing to mention is that, because Bitcoin transactions are public, the Bitcoin address lets us track whether payments have been made to the criminal.  It seems that this particular botnet is using a very large number of unique Bitcoin addresses.  It would be extremely helpful to this investigation if you could share in the comments section what Bitcoin address (the "BTC Address") was seen in your copy of the spam email.
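Before an address copied out of one of these emails is looked up on a block explorer, it is worth confirming that it was copied correctly: a legacy Bitcoin address ends in a four-byte checksum, so a typo, a truncated paste or an OCR error can be detected offline before anyone wastes time searching for it.  The Python below is an added example, not code from this post.  The address pattern, the Base58 alphabet and the Base58Check rule are Bitcoin's own; the email fragment is the one quoted above; the `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` address used in its self-check is the well-known genesis-block address.  It does not say whether any address has received payments, which needs a block explorer.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin: no 0, O, I or l, which is also why the
# scam email warns that the address is "CASE sensitive"
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy address: starts with 1 (P2PKH) or 3 (P2SH), 26-35 Base58
# characters.  This deliberately does not cover the later bech32 "bc1..."
# form; every address reported in this post's comments is a legacy "1..." one.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s: str) -> bytes:
    """Decode a Base58 string to bytes; raises ValueError on a non-alphabet char."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' in the string encodes one leading zero byte
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr: str) -> bool:
    """Base58Check validation: 1 version byte + 20-byte hash + 4-byte checksum,
    where the checksum is the first 4 bytes of SHA-256(SHA-256(version+hash))."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return expected == checksum


def extract_btc_addresses(text: str) -> list:
    """Unique candidate addresses in order of first appearance."""
    seen, out = set(), []
    for match in ADDR_RE.findall(text):
        if match not in seen:
            seen.add(match)
            out.append(match)
    return out


def triage(text: str) -> dict:
    """Map each candidate address found in the text to its checksum validity."""
    return {a: is_valid_legacy_address(a) for a in extract_btc_addresses(text)}


# Constructed fragment of the scam email; the address line is as quoted in the post
SAMPLE_EMAIL = """YOURPASSWORDHERE is one of your passphrase. Lets get directly to the point.
You'll make the payment through Bitcoin.
BTC Address: 192hBrF64LcTQUkQRmRAVgLRC5SQRCWshi[CASE sensitive so copy and paste it]
You have one day in order to pay."""


if __name__ == "__main__":
    for addr, ok in triage(SAMPLE_EMAIL).items():
        print(addr, "checksum OK" if ok else "INVALID (typo or truncated copy)")
```

An address that passes the checksum is at least a well-formed one that the scammer could actually receive funds at; one that fails was mis-copied and should be re-checked against the original email before being reported or searched for on a block explorer.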

As always, we encourage any victim of a cyber crime to report it to the FBI's Internet Crime Complaint Center by visiting ic3.gov.

Please feel free to share this note with your friends!
Thank you!

UPDATE!!!

The excellent analysts at the SANS Internet Storm Center have also been gathering Bitcoin addresses from victims.  In their sample so far, 17% of the Bitcoin addresses have received payments, totalling $235,000, so people truly are falling victim to this scam!

Please continue to share this post and encourage people to add their Bitcoin addresses as a comment below!

19 comments:

  1. This really was an ugly, threatening email. I got it Saturday morning, addressed to an old UAB alias email address I'd used in only one place, years ago - LinkedIn. Here's the Bitcoin address: 1US6tyTrabqsaBLjgsYnYLG72NCoxqZB5

  2. got the exact same email! here is the bitcoin address. BTC Address: 1FhDahmGn1xhWFjYVvaCMitCBQHqZHFNhN

  3. BTC address was: 1FCFMQTXMMYwoCPL5zyVsbbvxEKapn451E

    1. and a second email: 14Go1ptunSjFJV6sq5Myh3o2LVjEkTrzXx

  4. BTC Address: 1J6EiYhkrTvSavUDbBhNjhDeCqg9Rn198a

  5. BTC Address: 1J7wriCrgYtUFBx6ca1nEZnyMWZQXqSUX4

    Received 2018.07.24 05:41 UTC

  6. BTC Address 1Dn66PpTcfnvdSW9s35xde4eWHNnMwVTem

  7. BTC ADDRESS IS: 16XWRiNCTF9dMnKwjicEFVBNcfGoDYXdDh

  8. BTC Address: 1K5ijACerGgGZFbL984DZu1thfw1T1Exky

  9. from a neighbor:
    BTC Address: 15JyrpXeBYbueyBpP3QtfZeZQcmTKKsN6d

  10. got it today :)

    BTC Address: 1HBCWEh4gq95hMaR3QMu2SezpQokimvEjn

  11. Hi, same email
    BTC 19ohGfKV7teUoNUx231KCcHRKNQGm9MDWc

    amvinfe
    suspectfile.com

  12. so far NONE of those 12 Bitcoin addresses has had any financial transaction against them. Please keep them coming though . . .

  13. Same email this morning. Here is the Bitcoin address

    BTC Address: 15WU1unBAv1ueAJrM7DVmWkeSLPrWa9rn9

  14. 1CNHY7wmFV1uVhfYD1J45YS11j2kyCgqqt

  15. 1CNHY7wmFV1uVhfYD1J45YS11j2kyCgqqt

  16. Here's the BTC address: 1NDunAPWEV5K9fCqD85E8BZtR1wzRR8A7M

    Found this scam in my spam folder. They had an old password I used to use for websites I really didn't care about (Most Likely MySpace).

    A little sleuthing on clean-mx.com shows the scammer is using IP addresses in various countries. The sender was: Aaron931Smith@yahoo.jp, and I've seen multiple variations of this sender's address, but always using the formula: "Aaron[3 digit number]Smith"(at)yahoo.jp

    I really hope no one is actually paying these losers!

  17. I'm getting two a day for the past 4 days. Here's today's 191vR5vdaTNqkktJF8xYseNkpFu5BFanmq
    1JTpByaMZHMkjCz9oJDnRXwKPGX8qU7GdP

  18. BTC Address: 19fhoU6zAisuZPKLX6eGm3sAqYT4cE8p66


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.