There’s a twisted new sextortion scam going around.
Some reports have been shared by Bleeping Computer, Krebs on Security, and TechCrunch of a new scam in which the perpetrators send people emails claiming they know the recipient’s password and have used that password to install malware on their computer and captured a video of them watching porn and masturbating.
One such email, which programmer Can Duruk shared on Twitter, reads:
I’m aware that XXXXXXX is your password.
You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google) .
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email
Bleeping Computer shared a screen grab of virtually the same email sent to someone else, and shared a tweet by security researcher SecGuru, showing a version of the email sent to them.
The scam can be convincing because the password sent in the email may be one of the recipient’s actual current or former passwords. Both Duruk and SecGuru said the passwords quoted were ones they had actually used. Duruk tweeted, and SecGuru told Bleeping Computer, that they believe these were passwords that were compromised by a data breach.
Security journalist Brian Krebs wrote on his blog that this is a new twist on an old scam. Krebs posted that three of his readers reported receiving similar emails using the same tactic, but he said all three told him the passwords cited in the emails were about 10 years old.
“I suspect that as this scam gets refined even more, perpetrators will begin using more recent and relevant passwords—and perhaps other personal data that can be found online—to convince people that the hacking threat is real,” Krebs wrote.
The password may be one that the recipient has used, but it’s very unlikely that the scammer has actually installed any malware 0n your computer. While sextortion scams like this have been attempted for years, there are no reports of any scammers using this tactic and actually installing malware to film someone pleasuring themselves while watching porn. It’s much easier to just lie about it and convince people that this has happened.