Sextortion scammers have started hijacking poorly managed or defunct hosted blog sites to expand an increasingly profitable business. They have now started posting their messages – which dupe people into believing they’ve been filmed watching porn and demand a bitcoin ransom – to WordPress and Blogger sites.
The messages, which appear as blog posts from the administrators, take varying forms but all say the same basic thing: We’ve accessed your computer and filmed you in a compromising position using your webcam. Send bitcoin to our address or we’ll spill the goods.
Bleeping Computer searched for phrases common to many of the sextortion posts and came up with almost 1,500 results on Blogspot, which is the free domain service provider frequently used to host Blogger blogs. It also found around 200 hits on WordPress sites. Both of these are online blog hosting services, but we did not find any hits showing compromised self-hosted blogs.
The posts carry titles like “High danger. Your account was attacked” and “Security Notice. Someone have access to your system.” They begin with messages like:
As you may have noticed, I sent you an email from your account.
This means that I have full access to your device.
This is a different modus operandi than the email versions of these scams, which usually contain one of the victim’s passwords gleaned from a hacked password list. The attacker might have hijacked the account used to manage the hosted site by either compromising an administrator’s machine, or more likely using a simple credential-stuffing attack.
A look at some of these blogs reveals not just one spam message but several, spanning not just sextortion but also everything from romance scams to car loans. One site we saw also redirected us to a fake antivirus page. Some of the blogs are still displaying spam posts made a year or more ago. We encourage readers not to search for such blogs or visit them, in case some of the attackers have embedded drive-by malware downloads in their posts.
The sites have something else in common: many of them have been abandoned. In some cases, there hadn’t been a legitimate post in a year or more.
We reached out to the owners of one such neglected WordPress-hosted site, which had lain dormant from 2014 to 2017. The most recent post, a sextortion attempt, is dated 26 February 2019.
“We don’t actually use it”, she said when we told her that someone else had been using it, going on to say that all the details to access the site were on a computer in the office but that the administrator wasn’t there. We advised her to check the site’s security, and she said: “I will do, if I get a minute, which I never get”.
Neglected sites like these, operated by those without the resources or expertise to manage them, seem to be the main target for these sextortion scammers and other spammers. Are they trying to fool the owners of the sites, or the visitors? Probably both, as long as someone clicks on a scam link or sends bitcoin to their address.
The current wave of sextortion scams started with crooks sending emails, sometimes from the victims’ own email addresses, that used old, long-exposed passwords as fake “proof” that the recipient’s computer had been hacked. Have the crooks now learned that using those same passwords to compromise unattended blogs is a more convincing form of proof?
The signs are that people are paying up. The address on the disused blog has collected 4.5 bitcoins (£32,780). It received the first payment on the same date that the sextortion post appeared on the site. It’s one of dozens of addresses appearing on different blogs. Those funds could also have come from email sextortion victims, of course, and from other sources, but sad to say, for these attackers crime really does seem to pay.
Watch now
The video below contains answers in plain English to:
- Is there anything at all behind these threats?
- Is it a worry if the crooks know my password or other personal information?
- Is it really possible to be tracked via email as the crooks claim?
- Is there still a risk if I don’t watch porn?
- Is it worth reporting these emails to my ISP?
- What to do next?
(Watch directly on YouTube if the video won’t play here.)
Has this happened to you? Let us know in the comments.
Anonymous
Please could you actually tell us in writing some of those plain-English answers you claim to have? The subtitles on that video ate truly lousy and watching it takes far longer than reading a transcript would.
Mark Stockley
Sure,
* Is there anything at all behind these threats?
No, they’re a pack of lies, you can safely ignore them.
* Is it a worry if the crooks know my password or other personal information?
The passwords come from large collections of old breached passwords. If you still use the password mentioned in the email, it’s out there on the public internet, so go and change it. Is is NOT proof that you have been hacked though, as the scam email claims.
* Is it really possible to be tracked via email as the crooks claim?
Yes. If your email software displays images by default, your email opens can be tracked.
* Is there still a risk if I don’t watch porn?
These emails are a scam. Whether you watch porn or not, you are at risk from drive-by malware though, so get yourself some good antivirus, a password manager, and keep your computer patched.
* Is it worth reporting these emails to my ISP?
Yes, but don’t expect it to have much, if any, short term effects.
* What to do next?
Forget the email and get on with your life!
For more on sextortion emails, take a look at this article:
https://nakedsecurity.sophos.com/2018/10/15/beware-sextortionists-spoofing-your-own-email-address/
Spryte
Yes, it’s happened to me. Not applicable so my motto is:
Ignore and Delete Ignore and Delete Ignore and Delete Ignore and Delete
Mark Sitkowski
If you go to the trouble of looking at the mail headers, you can follow the trail of servers through which the email passed, before reaching you. Some of the headers even include IP addresses, so look up the ISP and the country of origin, and send a copy of the complete email to the ISP, and the country’s CERT office.