
The Sextortion scam where they have your password

Or do they?

Maybe a year ago I was approached by one of my friends who told me he received a sextortion email.

Sextortion is a type of social engineering attack in which an attacker emails you claiming to have your password, whether for your email, your banking account, your local PC, your phone or, if you reuse passwords, all of the above. They then claim to have infected your computer with malware, gained access to your camera and filmed you watching porn and presumably doing whatever you do while watching. They also say they have all of your contacts and that, unless you pay them a certain amount of cryptocurrency, they will send the video to every one of them.

Yes, I know, this is quite disturbing. I wouldn’t want that to happen to me. And I mean, can you imagine someone filming everything that happens in the privacy of your own home? It’s a very scary thought, and attackers are counting on you feeling this way so that they can pressure you into paying the extortion price before you stop to think.

To go back to my friend’s story, I was almost certain it was a scam, but he didn’t actually show me the email, so I couldn’t run the 5 basic fake email checks on it, and I approached it as if it were a legitimate attack. Read on to learn what to do if you suspect they really do have your videos.

I also received this email recently:

Actually, I placed a virus on the xXx vids (sex sites) site & guess what, you visited this web site to have fun. While you were viewing videos, your web browser started working as a Remote Desktop having a keylogger which gave me accessibility to your display and also cam recording.
Just after that, my software collected all your contacts from your Messenger, social networks, and email.
{*****redacted*****} is one of your passwords.
if you send me $995 as a donation through Bitcoin, I will erase the recording immediately.
(search for in Google “how to buy bitcoin”). my BTC Address: [redacted]
You have one day in order to pay. If I do not get the BitCoins, I will definately send your video to all of your contacts. Bjwy

First of all, great work by Google in fighting these attacks. The work they are doing in recognizing these types of emails and warning users is impressive. As I’ve said before, do not ignore these warnings: they are your first and foremost indicator that this is a scam.

If you don’t use Gmail, you might not get a warning as straightforward as this. You can run the 5 basic checks for spotting a fake email and you will see that this one fails most of them: it doesn’t address you by name, it is full of spelling and grammar errors, there is no use of encryption, and so on. They are also calling the extortion a “donation”, lol.

If you really think they do have your password and a video from you, here’s what you can do.

Ask for proof. If they really do have a compromising video of you, and they want a couple of thousand dollars to keep it private, then they should be able to show you what you are paying for. This is somewhat risky, because by responding you confirm that your email address is active and read by a real person, which tends to attract more spam and more scams. But if you are really concerned, I guess it is a small price to pay in order to try to protect your privacy. If they do provide proof (very, very unlikely) then think about paying this ransom, bearing in mind that paying gives you no guarantee the recording is deleted and that extortion is a crime you can report to the police; otherwise, keep calm and carry on!

Change your password. Change all of your passwords. Do not reuse passwords. Use a password manager, and instead of passwords use passphrases. Use strong passwords of at least 12 characters: ICanCountTo6! is a much better password than 123456. And turn on two-factor authentication wherever it is offered, so that a leaked password alone is not enough to get into your account.

Think about when you last used that password. It is good practice to change your passwords occasionally, and a lot of websites try to force you to do so by setting passwords to expire, requiring a new one every few months. What matters here is whether the password in the email is still in use anywhere, not how old the email is. So if you haven’t used that password in a while, or are not actively using it now, you are very likely safe.

So if I am telling you to stay calm and not worry about this, how did they get your password, and should you be worried? They certainly had my password in the email they sent me.

Well, in the history of time (or rather the history of the internet) there have been many high-profile data breaches in which the email addresses and passwords of hundreds of millions of people were exposed, and many of these data “dumps” are still publicly available for download today. So it is entirely possible that you were using a password that was exposed in one of these breaches, and that is how the attackers got hold of it. They are now trying to convince you that they have compromised your accounts, when in fact they got your password from a text file downloaded from a breach-sharing site on the darknet.

In fact, there’s an invaluable website called Have I Been Pwned? (legitimate, you have my word) where you can check whether your email address or a password has appeared in a data breach. If you haven’t come across it, I wholeheartedly recommend checking whether your credentials have been exposed and, if so, changing them immediately. The password check is built so that you never send the site your actual password: only the first five characters of its SHA-1 hash leave your machine, and the matching against the returned candidates happens on your side.

So while they do have my password, it’s more that they had my password, as in the one I was using ten years ago. It’s also my throw-away password, which I would never have used for anything more serious than a newsletter subscription. So in my situation I am not worried. You also shouldn’t be worried if you’ve never watched porn, obviously 🙂

But seriously, this is a scam, and if you use any of the major email providers you will most likely never even see this email, as it will go straight to Spam. If you do receive it, be smart, use common sense, challenge it, keep cool, and do not allow yourself to panic.