Sextortion, also known as “porn scamming“, is where the crooks send you an email claiming to have a video of you watching porn that they’ve acquired by implanting malware on your computer.
We suspect that you’ve not only heard of it but also received these odious and scary emails yourself – scary because no matter whether the crooks really have a video or not, the emails sign off with an aggressive blackmail demand for money…
…or else the video goes to all your family and friends.
The extortion amount varies, but it’s typically about $2000, payable via Bitcoin to a cryptocoin wallet specified in the email.
The idea is that if you pay up, the crooks will stop hounding you, delete the video and move on to another victim.
The thing is, there isn’t a video – after all, if there were, surely the crooks would send you a clip or still image from it as proof?
The criminals are just hoping that a few of the victims who receive their emails will pay up anyway out of fear, and at least some people do.
Indeed, a SophosLabs report published earlier this year found that although porn scamming crooks aren’t pulling in the millions-of-dollars-a-time that some ransomware gangs seem to be getting away with, sextortion scammers have nevertheless been pulling in as much as $100,000 a month simply by telling people to pay up.
LEARN MORE ABOUT SEXTORTION THREATS
Watch on YouTube if the video won’t play here.
You’re probably not terribly surprised, then, to hear that the sextortion crooks are now turning their hands to what we’re calling “breachstortion”.
Instead of claiming to have infected your computer and made off with video filmed from your own webcam, the crooks are claiming to have hacked your website and made off with your data.
As you probably know, ransomware crooks are no longer just scrambling your data and demanding you to pay up to get it back.
They’re now upping the ante by stealing your data first and only then letting loose with their ransomware to scramble it all.
That way the crooks can hit you up with a double reason to pay up: buy back the decryption key and prevent us from telling the world we hacked you.
So the “breachstortion” crooks are copying this data breach-based approach, except that they’ve not actually hacked your network or your computer at all – it’s all a pack of outright lies:
Subject: Your Site Has Been Hacked PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS! We have hacked your website [URL REDACTED] and extracted your databases. How did this happen? Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server. What does this mean? We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your [URL REDACTED] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.
SophosLabs has received quite a few emails along these lines, some as recently as today and others going back one or two months.
In all of them, the crooks give you five days to pay up by sending cryptocurrency to a Bitcoin wallet given in the email.
The amounts we’ve seen vary from $1500 to $2000 (for what it’s worth, the most recent sample we saw had the lowest price).
There are no email or website contact details in the message – the crooks tell you not to bother replying to the email at all, and there’s no website where you can trace your payment and see whether they’ve received the money.
Ironically, as the crooks themselves point out, “please note that Bitcoin is anonymous and no one will find out that you have complied.”
Presumably that’s meant to set your mind at rest by convincing you that the act of paying will not itself draw attention to your “breach”, even though it means you’re relying entirely on the crooks to keep track of which payments were made to “protect” which website’s data.
What to do?
When ransomware crooks hit your network, you typically have no doubt about what just happened – in fact, the ransom demand typically ends up saved in a file right there on your desktop, often with a dramatic change in wallpaper to draw your attention to the attack.
In this case, there’s none of that – not least because there was no malware, no hack, no attack other than the extortion email.
As in the case of porn scams, the crooks don’t have your data, and so paying up is pointless.
Of course, in both sextortion and breachstortion cases, the claims the that crooks make are technically possible: webcams really do sometimes get hijacked by malware; and data breaches really do happen when crooks sneak in due to an unpatched security bug.
That raises the tricky question, “But what if it is true after all and the crooks really do have that video of me/all the data from my network?”
Well, even if you decide to believe the bluffers in cases like this, or have $2000 to spend and figure you might as well be safe than sorry, we nevertheless urge you not to pay up.
Firstly, if these crooks really did get your files, how do you know someone else didn’t get them too (we frequently write about crooks getting hacked by other crooks, after all), or how can you tell that the crooks didn’t already sell them on?
Secondly, what if they come back next week, next month or even next year, when the stakes are even higher?
Kyle
I can’t wait for the next round of these “We hacked your website AND like to wach you waching porn! pay us or else!” LOL
Mark Sitkowski
It’s not as silly as it sounds. A trawl through our logs shows dozens of wget and zgrab queries each month (all of which our IPS drops), some of which are probably intended to make fake phishing sites, and others may well be hopeful of snagging a database or email directory.