Online frauds are quickly gaining traction among cybercriminals. The primary reason is that manipulating humans is much easier than exploiting software or hardware flaws. Although the success rate of Internet scams is low compared to the efficiency of sure-shot attacks relying on zero-day vulnerabilities, the simplicity of pulling them off is a lure that eclipses all the drawbacks.
A hoax dubbed sextortion (sex + extortion) is a dynamically growing vector of this abuse. Having debuted in 2018, it acts upon a victim’s natural commitment to avoiding embarrassment.
This technique mostly involves an email saying that a hacker has infiltrated the recipient’s device and captured a webcam video of the person watching adult videos. The bluffer threatens to upload this footage to a publicly accessible site. To prevent this from happening, the user is instructed to pay a ransom.
There are several mainstream techniques in sextortion scammers’ portfolios. Whereas they all follow basically the same logic, the themes of these fraudulent messages vary. Here is a summary of all these tricks known to date.
A Hoax Fueled by a Real Data Leak
A scam wave that broke out in July 2018 became the progenitor of this nasty trend. Its operators spawned a slew of spam emails stating that a malicious program has polluted the recipient’s computer when they were watching X-rated content. To add an extra techy element to the deceit, the felons mentioned an unsecured Remote Desktop Protocol (RDP) connection as an entry point to install a keylogger onto the system.
An additional catch was that the attackers claimed to have accessed the user’s screen, webcam, and the list of contacts from social networks and messenger applications. The unscrupulous senders additionally mentioned that they had tailored a two-screen video, where the first part rendered the adult content being watched and the second one showed what the user was doing in the meanwhile.
To keep these materials from being sent to the victim’s contacts, the scammers demanded about $3,000 worth of Bitcoin. The video would supposedly be leaked in 24 hours in case of non-payment.
Interestingly, the treacherous email also included the recipient’s real password for one of the web services they used. These details were intended to add some plausibility to the fraud. The truth is, though, that these credentials ended up on the Dark Web as a result of a data breach perpetrated in the past. Whereas the user could safely ignore this email, they had to immediately change the password if it were still in use.
EternalBlue Exploit as Part of the Scare Tactic
A newer hoax complements the classic sextortion logic with a little bit of spoofed technical sophistication. The email mentions that the user’s machine has been hacked via an exploit codenamed EternalBlue, the one that backed the WannaCry ransomware disaster in 2017. This way, the felons could allegedly deposit a Remote Access Trojan (RAT) onto the recipient’s system behind the scenes.
Here is some wiki knowledge on the subject: EternalBlue was created by the NSA and eventually fell into the wrong hands. It parasitizes security flaws in SMBv1 communication protocol to enable zero-click, or “interactionless,” attacks.
The scammers’ false claims about the use of this exploit make their story more persuasive and impose additional pressure upon victims. The email says that the RAT allowed the hackers to create an incriminating video of the user. To keep it from being leaked into the public, the person is instructed to pay $600 in Bitcoin.
As is the case with the above-mentioned stratagem, the message lists a password for one of the recipient’s web accounts. The source of this information is a database of dumped credentials stemming from a past data breach.
ZIP archives with Fake Evidence Inside
In another scam wave, malefactors embed a password-protected archive into the email. It supposedly includes evidence of the contamination plus an embarrassing video of the victim. The ZIP archive, when opened, shows a few files that the fraudster has purportedly obtained. Their names are Contacts.txt, Camera-Vid.avi, and Screenshot.jpg. To view the contents of these items, the user is supposed to buy the archive password for a $50 fee.
Email That Appears to Be Sent from Your Hacked Account
To make their messages look trustworthy, some fraudsters use a malicious mechanism known as email spoofing. It allows them to forge the recipient’s email address so that it appears valid in every detail. This trick is used to hoodwink a user into thinking the sextortion email comes from their own account that the crooks have allegedly accessed.
Early frauds of this kind exploded into the wild in the Netherlands in October 2018. Later on, the stratagems spread across the world. The email subject includes the target user’s real email address and mentions a 48-hour deadline for payment.
The rest of the message follows the well-trodden sextortion path. It says a piece of malware allowed the hacker to capture a video of the person during their naughty online pastime. To keep these materials secret, the ne’er-do-well asks for a ransom amounting to $800-$1,000 in cryptocurrency. The good news is, the compromise never actually took place, so the email can be disregarded and deleted without a second thought.
A Plot Featuring a Double-Dealing CIA Agent
Another sextortion hoax in active rotation deviates from the conventional scheme in several ways. The hook revolves around false accusations of storing and distributing child pornography. Furthermore, the scammer passes himself off as a CIA employee, namely a “technical collection officer.” The message includes the purported case number to add a hue of legitimacy to the ruse.
The rogue email says the evidence of the recipient’s misdemeanor was collected as a result of an international law enforcement operation. The pseudo-agent offers to erase the user’s profile from the list of suspects for $10,000 worth of Bitcoin.
Sextortion Used as a Decoy in a Malware Campaign
An unordinary wave of online fraud took root in March 2020. It uses sextortion-style bait to plague victims’ computers with an info-stealing Trojan called Raccoon. The scammers’ story is as follows: they tried to extort money from the recipient’s friend or co-worker but failed. The target allegedly refused to negotiate with them and pay for keeping nude photos of his girlfriend secret. Therefore, the hackers claim to be carrying through with their threats and sending these images to the victim’s contacts.
If the user falls for it and opens the Word attachment, the pics in this document turn out to be blurred and a pop-up recommends enabling macros to see the materials properly. Once macros are turned on, a surreptitious script kicks off and downloads the Raccoon malware from a remote server. The infection then amasses the victim’s sensitive information and sends it back to its operators.
Bluff Combined with Real Feed from Cameras
In January 2020, security analysts stumbled upon another offbeat hoax that instructs victims to log into multiple email accounts to find out what evidence the felons have. At the first stage of the brainwashing, a message says the hackers have recorded an embarrassing video of the user with the smartphone camera. To see some proof, the victim is instructed to sign into a specific email account using credentials listed in the original message.
If the person gets on the criminals’ hook and accesses the rogue account, they are told to open an email tagged “READ ME”. It includes a hyperlink leading to a web page that displays a live feed from connected Nest cameras in random public places. Whereas this clever trick adds a bit of extra persuasiveness to the felons’ narrative, the feed is fetched from the official site of Nest, the company that produces these cameras.
The landing page with embedded streaming videos additionally contains a ransom message and the scammers’ contact information. Ultimately, the user is told to pay $800 worth of Bitcoin within four days, otherwise, the NSFW materials will be leaked via an adult site. The whole complexity of this extortion scheme is probably aimed at demonstrating that the fraudsters are competent hackers. In fact, though, they are simply crafty swindlers.
A Surreal Mix of COVID-19 and Sextortion
An extremely weird scam campaign was spotted in April 2020. Its operators complement the usual sextortion repertoire with physical threats. In addition to false claims about the possession of incriminating adult content featuring the user, the malefactors use a strange scare involving the novel coronavirus. If the user refuses to cough up the ransom, they threaten to infect their family with COVID-19, no matter how odd it may sound.
One more thing that makes this incredibly bizarre campaign unique is that the criminals demand a huge ransom for not fulfilling their absurd threats. It amounts to $4,000 worth of Bitcoin. Also, the 24-hour payment deadline is unusually short.
Similarly, to some of the counterparts, the email includes the password that the recipient has used in the past. Again, the source of this information is a data breach that may have taken place years ago. The silver lining in this whole story is that the crooks went too far with their claims, and the outright nonsense dramatically reduces the likelihood of users falling for the fraud.
The Bottom Line: Do not Be Gullible
Every sextortion attempt is all bark and no bite. It is laced with bluff and a good deal of pressure. Such attempts are not harmful like ransomware extorsion viruses. The above rundown of the mainstream shady schemes should help you identify these giveaways in a snap. If you receive one of these emails, here are a few extra tips:
- Do not pay. It is a waste of money. Plus, it will encourage the black hats to move on with their dirty business.
- Do not be afraid. Keep in mind that the malefactors have no naughty content about you. Their story is a lie, period.
- Do not reply. Although you may want to reach out to the bad guys to err on the side of caution about your personal life, or just out of curiosity, you would be better off avoiding this. When contacted, criminals will do their best to scare you further and make you slip up.
Spread the word about the scam. Post the sextortion email on security forums so that other people know it is a scam when they receive it.
An additional recommendation is to change your password if it is listed in the fraudulent message and you are still using it. To enhance the security of your login practices, consider using a password manager. It may also be worthwhile to enable two-factor authentication (2FA) on your accounts.
Also, do not underestimate the power of spam filters provided by your email service. Update their settings to make sure they can identify the latest scams and prevent such messages from ending up in your inbox.