Here’s a rather salacious sort of email: a livid charge of “I saw you looking at naughty stuff online, and I’m gonna tell if you don’t pay up!”
Scam? You bet. This sort of extortion message – called a “sextortion scam” by some – can be sent as spam to anyone (whether you’ve ever looked at something dodgy online or not).
A scary twist!
But wait – while you might not be fooled by a message like that, there’s a twist to this sextortion scam that has panicked a lot of people. It’s an extortion message in which the scammer, as “evidence” of holding some sort of information about you, claims to know one of your passwords – and actually does reveal one!
I just received my first such message, and I admit that it gave me a jolt. Here’s what was sent to me (with the password redacted):
I know [password redacted] one of your passphrases. Lets get directly to point. None has compensated me to check you. You may not know me and you are probably wondering why you’re getting this e mail?
actually, i setup a software on the X vids (sex sites) site and there’s more, you visited this web site to have fun (you know what i mean). When you were viewing videos, your internet browser initiated working as a Remote Desktop that has a key logger which provided me with accessibility to your display and webcam. after that, my software gathered all of your contacts from your Messenger, Facebook, and emailaccount. and then i made a double-screen video. 1st part displays the video you were watching (you’ve got a nice taste lmao), and 2nd part displays the view of your cam, & its you.
You will have just two solutions. Why dont we take a look at each one of these options in aspects:
1st option is to dismiss this message. in this scenario, i am going to send out your video clip to almost all of your contacts and thus just imagine concerning the embarrassment you feel. Keep in mind should you be in an affair, precisely how it can affect?
2nd alternative will be to compensate me $7000. We are going to think of it as a donation. Consequently, i will quickly delete your video. You will keep your life like this never occurred and you surely will never hear back again from me.
You’ll make the payment by Bitcoin (if you don’t know this, search for ‘how to buy bitcoin’ in Google).
BTC address: 166ZywJzrfYPTZoiBKCqrQE4cKhrFNrCNk
[case-sensitive, copy and paste it]
in case you are looking at going to the law enforcement officials, well, this message cannot be traced back to me. I have covered my moves. i am not attempting to demand much, i simply want to be rewarded. i have a specific pixel in this email, and now i know that you have read through this email message. You now have one day in order to pay. if i do not get the BitCoins, i definitely will send your video recording to all of your contacts including relatives, colleagues, and so forth. Nevertheless, if i receive the payment, i will erase the video immediately. if you really want proof, reply with Yea! & i will certainly send out your video recording to your 10 friends. This is a nonnegotiable offer, and thus don’t waste mine time and yours by responding to this e-mail.
Since then, these messages have come in steadily. My, it’s amazing how many “hackers” are “spying” on me! Like this one:
Btw, I actually came to know all of the too dirty secrets. I will not tell you just what exactly I came to know, I’ve the info along with me. To prove my point, just let myself reveal you that one of your passwords is [password redacted]. Pay me $1000 via *Bitcoin* to the address 18oSeNBDxvrrFfMV7DVxyKRXXHw2jWLSo2 in the next 41 hrs. I want to make one thing clear, that I will devastate your life totally if I do not get the payment. If I do get the payment, I’ll erase each and every info I have with me, and I will go away and you will definitely do not hear anything from me. This is the first and also last email from me and also the offer is non negotiable, so do not answer to this mail.
(Side note: “…in the next 41 hrs.”? Really? Not 24 hours, or 48 hours? That’s kind of original, in its own trivial way.)
Well. I’ve removed the password from the above (for the obvious reason of protecting my security), but it’s true: the password that both of these anonymous scammers placed in their messages is one that I’ve actually used in the past! What’s going on here? Should I panic?
No. Many security experts have responded to freaked-out recipients of such messages. Their explanation for the problematic password: The scammers are using email addresses and passwords that have been leaked in past security incidents. The kind of incident you hear about in the news all the time: some company or agency is attacked by a hacker, or leaks information through some sort of sloppy error, and thousands or millions of passwords leak out where scammers can get hold of them.
Maybe it was a shopping site, maybe some social media service, maybe some service for saving files, maybe something else entirely. Whatever it was, it suffered a leak of data at some point, and scammers obtained information from many (probably millions) of accounts. Not necessarily all data about the accounts’ users, not necessarily data they can use to meaningfully identify individual people, but they at least got the passwords of the users, along with email addresses associated with the users’ accounts. The scammers can now send out millions of extortion email messages to the leaked email addresses, with the scary-looking “I have a password of yours!” part added.
This is not a good thing, and if an extortion message like the above provides a password as “evidence” of having goods on you, and you recognize that it is indeed some password you currently use or once used, well, it’s understandable that you’d feel concerned!
But stay calm. Keep in mind that these sorts of data leaks happen a lot; it’s an unfortunate part of modern digital life. It doesn’t necessarily mean that the scammers know much about you beyond that leaked password and associated email address (although, disconcertingly, you can’t assume that they know only those things). It certainly doesn’t mean that the scammers have access to any information about other accounts of yours that haven’t been breached! And – most relevant to the specific claims of these email messages – it does not mean that the scammers have spied on your alleged visits to naughty web sites. That part is pure scam!
All right. What to do, then? If it’s just a scam letter like the top one above, there’s nothing you need to do but ignore it. But if you get one of the “I know your password!” scam messages, you do have a bit of a problem: whether this particular scammer can ever put that info to any use (other than to use in sending scary-looking email messages), the fact that your data was part of some leak of user account data, somewhere and somewhen, is not a good thing. Fortunately, you can do something about it, right away: change the password for any account using that compromised password.
What to do if you receive the “sextortion” email
Here’s a summary of what the experts say you should do if you get an extortion email like any of the above:
- Do not pay the demanded ransom. That’s the first and biggest thing. No matter how scary the message, it’s a scam. There is no incriminating video of you that will be sent to your friends and family.
- Do not respond to the message. There’s nothing for you to gain by replying in any way. All that’ll do is let the scammer know that your email address is “a live one” – an address in active use, and thus a prime target for escalation of the current scam, or for use in future scams, or – if nothing else – for lots and lots of junk mail.
- If the message contains some current or past password of yours, do not use that password any more, for any account. Don’t be shocked by the sight of that password; it’s just a ruse to shake you up. But do understand that that password is no longer safe to use, anywhere. Take inventory of where you might be using that password. Facebook account? Amazon.com account? Some other shopping site account? Online game site account? Check all of your accounts – and for any account for which that password is in use, change the password to some new password, right away. Seriously, do this.
- If the message contains any sort of attached file, do not open it. Messages like the above will sometimes contain an attachment claiming to be further evidence of your alleged activities, or an invoice for the ransom payment, etc. But there’s a good chance that the attachment is designed to infect your computer with some sort of nasty harmful software. Think of it as the scammers dangling multiple fishhooks: Maybe they’ll catch you with the payment scam, or catch you with the attachment that does something nasty to your computer – or (they hope!) maybe even catch you with both!
- Optional extra: If you’re bothered by the possibility of being spied on through your computer’s camera, cover it physically. It’s very unlikely that the sort of spying claimed by the above email scammers could happen to you – but, although not related to the scam above, there have been incidents of spying that have happened. To prevent even that tiny likelihood, you can physically cover your computer’s camera if you like. Just place a piece of electrician’s tape, or the sticky part of a Post-It Note, over the lens when you’re not using it. That’s it. No camera hacker, of any skill level, can defeat that piece of tape without physically removing it!
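One practical way to confirm that a password quoted in one of these messages really did come from a breach dump (and to check any other password you suspect) is a k-anonymity lookup: hash the password locally with SHA-1, send only the first five hex characters of the hash to a breach-corpus service, and compare the remaining 35 characters against the list that comes back, so the full password and full hash never leave your machine. The script below is an added example, not code from the original post or from any of the linked articles. It assumes the request/response shape of the Pwned Passwords “range” endpoint (a GET on `https://api.pwnedpasswords.com/range/<prefix>` that returns `SUFFIX:COUNT` lines); the range data embedded in `FAKE_RANGE_DATA`, including its counts and filler suffixes, is constructed so the example runs offline, and the live fetcher is only used if you call it yourself.

```python
"""Check whether a password appears in leaked-credential data using a
k-anonymity range query (only a 5-character hash prefix is ever sent)."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a range response, keyed by 5-hex-char SHA-1 prefix.
# The counts and the two filler suffixes are made up for this example; only
# the middle line is the real SHA-1 suffix of the string "password".
FAKE_RANGE_DATA: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "00AF4C1B1D6D8C6EEDC4C5BFA5FAB27A1E1:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of "password"
        "FFFD9A6CE7CCEDD7B2B1D6B7A6B3D1C0F2A:1",
    ]),
}


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password locally and split the hex digest into the 5-char
    prefix that may be sent and the 35-char suffix that must stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map; tolerate
    blank lines and either CRLF or LF line endings."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password was seen in the breach corpus
    (0 if absent). fetch_range is injected so tests can run offline."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return FAKE_RANGE_DATA.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Fetcher for the real endpoint (assumed API shape; network required).
    Only the 5-character prefix is transmitted."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    import getpass
    # getpass avoids echoing the password to the terminal or shell history.
    candidate = getpass.getpass("Password to check (not echoed): ")
    seen = breach_count(candidate, fake_fetch_range)  # swap in live_fetch_range
    if seen:
        print(f"Seen {seen} times in leaked data: retire it on every account.")
    else:
        print("Not found in the sample data (absence is not proof of safety).")
```

If the quoted password comes back with a non-zero count, that confirms the post’s explanation: the scammer got it from a breach dump, not from your webcam, and the only real action is the one in the list above: change it everywhere it is still in use. A zero result only means the corpus you queried does not contain it; the email has already shown you that at least one leak does, so retire it regardless.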
There. That’s not so tough; the first two items above are simply things to not do, and the remaining three are “if” items. In the end, scam messages like the above are nothing to worry over. It’s a hassle to change compromised passwords if you get one of the “I know your password!” messages – but you can (sort of) be a tiny bit grateful that the scam alerted you to the compromised password.
And with that done, just throw out the scam message and go back to looking at funny fail videos and cute kitten pictures. (Or whatever.)
An online search will turn up lots of good additional information on this sort of scam. A couple of short, easy-to-understand overviews:
- Sextortion Scam: What to Do If You Get the Latest Phishing Spam Demanding Bitcoin (Electronic Frontier Foundation)
- Fake Blackmail Sextortion Scam Emails Using Real Passwords (Hoax-Slayer)
- “Hacked Account” Blackmail Spam on the Rise—Beware! (TidBits)