The evil doers have launched a new sextortion scam on the internet. This one is interesting to say the least as it does use a technique to sucker you into believing it is real, without giving you any actual evidence of what they allege to have on you. You receive an e-mail at your current e-mail address with a subject line containing a User ID and Password from a very old account that belonged/belongs to you. The e-mail alleges that they have a video of you watching porn as well as the what porn you were viewing. They then look for money to not release the video to all of your friends, family and colleagues.
It is of course a scam, but having an old User ID and Password on the e-mail does seem to give it a sort of legitimacy, in that they may just have hacked your computer. If you happened to be somebody who recently viewed porn on that computer, one which has a webcam, then you may just fall victim to this sextortion scam. This is what a typical e-mail looks like:
The amount payable varies between the various e-mails, as does the Bitcoin wallet address (both circled above). There may also be a number of random words towards the end of the e-mail, which are used to defeat spam filters.
The bottom line here is, these people did NOT hack into your machine and record you watching porn. If they did, why wouldn’t they include a frame from said footage to prove that they had something on you.
The old User ID and Password that they included will have been picked up by the bad guys from a data breach sometime in the past. This stuff has been knocking around the internet for a loooonnng time. I did mention this last year when I talked about another scam e-mail that knew your name. They will have used other indexing techniques to associate the old account with your current e-mail address and then send you the scam e-mail.
Well known security reporter Brian Krebs, reckons that the evil doers may refine their technique and use more recent accounts that were part of a data breach.
As I always do in these e-mails I refer you to my fifth commandment. I’ll also throw in a shameless plug for the security awareness training that I provide, which, if you were interested in finding out more, just send an e-mail to info@L2CyberSecurity.com.
Let’s be careful out there.