What are the people in this photo looking at with such concern?  It could be a lot of things, but this month it’s a good bet one of them received a porn extortion scam email, and they’re trying to decide just how much they should freak out.

This scam has been floating about for a while, but we have seen a recent increase in its frequency this summer, combined with a new twist that makes it much more effective and dangerous.

The basic idea is you receive an email that says they have recorded your activity on porn web sites, and if you don’t pay an extortion fee they will release the information to your contacts.

The nastier threats claim they have gained control of your computer and recorded your, um, activity, through your webcam.  They threaten to release a side-by-side video of what you watched and what you did.  The very idea of this is terrifying to most people, even if they know it cannot be true.  After all, technology has made fake videos very possible.

Something New

And now the new twist: the messages we have seen this week tell the user they know their password, which they include in the message.  Almost everyone we have heard from says they recognize the password as one they have used (or are currently using) on one or more web sites.  What’s going on here?  Does this mean they really have control of your computer?

Thankfully, no, it probably does not.  What we believe is happening is the extortionists have gathered up user passwords and email addresses that became available after various big data breaches in the past few years.  After big data breaches of companies like TJ Maxx, Target, Yahoo (1 *billion* accounts!), Equifax and others, the data often goes up for sale on the dark web.  For example, after the largest biometric database in the world (Aadhaar in India) was compromised, a newspaper found they could purchase the data of any of over a billion Indian citizens for less than $8.

So, the criminal includes that one juicy tidbit, a password you have actually used in the past, in their threat.  This makes it seem like they might really have control of your computer, and the threat might be real.  This surely causes some people to start googling “how to bitcoin” just in case!

Show Me A Sample

Here is a snippet of one of these threat messages just so you will know what they look like if you get something similar.  This is the most common flavor we have seen, but there are others as well:

I am aware, 98cats4gr8ness, is your pass word. You may not know me and you are probably wondering why you are getting this e mail, right?

Well, I actually placed a malware on the adult vids (porno) web-site and do you know what, you visited this website to have fun (you know what I mean). While you were watching videos, your browser began operating as a RDP (Remote control Desktop) having a key logger which provided me with accessibility to your screen and web cam. after that, my software program collected all of your contacts from your Messenger, Facebook, and email.

It goes on to demand a Bitcoin payment ($300 to $5000 usually) to keep your secret.

What To Do?

First, you can probably relax.  It is very unlikely this particular scam is legitimate.  However, this type of “sextortion” IS a real thing, and it does happen.  So please take some steps to protect yourself.  Here is a quick checklist:

  • Are you using good password hygiene? If you recognized the password they sent and you are still using it anywhere at all, change it right now. Use a new password for every different web site or service.  Many of the people who suffer identity thefts have reused the same password on many sites.  Web services are big targets and they will continue to be compromised.  Don’t let one web service’s data breach cause the unraveling of your entire life.  A password manager such as LastPass (or many others) can make this easier than keeping track of them by hand.
  • Cover that camera!  These days laptops, tablets, phones, and many PCs come with webcams.  The simplest way to know it’s turned off is to cover it with a sticker, piece of electrical tape, or even a little sticky note.  You don’t have to be doing anything illicit to still want privacy!  In fact, we wrote a recent article on this very topic – check it out.
  • Do a virus and malware scan on your computer, just to make sure.
  • As ever, be very careful clicking any links you receive in email.  Even if (you think) you know the sender, hover your mouse over the link to learn where it goes.  I saw a message supposedly from Apple today, telling the reader to click a link to re-enable their account.  The link went to a domain called “dryerlintwizard.org” … definitely not a legitimate link to Apple.

In short, a little calm common sense goes a long way in staying safe online.  If you receive any interesting variations on these extortion scams, please pass them along.

April 2019 Update: These scam emails are continuing (even increasing) and we are seeing 2 new twists in them:

  • Forged Sender – the crook forges the sender email address so the message looks like you sent it to yourself.  Sadly, forging the “From” address is still fairly easy to do, even with modern email systems.  This does NOT indicate that the scammer has access to your email account.
  • Text Images – We are seeing many of the messages come as a large JPG image of the screen of text.  This makes it much harder to block these messages as the spam filters cannot search for the usual text clues.
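As an added illustration (not part of the original post), the Python below checks a raw message for the two twists just described: a “From” address forged to look self-sent that fails SPF/DKIM/DMARC at the receiving mail server, and a body that arrives only as an image. The message text, addresses and the `mx.example.org` authserv-id are constructed samples.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a real message: "From" is forged to match the
# recipient, SPF/DKIM/DMARC all fail, and the text arrives only as a JPG.
SCAM = """\
From: victim@example.org
To: victim@example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.org
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
"""

def auth_results(msg):
    """Map method -> result from Authentication-Results, e.g. {'spf': 'fail'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:   # clause 0 is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if method:
                results[method] = rest.split()[0] if rest else ""
    return results

def forged_self_sender(msg):
    """From equals To, yet no authentication method passed: a spoofed 'From'."""
    sender, rcpt = (parseaddr(str(msg.get(h, "")))[1].lower() for h in ("From", "To"))
    auth = auth_results(msg)
    return bool(sender) and sender == rcpt and not any(
        auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

def image_only_body(msg):
    """An image part is present and the readable text is (nearly) empty."""
    has_image, text_chars = False, 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() == "text/plain":
            text_chars += len(part.get_content().strip())
    return has_image and text_chars < 40

def triage(raw):
    """Run both checks on a raw RFC 5322 message and return the flags."""
    msg = message_from_string(raw, policy=policy.default)
    return {"forged_self_sender": forged_self_sender(msg),
            "image_only_body": image_only_body(msg)}
```

A genuine note-to-self that passes SPF or DKIM is not flagged, which is why the check keys on the authentication results rather than on the matching addresses alone.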