CYBER BLOG: Sextortion Scams

Recently there has been a reported increase in the number of ‘sextortion’ scams doing the rounds. Typically, the attacker sends an email to a potential victim claiming to have placed malicious software on their computer and to know that they have been visiting various pornographic websites. Not only that, but the attacker claims to have recorded a video through the victim’s webcam and threatens that, unless a certain amount of money is paid, usually in Bitcoin, the video and a list of the websites the victim has supposedly visited will be sent to all of their contacts.

The attacker is hoping that the victim will be panicked into paying the ransom in order to prevent any future embarrassment. Since July it would appear that someone has taken this extortion scam a stage further. Instead of a blanket email sent to everyone, the attacker is now sending more personalised emails with essentially the same message. To add credibility, the attacker claims to have ‘cracked’ the victim’s email account about six months ago and, as proof, shows the victim their email address and a password that they have used at some point. This is supposed to convince the victim that the attacker is genuine. The attacker also makes it look like the email has been sent from the victim’s own email address. From there the scammer continues with the usual sextortion script, demanding a payment of $833 in Bitcoin and providing a Bitcoin address to pay the money to.

From looking at the address provided in one of the emails that I have seen, it is plain to see that plenty of people are willing to pay the attacker in order to avoid embarrassment. However, the chances are that the victim has not actually been compromised.

Firstly, it is very easy to ‘spoof’ an email address so that it appears to come from whoever you want. But how does the scammer know the password? There are two possibilities. The first is that they are simply guessing. Many of us use similar methods to create passwords: we choose a dictionary word and maybe add a number on the end. The National Cyber Security Centre published statistics earlier this year showing that 75% of businesses had accounts using passwords that were in the top 1,000 most common passwords. OK, if this is the case the attacker won’t get it right every time, but there is a reasonable chance that they will get it right often enough to make it worth their while.

The second possibility, and probably the more likely, is that the attacker has managed to source an old data breach from somewhere. Such a breach will include the usernames and passwords of possibly thousands of accounts, and these dumps can be found easily if you know where to look. Again, it is common for users to reuse the same password across multiple accounts. The victim might not even be aware that they were caught up in a data breach and probably haven’t changed that password since. In this way the attacker is much more likely to find a victim who believes his tale of woe.
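As an added example that is not part of the original post, here is a small triage check a mail administrator could run over messages matching the pattern described above: the visible sender is the recipient's own address, SPF and DKIM do not vouch for it, the body uses the scam's vocabulary and names a dollar figure. Both sample messages, the domains and the password are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example of the self-spoofed extortion email the post describes; all values invented.
SCAM_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: Jane Doe <jane.doe@example.org>
To: jane.doe@example.org
Subject: jane.doe@example.org - Password1

I cracked your email account six months ago; your password is Password1. I recorded
you through your webcam. Pay $833 in Bitcoin or the video goes to all of your contacts.
"""

# Constructed legitimate message for contrast: authenticated, different sender, one stray keyword.
LEGIT_EMAIL = """\
Return-Path: <colleague@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: Colleague <colleague@example.org>
To: jane.doe@example.org
Subject: Lunch on Friday?

Are you free for lunch on Friday? I forgot my password for the booking site.
"""

# Vocabulary of the scam template; one word alone proves nothing, several together do.
TEMPLATE_TERMS = ("webcam", "bitcoin", "password", "contacts", "video")


def triage_sextortion(raw: str) -> dict:
    """Score one raw RFC 5322 message against the spoofed-self-sender scam pattern."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload().lower()
    result = {
        # The visible sender is the recipient's own mailbox.
        "from_equals_to": bool(from_addr) and from_addr.lower() == to_addr.lower(),
        # Neither SPF nor DKIM vouches for the From domain, so the header is unverified.
        "auth_failed": "spf=pass" not in auth and "dkim=pass" not in auth,
        "template_terms": sum(term in body for term in TEMPLATE_TERMS),
        # A dollar figure in the body, like the $833 demand described above.
        "ransom_amount": bool(re.search(r"\$\s?\d{2,5}\b", body)),
    }
    result["likely_scam"] = result["from_equals_to"] and result["auth_failed"] and result["template_terms"] >= 2
    return result
```

The Authentication-Results header is only trustworthy when your own receiving mail server added it; a sender can forge that header too, which is why the check relies on the absence of a pass rather than the presence of a fail.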

What should you do if you get one of these emails? Well, to start, don’t panic. Then just hit the delete button. Also, please take two minutes of your time to tell someone else about this type of scam. The more people who know about it, the more will simply ignore these emails, and the less successful they will become for the criminals.

Chief Ethical Hacker Gerry Grant

For more information and advice please email [email protected]
