Recently many people have been receiving emails that put a new twist on an old email scam, one that makes the con considerably more believable to the recipient.
The spam message itself has been around for some time (with minor changes to wording, spelling and grammar), but the email now quotes, in the subject line and at the start of the message, a real password that has previously been used with the recipient's email address.
This type of message is known as a sextortion scam email. Until now the only thing that changed between variants was the Bitcoin address the recipient is told to pay to. This new variant instead begins with the line "<password formerly used by recipient> is your password."
The content of the message is below:
Subject: <YOUR REAL PASSWORD>
<YOUR REAL PASSWORD> is your password and now Let me get straight to the
point. You do not know me whereas I know you and you are probably
thinking why you’re receiving this e mail, correct?
I actually installed malware on sex vids (sex sites) & guess what, you
visited this porn web site to have pleasure (know what I mean?). And
while you were busy enjoying those videos, your internet browser
started out working as a RDP (Remote Computer) with a keylogger which
allowed me accessibility to your display as well as your camera
controls. Immediately after that, the software obtained all of your
contacts from social networks, and e-mail.
What did I do?
It’s simply your bad luck that I got to know about your misdemeanor.
Next, I put in more days than I probably should have exploring into
your life and prepared a split screen sextape. 1st half shows the
video you were viewing and next half shows the recording of your
webcam (it is someone doing inappropriate things). Honestly, I am
ready to delete details about you and allow you to get on with your
daily life. And I am going to provide you a way out which will achieve
it. Those two choices are either to ignore this e mail (not
recommended), or pay me 1 BTC.
What should you do?
Let’s investigate those two options in depth. First Alternative is to
turn a blind eye to my message. You should know what will happen if
you take this path. I will, no doubt send out your sextape to your
entire contacts including friends and family, coworkers, and many
others. It won’t help you avoid the humiliation your self will feel
when relatives and buddies find out your dirty videotape in their
inbox. Option 2 is to make the payment of 1 BTC. We will name this my
“confidentiality charges”. Lets see what will happen if you go with
this way out. Your naughty secret Will remain private. I’ll keep my
mouth shut. Once you you pay me my fees, You can freely keep your
routine life and family as if none of this ever happened. You’ll make
the payment via Bitcoins
Transfer Amount: 1 BTC
BTC ADDRESS IS: <ADDRESS REMOVED>
(You need to Remove * from this address then note it carefully)
Note: You now have one day in order to make the payment. (I have a
unique pixel in this e mail, and right now I know that you’ve read
this mail). If I don’t get the BitCoins, I will definitely send out
your video to all of your contacts including close relatives,
colleagues, and many others. nevertheless, if I receive the payment,
I’ll destroy the video immediately. If you really want evidence, reply
with “yes!” and I definitely will send out your sextape to your 6
contacts. It’s a non-negotiable one time offer, so do not waste my
personal time & yours by replying to this e mail.
We have recently been contacted by customers who have received a similar email. In every case, the password shown had previously been used for an online account registered to their email address. That password is the only genuine piece of information in the message: it comes from a breach record, not from malware on the recipient's computer or webcam.
It is likely the emails are generated by a script that takes email addresses (or usernames) and passwords leaked in a data breach of a popular website. A number of sites supplying stolen data list usernames, email addresses and passwords taken from such breaches. Websites such as Have I Been Pwned can be used to check whether your email address appears in a known data breach.
While the senders could have obtained lists from multiple breaches, the only pattern we have found so far is that everyone affected was included in the 2012 LinkedIn breach, in which around 164 million email addresses and passwords were exposed when the data surfaced four years after the breach took place.
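As an added example (not part of the original post), the following Python scorer picks out the three structural features of the message quoted above that a mail filter or SOC triage script can key on: the reused password in the subject and opening line, the Bitcoin address the victim is told to reassemble by removing the "*" characters, and a cluster of extortion vocabulary. The two sample messages are constructed for this example; the password is a placeholder and the Bitcoin address is made up and only checked for format, not checksum.

```python
import re
from email import message_from_string

# Structural features of the quoted message, used as scoring signals.
PASSWORD_OPENER = re.compile(r"^\s*(\S+)\s+is your password", re.IGNORECASE | re.MULTILINE)
# Legacy P2PKH/P2SH addresses are base58 (no 0, O, I, l): format check only, no checksum.
BTC_LEGACY = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Native SegWit (bech32) addresses.
BTC_BECH32 = re.compile(r"\bbc1[ac-hj-np-z02-9]{25,87}\b", re.IGNORECASE)
EXTORTION_TERMS = ("webcam", "sextape", "contacts", "bitcoin", "btc", "keylogger", "one day")

# Constructed sample modelled on the quoted email (placeholder password, made-up address).
SAMPLE_SCAM = """\
From: nobody@example.invalid
To: victim@example.invalid
Subject: hunter2

hunter2 is your password and now Let me get straight to the point.
I actually installed malware on sex vids & your internet browser started
working as a RDP with a keylogger which allowed me access to your webcam.
I prepared a split screen sextape. Pay me 1 BTC or I send it to your contacts.
You'll make the payment via Bitcoins
Transfer Amount: 1 BTC
BTC ADDRESS IS: 1Jq7*XyT4e5Kb9*mN2pR3sT6vW8*xY1zA2bC4
(You need to Remove * from this address then note it carefully)
Note: You now have one day in order to make the payment.
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = """\
From: accounts@example.invalid
To: victim@example.invalid
Subject: Invoice 1042

Hi, please find this month's invoice attached. Thanks.
"""


def message_text(raw):
    """Return (subject, plain-text body) for a raw RFC 822 message."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = [part.get_payload(decode=True).decode("utf-8", "replace")
                 for part in msg.walk() if part.get_content_type() == "text/plain"]
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return msg.get("Subject", "").strip(), body


def find_btc_addresses(text):
    """Undo the '*' obfuscation the scam tells the victim to reverse, then find addresses."""
    cleaned = text.replace("*", "")
    return sorted(set(BTC_LEGACY.findall(cleaned)) | set(BTC_BECH32.findall(cleaned)))


def score_message(raw):
    """Score one message; a total of 5 or more is treated as sextortion in this example."""
    subject, body = message_text(raw)
    opener = PASSWORD_OPENER.search(body)
    leaked = opener.group(1) if opener else None
    # The give-away of this variant: the same string as subject and as "X is your password".
    password_in_subject = leaked is not None and subject != "" and leaked == subject
    addresses = find_btc_addresses(body)
    terms = [t for t in EXTORTION_TERMS if t in body.lower()]
    score = ((2 if leaked else 0) + (2 if password_in_subject else 0)
             + (3 if addresses else 0) + (2 if len(terms) >= 3 else 0))
    return {
        "leaked_password": leaked,
        "password_in_subject": password_in_subject,
        "btc_addresses": addresses,
        "terms": terms,
        "score": score,
        "verdict": "sextortion" if score >= 5 else "clean",
    }


if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("clean", SAMPLE_CLEAN)):
        print(name, score_message(raw))
```

The extracted `leaked_password` is useful beyond filtering: it tells the help desk which credential the recipient must retire everywhere it was reused, and the deobfuscated address can be shared with other teams to cluster campaigns.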
Here are some things you can do to avoid becoming a victim:
- Never send compromising images of yourself to anyone, no matter who they are or who they say they are.
- Do not open attachments from people you do not know, and in general be wary of opening attachments even from those you do know.
- Use a different password for every service (a password manager makes this practical), change them on a regular basis, and change a password immediately if it appears in a known breach or is quoted in an email like this one. Enable two-factor authentication wherever a service offers it.
- Turn off and cover any webcam when you are not using it. Some laptops have a sliding tab that covers the webcam; if yours does not, a piece of opaque tape will do.
Most companies will contact you if your details have been compromised in a data breach, but there are also websites that list known breaches, which you can use to check whether a service you have used has been breached.
Sextortion, even an automated scam like this one, is a serious crime, and under no circumstances should you reply to the sender or send them any money. Further information on what to do if you have been affected can be found on the NCA website.
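The same breach-check idea applies to the password itself. As an added example, not from the original post, the script below uses the Pwned Passwords range endpoint of Have I Been Pwned, which lets you check a password against the breach corpus without sending the password or even its full hash: only the first five hex characters of its SHA-1 leave your machine, the server returns every hash suffix in that range with a count, and the comparison happens locally. `fetch_range` makes a real HTTPS request if you call it; the range response embedded below is constructed for the offline test, and its counts are made up rather than real figures.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Fetch the real range response over the network.

    Add-Padding asks the service to pad the response with dummy entries
    (count 0) so the size of the range does not leak to a network observer.
    """
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "sextortion-password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the corpus; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed response for the 5BAA6 range (the range that contains "password").
# The suffix on the second line is the real SHA-1 suffix of "password"; all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E2D4C53E85C22CEEA63F2A8E91CD1E6F64:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
1F0A3A2B4C5D6E7F8091A2B3C4D5E6F7A8B:2
"""


def offline_fetch(prefix):
    """Stand-in for fetch_range that serves the constructed response without any network access."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "a-much-longer-passphrase-nobody-leaked"):
        print(candidate, breach_count(candidate, fetch=offline_fetch))
```

If a password the scam quotes comes back with a non-zero count, treat it as burned everywhere it was reused; a count of 0 only means it is not in the corpus, not that it was never leaked.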