Here’s a rather salacious sort of email: a livid charge of “I saw you looking at naughty stuff online, and I’m gonna tell if you don’t pay up!”

Scam? You bet. This sort of extortion message – called a “extortion scam” by some – can be sent as spam to anyone (whether you’ve every looked at something dodgy online or not).

A scary twist!

But wait – while you might not be fooled by a message like that, there’s a twist to this sextortion scam that has panicked a lot of people. It’s an extortion message in which the scammer, as “evidence” of holding some sort of information about you, claims to know one of your passwords – and actually does reveal one!

I just received my first such message, and I admit that it gave me a jolt. Here’s what was sent to me (with the password redacted):

I‌ know [password redacted] on‌e of your pa‌ssphra‌ses. L‌ets get di‌r‌ectly to‌ po‌int. No‌n‌e ha‌s co‌mpensa‌t‌ed me to ch‌eck yo‌u. Yo‌u ma‌y no‌t kno‌w m‌e a‌nd you ar‌e pro‌bably wo‌nd‌eri‌ng why yo‌u’r‌e g‌etti‌ng thi‌s e ma‌i‌l?

a‌ctua‌lly, i‌ setup a‌ so‌ftwa‌re o‌n the X vids (s‌ex sit‌es) sit‌e and th‌ere’s more, you vi‌si‌t‌ed thi‌s w‌eb si‌t‌e to‌ ha‌v‌e fun (you kno‌w wha‌t i‌ m‌ea‌n). Wh‌en yo‌u w‌er‌e vi‌ewi‌ng vi‌d‌eos, yo‌ur i‌nt‌ern‌et bro‌ws‌er i‌ni‌ti‌a‌t‌ed wo‌rking a‌s a‌ R‌emot‌e Deskto‌p tha‌t ha‌s a‌ k‌ey lo‌gg‌er whi‌ch pro‌vid‌ed m‌e wi‌th a‌cc‌essi‌bili‌ty to‌ your di‌spla‌y a‌nd w‌ebca‌m. a‌fter tha‌t, my so‌ftwa‌r‌e ga‌thered a‌ll o‌f yo‌ur contacts from your M‌ess‌eng‌er, Fac‌eboo‌k, a‌nd ‌ema‌i‌la‌cco‌unt. a‌nd th‌en i‌ ma‌de a doubl‌e-scre‌en video‌. 1st pa‌rt di‌spla‌ys th‌e vi‌deo‌ yo‌u w‌er‌e wa‌tching (yo‌u’ve go‌t a‌ ni‌c‌e ta‌st‌e lma‌o), a‌nd 2nd pa‌rt displa‌ys th‌e vi‌ew o‌f yo‌ur ca‌m, & i‌ts yo‌u.

Yo‌u wi‌ll ha‌ve just two so‌lutions. Why dont w‌e ta‌k‌e a‌ lo‌o‌k a‌t ‌ea‌ch o‌n‌e o‌f thes‌e o‌pti‌ons i‌n a‌sp‌ects:

1st opti‌o‌n i‌s to dismiss thi‌s m‌essa‌g‌e. i‌n thi‌s sc‌ena‌rio‌, i‌ am go‌i‌ng to‌ s‌end out yo‌ur vi‌d‌eo‌ cli‌p to‌ a‌lmo‌st a‌ll o‌f yo‌ur co‌nta‌cts a‌nd thus just i‌magin‌e co‌ncerni‌ng th‌e emba‌rra‌ssment yo‌u fe‌el. K‌e‌ep i‌n mi‌nd sho‌uld yo‌u b‌e i‌n an affa‌i‌r, pr‌ecis‌ely ho‌w i‌t can a‌ff‌ect?

2nd alt‌erna‌tiv‌e will b‌e to‌ comp‌ensa‌te m‌e $7000. We ar‌e goi‌ng to thi‌nk of it as a‌ do‌na‌ti‌o‌n. Cons‌equ‌ently, i‌ will qui‌ckly d‌el‌et‌e yo‌ur vi‌d‌eo‌. Yo‌u wi‌ll k‌eep yo‌ur lif‌e li‌k‌e thi‌s n‌ev‌er o‌ccurred and yo‌u sur‌ely wi‌ll n‌ev‌er hea‌r back a‌ga‌i‌n fro‌m me.

You’ll make th‌e pa‌yment by Bi‌tcoi‌n (i‌f yo‌u do‌n’t kno‌w thi‌s, s‌ea‌rch fo‌r ‘ho‌w to‌ buy bi‌t‌coin’ in Go‌o‌gl‌e).

B‌T‌C‌ a‌ddress: 166ZywJzrfYPTZoiBKCqrQE4cKhrFNrCNk
[ca‌se-s‌ensi‌tiv‌e, co‌py and pa‌st‌e i‌t]

i‌n case yo‌u a‌r‌e lo‌o‌ki‌ng a‌t go‌i‌ng to‌ the la‌w ‌enfo‌rc‌em‌ent o‌ffi‌ci‌als, w‌ell, thi‌s m‌essa‌g‌e canno‌t b‌e trac‌ed ba‌ck to m‌e. I‌ ha‌ve co‌v‌er‌ed my mov‌es. i‌ a‌m no‌t att‌empting to d‌ema‌nd much, i‌ si‌mply wa‌nt to b‌e r‌ewa‌rd‌ed. i‌ ha‌v‌e a‌ sp‌eci‌fi‌c pix‌el i‌n thi‌s ‌ema‌il, a‌nd now i‌ kno‌w tha‌t yo‌u hav‌e r‌ea‌d through thi‌s ‌ema‌il messa‌g‌e. Yo‌u no‌w have o‌n‌e da‌y i‌n o‌rder to‌ pay. i‌f i‌ do‌ no‌t g‌et th‌e B‌i‌tC‌oi‌ns, i‌ defini‌tely wi‌ll s‌end yo‌ur vi‌d‌eo‌ reco‌rdi‌ng to a‌ll o‌f yo‌ur conta‌cts i‌ncludi‌ng r‌elati‌ves, co‌ll‌eagu‌es, and so‌ forth. N‌ev‌erth‌eless, i‌f i r‌ecei‌v‌e th‌e payment, i‌ will ‌era‌s‌e th‌e vi‌deo‌ i‌mm‌edi‌at‌ely. if yo‌u r‌ea‌lly wa‌nt pro‌o‌f, r‌eply wi‌th Yea‌! & i‌ wi‌ll c‌erta‌i‌nly s‌end o‌ut yo‌ur vi‌deo‌ r‌ecordi‌ng to‌ yo‌ur 10 fri‌‌ends. Thi‌s i‌s a‌ no‌nn‌ego‌ti‌a‌bl‌e o‌ff‌er, a‌nd thus do‌n’t wa‌st‌e mine tim‌e a‌nd yo‌urs by r‌espo‌nding to‌ this ‌e-ma‌i‌l.

Since then, these messages have come in steadily. My, it’s amazing how many “hackers” are “spying” on me! Like this one:

Btw, I a‌ctu‌a‌lly ca‌me‌ to‌ kno‌w a‌ll o‌f the‌ to‌o‌ di‌rty se‌cre‌ts. I wi‌ll no‌t te‌ll yo‌u‌ ju‌st wha‌t e‌xa‌ctly I ca‌me‌ to‌ kno‌w, I’ve‌ the‌ i‌nfo‌ a‌lo‌ng wi‌th me‌. To‌ pro‌ve‌ my po‌i‌nt, ju‌st le‌t myse‌lf re‌ve‌a‌l yo‌u‌ tha‌t o‌ne‌ o‌f yo‌u‌r pa‌sswo‌rds i‌s [password redacted. Pa‌y me‌ $‌1000 vi‌a‌ *Bi‌tco‌i‌n* to‌ the‌ a‌ddre‌ss 18oSeNBDxvrrFfMV7DVxyKRXXHw2jWLSo2 i‌n the‌ ne‌xt 41 hrs. I wa‌nt to‌ ma‌ke‌ o‌ne‌ thi‌ng cle‌a‌r, tha‌t I wi‌ll de‌va‌sta‌te‌ yo‌u‌r li‌fe‌ to‌ta‌lly i‌f I do‌ no‌t ge‌t the‌ pa‌yme‌nt. If I do‌ ge‌t the‌ pa‌yme‌nt, I’ll e‌ra‌se‌ e‌a‌ch a‌nd e‌ve‌ry i‌nfo‌ I ha‌ve‌ wi‌th me‌, a‌nd I wi‌ll go‌ a‌wa‌y a‌nd yo‌u‌ wi‌ll de‌fi‌ni‌te‌ly do‌ no‌t he‌a‌r a‌nythi‌ng fro‌m me‌. Thi‌s i‌s the‌ fi‌rst a‌nd a‌lso‌ la‌st e‌ma‌i‌l fro‌m me‌ a‌nd a‌lso‌ the‌ o‌ffe‌r i‌s no‌n ne‌go‌ti‌a‌ble‌, so‌ do‌ no‌t a‌nswe‌r to‌ thi‌s ma‌i‌l.

(Side note: “…in the next 41 hrs.”? Really? Not 24 hours, or 48 hours? That’s kind of original, in its own trivial way.)

Well. I’ve removed the password from the above (for the obvious reason of protecting my security), but it’s true: the password that both of these anonymous scammers placed in their messages is one that I’ve actually used in the past! What’s going on here? Should I panic?

No. Many security experts have responded to freaked-out recipients of such messages. Their explanation for the problematic password: The scammers are using email addresses and passwords that have been leaked in past security incidents. The kind of incident you hear about in the news all the time: some company or agency is attacked by a hacker, or leaks information through some sort of sloppy error, and thousands or millions of passwords leak out where scammers can get hold of them.

Maybe it was a shopping site, maybe some social media service, maybe some service for saving files, maybe something else entirely. Whatever it was, it suffered a leak of data at some point, and scammers obtained information from many (probably millions) of accounts. Not necessarily all data about the accounts’ users, not necessarily data they can use to meaningfully identify individual people, but they at least got the passwords of the users, along with email addresses associated with the users’ accounts. The scammers can now send out millions of extortion email messages to the leaked email addresses, with the scary-looking “I have a password of yours!” part added.

This is not a good thing, and if an extortion message like the above provides a password as “evidence” of having goods on you, and you recognize that it is indeed some password you currently use or once used, well, it’s understandable that you’d feel concerned!

But stay calm. Keep in mind that these sort of data leaks happen a lot; it’s an unfortunate part of modern digital life. It doesn’t necessarily mean that the scammers know much about you beyond that leaked password and associated email address (although, disconcertingly, you can’t assume that they do know only those things). It certainly doesn’t mean that the scammers have access to any information about other accounts of yours that haven’t been breached! And – most relevant to the specific claims of these email messages – it does not mean that the scammers have spied on your alleged visits to naughty web sites. That part is pure scam!

All right. What to do, then? If it’s just a scam letter like the top one above, there’s nothing you need to do but ignore it. But if you get one of the “I know your password!” scam messages, you do have a bit of a problem: whether this particular scammer can ever put that info to any use (other than to use in sending scary-looking email messages), the fact that your data was part of some leak of user account data, somewhere and somewhen, is not a good thing. Fortunately, you can do something about it, right away: change the password for any account using that compromised password.

What to do if you receive the “sextortion” email

Here’s a summary of what the experts say you should do if you get an extortion email like any of the above:

  1. Do not pay the demanded ransom. That’s the first and biggest thing. No matter how scary the message, it’s a scam. There is no incriminating video of you that will be sent to your friends and family.
  2. Do not respond to the message. There’s nothing for you to gain by replying in any way. All that’ll do is let the scammer know that your email address is “a live one” – an address in active use, and thus a prime target for escalation of the current scam, or for use in future scams, or – if nothing else – for lots and lots of junk mail.
  3. If the message contains some current or past password of yours, do not use that password any more, for any account. Don’t be shocked by the sight of that password; it’s just a ruse to shake you up. But do understand that that password is no longer safe to use, anywhere. Take inventory of where you might be using that password. Facebook account? Amazon.com account? Some other shopping site account? Online game site account? Check all of your accounts – and for any account for which that password is in use, change the password to some new password, right away. Seriously, do this.
  4. If the message contains any sort of attached file, do not open it. Messages like the above will sometimes contain an attachment claiming to be further evidence of your alleged activities, or an invoice for the ransom payment, etc. But there’s a good chance that the attachment is designed to infect your computer with some sort of nasty harmful software. Think of it as the scammers dangling multiple fishhooks: Maybe they’ll catch you with the payment scam, or catch you with the attachment that does something nasty to your computer – or (they hope!) maybe even catch you with both!
  5. Optional extra: If you’re bothered by the possibility of being spied on through your computer’s camera, cover it physically. It’s very unlikely that the sort of spying claimed by the above email scammers could happen to you – but, although not related to the scam above, there have been incidents of spying that have happened. To prevent even that tiny likelihood, you can physically cover your computer’s camera if you like. Just place a piece of electrician’s tape, or the sticky part of a Post-It Note, over the lens when you’re not using it. That’s it. No camera hacker, of any skill level, can defeat that piece of tape without physically removing it!

There. That’s not so tough; the first two items above are simply things to not do, and the remaining three are “if” items. In the end, scam messages like the above are nothing to worry over. It’s a hassle to change compromised passwords if you get one of the “I know your password!” messages – but you can (sort of) be a tiny bit grateful that the scam alerted you to the compromised password.

And with that done, just throw out the scam message and go back to looking at funny fail videos and cute kitten pictures. (Or whatever.)

Sources

An online search will turn up lots of good additional information on this sort of scam. A couple of short, easy-to-understand overviews:

 

Author

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.