Sometimes scammers just need to say they hacked you to pull in the cash. Since July, cybersecurity researchers, journalists and victims have seen a spike in extortion letters and emails demanding hefty sums of bitcoin. The twist is that the scammers send the victim one of their own passwords, likely gleaned from an already public breach, and use that as an intimidation tactic. The blackmailers then claim they have hacked into the target’s webcam while they were watching pornography. Pay up, or they’ll release the (made-up) video.
Now, researchers have found this scam has been pretty profitable, especially considering the low level of work involved on the fraudsters’ part.
“What is worrying is that scammers were able to siphon off [$500,000] from old password dumps with very little effort,” Suman Kar, CEO of cybersecurity firm Banbreach, told Motherboard in an online chat.
In July, cybersecurity journalist Brian Krebs reported on the new wave of sextortion emails.
“I’m aware that [victim’s password] is your password,” one part of an example email Krebs published reads. “First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!),” the version Krebs published adds, before demanding the victim send $1,400 in bitcoin to a specific bitcoin address.
It’s an enticing, if not devilish, proposition. Banbreach looked at around 770 wallets in total, according to a spreadsheet the company shared with Motherboard. The majority of those, around 540, did not receive any funds. But the remaining ~230 had over 1,000 transactions, receiving a total of around 70.8 BTC.
This figure is also likely only a conservative estimate, considering Banbreach’s methodology would not have captured all, or perhaps even the majority, of sextortion emails. Kar said Banbreach collected different bitcoin addresses used in this style of extortion by scraping comments on related media coverage, and picking them out from journalists’ articles. Kar said the company also fielded reports from victims in India, where scammers appear to be targeting at the moment in particular.
“$1000 is a lot of money for the average Indian,” Kar said.
Banbreach believes some of the passwords used to trick victims came from the LinkedIn and Anti-Public Combo list data breaches, the latter being a large collection of various data caches from multiple sources. Those two breaches turn up when entering sextortion victims’ email addresses into the breach notification site Have I Been Pwned, Banbreach said in a write-up of its research provided to Motherboard. However, it is still difficult to fully determine where a password ultimately came from, the company added.