Did you receive one of those “porn scam” emails in the past week or so?
Millions of people did – in fact, the number was probably more like tens or even hundreds of millions, with some Naked Security readers reporting phlegmatically that they’d had two, three and even five different flavours of scam in the past few days.
Even if you’ve never had a sextortion email sample of your own, you’re probably familiar with the “porn scam” scenario, where cybercriminals send a message out of the blue that says something along these lines:
- ATTENTION! We implanted malware on your computer, which means we have been keeping tabs on you, including grabbing your passwords and getting access to your accounts.
- We also used this malware to film you via your webcam and to take screenshots of your browser.
- We made a video of you on a porn site with the screenshots and the webcam footage side-by-side.
- Oh, and the clock is ticking, so pay us some money pretty darn quickly or we’ll send the video to your friends and family. (We know who they are, because we have your passwords, remember?)
The extortion demand is typically somewhere from $700 to $4000, payable to a Bitcoin address provided in the email.
The good news is that it’s all a bluff, because the crooks behind this scam don’t have malware on your computer, don’t have a video of you doing anything, don’t have screenshots of your browsing habits, and haven’t just stolen a list of your friends and family to send their non-existent video to.
The bad news is that this sort of email is extremely confronting, even if you don’t watch porn and don’t have a webcam, because blackmail is an odious and unsettling crime under any circumstances.
What makes it worse is that the crooks often include a password in the email as “proof” of their claim to have malware on your computer…
…and that password very often really is a password you once used, even if it’s a few years old now or for an account you’ve already closed.
In truth, the passwords sent out in these scams have typically been dredged up from old data breaches.
Although the password you see may have been your password once, the crooks didn’t get it from your computer recently. (Word of warning: if you are still using that password, or anything like it, on any online account, change it now!)
As you can imagine, once recipients of these emails realise it’s all a cruel and criminal hoax, and that some crook is simply preying on their fears, the pressure is off and they can relax.
Unanswered questions
But where do all these emails come from? Why can’t they be stopped? How many people end up paying? Where does the money go?
Our researchers at SophosLabs decided to find out.
By combing through five months’ worth of sextortion-spam data, they came up with some intriguing answers that you can read about in the latest SophosLabs report.
SophosLabs found that a very small proportion of recipients actually paid the blackmail demands, for what looks like just a few hundred victims worldwide over the five months of the research; but with the demands typically being in the range of $1000 to $2000 each, the crooks nevertheless made just shy of half a million dollars during this period.
Simply put: as well as intimidating and unnerving many millions of people around the globe with the offensive and scary nature of the email content, the crooks managed to pull in a cool $100,000 a month.
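An added example (not from the article or the SophosLabs report) of the kind of triage a defender can run over a batch of these emails: it pulls out the Bitcoin address each message demands payment to, verifies it as a well-formed legacy base58check address so that a typo or lookalike string is not counted as a wallet, records the dollar demand, and tallies messages per wallet. The messages and addresses are constructed, and the names CANDIDATE, GOOD_ADDR, BAD_ADDR and triage are chosen here.

```python
import hashlib
import re
from collections import Counter

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy 1.../3... only
DEMAND = re.compile(r"\$\s?(\d[\d,]*)")  # dollar figure quoted in the message

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]  # base58check

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out  # leading zero bytes -> "1"

def is_valid_legacy_address(addr: str) -> bool:
    """Decode and check: exactly 25 bytes (version + hash160 + 4) with a matching checksum."""
    if any(ch not in ALPHABET for ch in addr):
        return False
    n = 0
    for ch in addr:
        n = n * 58 + ALPHABET.index(ch)
    raw = b"\0" * (len(addr) - len(addr.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def triage(emails):
    """Return (messages per valid wallet, dollar demand per message, rejected candidates)."""
    wallets, demands, rejected = Counter(), [], []
    for body in emails:
        m = DEMAND.search(body)
        demands.append(int(m.group(1).replace(",", "")) if m else None)
        for cand in CANDIDATE.findall(body):
            if is_valid_legacy_address(cand):
                wallets[cand] += 1
            else:
                rejected.append(cand)  # typo, lookalike, or not an address at all
    return wallets, demands, rejected

# Constructed fixture: a valid address from an arbitrary 20-byte hash160 (version 0x00) and a copy with its last character altered so the checksum fails.
_payload = b"\x00" + hashlib.sha256(b"constructed fixture").digest()[:20]
GOOD_ADDR = b58encode(_payload + checksum(_payload))
BAD_ADDR = GOOD_ADDR[:-1] + ("2" if GOOD_ADDR[-1] != "2" else "3")
SAMPLE_EMAILS = [  # constructed, modelled on the wording the article describes
    f"ATTENTION! We implanted malware on your computer. Pay $1,200 to {GOOD_ADDR} in 48 hours.",
    f"Your password was qwerty123. Send $950 in bitcoin to {GOOD_ADDR} or the video goes out.",
    f"Last warning. Pay $2000 to {BAD_ADDR} now.",
]
```

Run `triage(SAMPLE_EMAILS)` to see two messages attributed to the one valid wallet, the three demands, and the corrupted address listed as rejected.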
As to where the money went, you can find out more of the gory details in the report, but this diagram gives you an idea of how and where the crooks “reinvested” their ill-gotten gains:
As to where the emails came from, the answer is, for the most part, that these huge sextortion spam surges came from innocent users whose computers were infected with spam-sending malware known as bots (short for “computer robots”).
These infected “zombie computers” can be fed remotely by the crooks with lists of email addresses. Each bot in the so-called “robot network”, or botnet, will then send out its own burst of spam, independently of all the others.
That means that there is no single source of the spam; no single server that can be blocked; no country that is an obvious culprit; and that the spam blasts happen in parallel from all over the world at the same time, as the report reveals:
So if you’ve ever wondered why spam blasts are hard to shut down, and why there isn’t one service provider or email sender that can be identified and taken down to bring the problem under control, it’s because zombie networks present an ever-changing mix of countries, computers and IP numbers – as well as a dynamic supply of what is essentially free bandwidth to the crooks.
The best way you can help to stop these porn scammers from sending so much spam is to make sure that you aren’t infected with zombie malware yourself.
Remember: when it comes to spam, if you aren’t part of the solution, you’re part of the problem!
You may also find this video useful:
Kyle
So thinking about this a little, I just don’t understand how anyone falls for this. Let’s assume that you DO look at porn on your laptop, and have the camera exposed (no tape over it). Really, who cares? All the video would likely show is your face, maybe shoulders. It seems unlikely that they would get any truly compromising footage. And as for their threat, does anyone really think their friends or family would trust some random person who hacked into your computer in the first place? Honestly, I think these guys are doing it all wrong; they would be better served to make a ton of fake videos of what they are claiming to have and send them off to people, and threaten to keep sending them unless you pay. Maybe I’m an evil genius and didn’t even know it. LOL
Paul Ducklin
Blackmail is a scary and confronting crime – and it doesn’t always matter if the crooks really have any leverage over you or not, it’s the fact that they are prepared to say they do. And, yes, I think that many people would believe a so-called hacker over a friend or family member on the principle of “no smoke without fire”.
You only have to look at recent hoaxes such as Talking Angela (a harmless speech recognition app that was claimed by a rumour to be a front for child abuse) and Houseparty (people insisted that if you installed this app then your accounts would pretty much instantly be hacked). Millions of people around the world not only believed those ridiculous hoaxes based on the say-so of random strangers, but demanded that their friends and family accept these random claims as true.
The typical flawed “logic” to justify believing this sort of errant nonsense went along the lines of “but why would [random person on the internet] confirm it if it were not true?” (The flaw in this logic is a misunderstanding of “confirm”, which means “to conduct an informed review, re-evaluate the evidence objectively and end up with the same conclusions”, not “to copy and paste some text on a social network”.)
ParanoidCanuk
You should have let me know. I would have forwarded you all those letters I got !
Of course I knew what they were from the beginning and have always ignored/deleted them. You guys coulda had them. Sorry they’re gone now…
My microphone is turned off and there is a wee band-aid over my laptop’s and tablet’s cameras.
P.S.
What the Heck is a Payment Gateway? I hope not what I’m thinking…
Paul Ducklin
AFAIK, a payment gateway for Bitcoin is just like a payment gateway for credit cards (the part of your website that processes transactions, say when a visitor does a checkout and pays for the goods in their cart). You can think of it as a one-way BTC exchange where you trade BTC for, say, a bunch of bicycle parts (I made that up – I don’t know any bike shops that take cryptocurrencies) instead of trading BTC for money or other cryptocoins as you would at a general-purpose exchange.
Ryan
I received a second of the same email today from different addresses. I can forward if it would benefit…
Jan Willem Broekema
Yes, Paul Ducklin, I’ve been (and probably will be) confronted with these porn scams. Everything you write is indeed correct and important to know, even more so if other people rely on you as an internet specialist.
As former Data Protection Commissioner I have been working on many of these cases. The best defence against scams and malware in general is your brain. Do not rely on software to do this work for you.
Do not panic and do not click buttons in email. Make a backup of your files (you wanted to do that every day, remember?). Could this be true about you or is there no connection (you have no webcam, you do not do porn where you leave a password)? The password is ages old or unused? Forward the message to your local or national fake-email website.
Why will this scam work? Because scams with small payments are untraceable, they’re not worth the police troubles. The problem is: millions of small payments make scammers millionaires.
Gordon
I have received 2 in the last 3 days. The first was the typical one you described, and I ignored it. Last night I received a second saying that it has been posted on porn sites and that I have 20 hours 30 minutes to pay!
I could send them to you if wanted. Thanks for the site
Concerned husband
My WIFE has received three of these e-mails in the past week; the latest referred to the previous e-mails and expressed anger that we ignored the previous threats. Indeed, the e-mail we received tonight was quite confrontational, threatening and laced with profanity. Truly unnerving I must say. Is this a new evolution in the scam, i.e., follow-on threats?
Paul Ducklin
We’ve seen follow-on threats before, for example:
https://nakedsecurity.sophos.com/2019/12/24/sextortionists-return-for-christmas-price-goes-down-threats-go-up/
Bryan Henderson
What I thought was a good tipoff that it’s a bluff, even if you’ve actually watched porn in front of a webcam and use the password in the email, is that they don’t include a copy of the alleged video. What halfway competent blackmailer wouldn’t include proof that he had the goods?
I found these to be the highest quality scam emails I ever received. Near perfect English, with a technical description of the hack that was quite plausible. But they really should at least attempt to explain why the video isn’t attached. They could probably make up some technical B.S. that some people would buy.
Dennis Coburn
Several people have suggested improvements in the scam! What’s that all about? Are you trying to help scammers improve their approach? Are you trying to tell us how smart you are? Despite the fact that scammers have probably already thought of and rejected your suggestions, please keep these ideas to yourself, just in case an incompetent scammer happens to be reading these posts.