An emerging fraud scheme combines password reuse and fear to extort money from victims.
Rather than actually stealing evidence of embarrassing activity, these schemes present victims with genuine passwords taken from earlier breach dumps as false evidence of compromise. Because the password is familiar, and very possibly still in use elsewhere, it convinces victims that their most private online activity has been surveilled and recorded through the combination of methods the attacker describes.
The methods as described are rarely technically accurate, but to a typical victim unfamiliar with cyber security their plausibility is what matters, not their accuracy. In truth, there are no recordings of private behavior, and the methods described are inaccurate or dubious.
Our analysts have nevertheless observed real examples of these schemes, and they are often successful, because they need only play upon the victim's fear of embarrassment to work.
The ruse below is a real example that was delivered to a victim via e-mail:
Let’s get straight to the point. I know Domino1 is your password. More importantly, I know about your secret and I’ve proof of your secret. You do not know me and no one paid me to check out you.
The e-mail goes on to describe in detail how the attacker supposedly gathered information on the victim. The attacker claims that the victim's web browser began operating as a remote desktop (RDP) session with a keylogger, which supposedly gave the attacker access to the victim's display and webcam, and therefore to video of embarrassing activity, while an unspecified piece of malware harvested the victim's Facebook and e-mail contacts:
It’s just your bad luck that I came across your misdemeanor. In fact, I placed a malware on the adult vids (sex sites) and you visited this website to experience fun (you know what I mean). While you were busy watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) having a keylogger which provided me with accessibility to your display as well as webcam. After that, my software program obtained your complete contacts from your fb, and mailbox.
The scammer then demands payment of $2,900 and warns that any complaint to the police will fail because of the steps the scammer claims to have taken to remain untraceable. The scammer provides a bitcoin address for payment, with one character replaced by an asterisk that the victim is told to remove (presumably so the address does not match simple pattern-based filters), and instructs victims unfamiliar with bitcoin to search Google for how to buy bitcoins. Our analysis found that no funds had been sent to this particular bitcoin address at the time of writing.
Option 1 is to ignore this message. You should know what will happen if you pick this path. I will send out your video recording to your contacts including relatives, colleagues, and many others. It doesn’t save you from the humiliation your household will face when family and friends learn your dirty videos from me.
Option 2 is to send me $2900. We’ll name this my “confidentiality fee”. I will explain what happens if you opt this path. Your secret will remain your secret. I’ll destroy the video immediately. You move on with your routine life like nothing ever happened.
Now you must be thinking, “I will complain to the police”. Let me tell you, I have taken steps in order that this mail can’t be tracked back to me and it won’t steer clear of the evidence from destroying your lifetime. I am not looking to break your bank. I just want to get paid for time I place into investigating you. Let’s assume you have chosen to produce pretty much everything disappear completely and pay me the confidentiality fee. You will make the payment through Bitcoin (if you do not know how, type “how to buy bitcoins” in google)
Transfer Amount: $2900
Bitcoin Address to Send: 1A4ourztkWk*nHQpHwVC9gzAXB1ome4UgCk ( You must Edit * from this string then note it)
In reality, the methods as described are technically inaccurate. It is unlikely that an actor could infect any one adult website in particular with the express purpose of entrapping an individual victim, and a web browser does not turn itself into a remote desktop server. In addition, a keylogger is a program that covertly records keystrokes; it does not by itself provide access to external devices such as a display or a webcam.
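Because the only verifiable artifacts in such an e-mail are the claimed password, the demanded amount and the (lightly obfuscated) bitcoin address, a mail gateway or SOC analyst can triage these messages mechanically. The following is an added example, not code from the original article: it extracts those indicators from a constructed message modelled on the e-mail quoted above, strips the asterisk-style obfuscation from the payment address, and confirms the result is a real Base58Check-valid legacy bitcoin address before counting it as an indicator. The sample e-mail is constructed; its bitcoin address is the public Bitcoin genesis-block address with an asterisk inserted, used only because it is a syntactically valid address unconnected to this campaign.

```python
import hashlib
import re

# Constructed sample modelled on the e-mail quoted in the article. The address is the
# public genesis-block address with a '*' spliced in, not the campaign's real address.
SAMPLE_EMAIL = """Let's get straight to the point. I know Domino1 is your password.
While you were busy watching video clips, your internet browser initiated
operating as a Rdp having a keylogger which provided me with accessibility to
your display as well as webcam.
Option 2 is to send me $2900. We'll name this my "confidentiality fee".
Transfer Amount: $2900
Bitcoin Address to Send: 1A1zP1eP5QGefi2DMPTfT*L5SLmv7DivfNa ( You must Edit * from this string then note it)
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# A run of base58 characters starting with 1 or 3, allowing the junk characters
# (* - .) that scammers splice in so that naive address regexes miss the string.
CANDIDATE_RE = re.compile(r"(?<![1-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z*\-.]{25,45}")
PASSWORD_RE = re.compile(r"I know (\S+?) is your password", re.IGNORECASE)
AMOUNT_RE = re.compile(r"\$\s?(\d[\d,]*)")


def normalize_candidate(token: str) -> str:
    """Drop every character that is not in the base58 alphabet (undoes the '*' trick)."""
    return "".join(c for c in token if c in B58_ALPHABET)


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * pad + raw


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check validation for legacy P2PKH (1...) and P2SH (3...) addresses:
    version byte + 20-byte hash + 4-byte checksum = double-SHA256(version+hash)[:4]."""
    if not (26 <= len(addr) <= 35) or any(c not in B58_ALPHABET for c in addr):
        return False
    data = b58decode(addr)
    if len(data) != 25 or data[0] not in (0x00, 0x05):
        return False
    payload, checksum = data[:21], data[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(text: str) -> list:
    found = []
    for m in CANDIDATE_RE.finditer(text):
        addr = normalize_candidate(m.group(0))
        if is_valid_btc_address(addr) and addr not in found:
            found.append(addr)
    return found


def triage(text: str) -> dict:
    """Score an e-mail against the indicators seen in this campaign. Thresholds are
    this example's own choice, not a published rule."""
    claimed = PASSWORD_RE.findall(text)
    addresses = extract_btc_addresses(text)
    amounts = sorted({int(a.replace(",", "")) for a in AMOUNT_RE.findall(text)})
    lowered = text.lower()
    keywords = [k for k in ("webcam", "keylogger", "rdp", "video", "bitcoin") if k in lowered]
    score = int(bool(claimed)) + int(bool(addresses)) + int(bool(amounts)) + int(len(keywords) >= 2)
    return {
        "claimed_passwords": claimed,
        "btc_addresses": addresses,
        "amounts_usd": amounts,
        "keywords": keywords,
        "score": score,
        "verdict": "likely sextortion scam" if score >= 3 else "inconclusive",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The extracted, de-obfuscated address is what you would feed to a blockchain explorer to check, as the article's analysts did, whether any victim has paid; the claimed password is what you would hand to the breach-lookup step rather than treating it as proof of a live compromise.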
Despite the scheme's reliance on fear of embarrassment to extort funds, the scam requires no access to the victim's webcam or personal files. By showing victims a password they have actually used, scammers convince them that the attacker must have access to every service they use, and where the password has been reused, the victim has no easy way to tell which accounts are really at risk.
In the case of sextortion attempts, obtaining a previously compromised password is as easy as purchasing a block of e-mail and password combinations from a darknet market or directly from an established threat actor. Scammers can also use credential-stuffing tools such as Sentry MBA to replay leaked combinations against targeted web interfaces and mobile applications and harvest the ones that still work.
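The practical check for a recipient, or for an analyst handling a flood of these e-mails, is whether the quoted password is simply present in a public breach corpus. That check can be done without disclosing the password by using a k-anonymity range lookup: the client hashes the password, sends only the first five hex characters of the SHA-1, receives every suffix under that prefix, and matches locally. The following is an added example, not code from the original article or from any breach-lookup service: it simulates both sides of that exchange over a constructed breach corpus (the passwords and counts are made up, with "Domino1" taken from the quoted e-mail), in the same SUFFIX:COUNT line format that the Pwned Passwords range API returns. The one function that would contact the real endpoint is included for reference but is not called.

```python
import hashlib
import urllib.request

# Constructed stand-in for a breach corpus. Counts are invented for this example;
# "Domino1" is the password quoted in the scam e-mail above.
CONSTRUCTED_BREACH_CORPUS = {
    "Domino1": 37,
    "password": 3730471,
    "qwerty": 3912816,
    "letmein": 2,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Server side: index each SHA-1 by its first five hex characters."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def serve_range(index: dict, prefix: str) -> str:
    """Server side: answer a range query with 'SUFFIX:COUNT' lines, CRLF separated.
    The server never learns the full hash, let alone the plaintext password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return "\r\n".join(
        f"{suffix}:{count}"
        for suffix, count in sorted(index.get(prefix.upper(), {}).items())
    )


def pwnedpasswords_range(prefix: str) -> str:
    """The real endpoint, https://api.pwnedpasswords.com/range/<prefix>.
    Included for reference only; this example never calls it, so it runs offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_query) -> int:
    """Client side: disclose only the 5-character prefix; match the suffix locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for pw in ("Domino1", "correct horse battery staple"):
        n = breach_count(pw, lambda p: serve_range(index, p))
        print(f"{pw!r}: seen {n} time(s) in the constructed corpus")
```

A hit means the scammer's "proof" is explained by an old breach and the only real action item is to rotate that password everywhere it was reused; it says nothing about whether the recipient's machine or webcam was ever touched.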
Judging by the numbers, recent sextortion scams have proven successful. According to Netherlands-based security researcher "SecGuru," this particular scam had been in circulation for only about a month when over 150 people had already fallen victim to it, yielding over $250,000 for the scammers. It is critical to note that these profits are not the result of any actual compromise of the victims or genuine blackmail material: threat actors need only present the victim with plausible evidence that he or she has been compromised.
The unfortunate success of this scheme and others like it highlights the broader problem of password reuse among typical internet users. Considering that nearly half of leaked user accounts resulted from password reuse, compromising multiple accounts belonging to a single identity is easier than ever.