Sextortion Scam Uses Hacked Passwords to Defraud Victims

There are a few different variants of the so-called 'sextortion' scam, and it's safe to say that some are more disgusting than others. We should note that the one we're about to describe isn't the worst of its kind because when they use it, scammers demand money rather than actual sexual favors. It goes like this.

A con artist contacts you via email and says that he has somehow obtained a collection of pictures and videos depicting you minus your clothes. He has also found the emails of all your friends, relatives, and colleagues, and if you don't send him some cash, the sensitive footage will end up in their inboxes.

It's not difficult to see how such a scam could work. Some people do take potentially compromising photos and videos of themselves, and they sometimes share them with other people or fail to secure them properly. At the same time, there are malicious programs that can steal such compromising material and lists of contacts.

The whole scenario is theoretically possible, but it's fair to say that it's getting old now, and fewer and fewer people are falling for it. That's why with the latest wave of sextortion emails, the crooks have added a clever twist that is supposed to make the con much more believable. Before we get to it, however, let's see how this particular campaign has unfolded so far.

The operation

The emails appear to come exclusively from Outlook accounts, and although the popularity of this type of scam is wavering, there seem to be quite a lot of messages flying around. The spamming has been going on for over a week now, so although we still see a few emails slip through the cracks, hopefully, all spam filters will catch up soon.

The scenario

The crooks weren't very original when they were writing this. They claim that they've put malware on the adult video website you frequent. Through it, they silently turned on the web camera on your device while you were watching the videos and filmed you doing things that you don't want others to see.

The malware also collected all your contacts from your Facebook and email accounts, and if you don't send them some bitcoins, the scammers will send the recorded footage to everyone you know and love, causing you enormous amounts of embarrassment and distress. If you pay up, the videos will be deleted, and the whole thing will remain a secret. Curiously enough, while all messages appear to be a part of a single campaign, different emails demand different sums. They range between $1,200 and $3,900.

The party piece

All this is pretty much standard for this type of cons, and although there are people who could fall for it, most will simply delete the message. There is one more thing that brings a rather substantial layer of fake credibility to this particular campaign, though.

Remember the malware they supposedly installed on your device? Allegedly, it also has the ability to steal your password, and the email starts with something along the lines of "I know that [a real password] is your password." The recipients have indeed used the password included in the email at one point or another, which suddenly makes the scenario a lot more realistic.

You shouldn't be fooled, though. The passwords, while real, are over ten years old, and most of them are no longer active. That's not because the victims first got infected with malware ten years ago. It's because the crooks found the passwords in a leaked database that's now a decade old. You could actually argue that they made a mistake by using data that was hacked such a long time ago. If the passwords were more recent, users would have felt even more scared.

The future of sextortion scams

The examples above show that even when you think that a scam is past its sell-by date, the con artists still find a way of updating their tactics and making their schemes more elaborate and sophisticated. We doubt that this is the last time we see leaked passwords being used for similar purposes, but if you use unique passwords for all your accounts, you likely won't be too worried, as you'll know that while the crooks might have a way of compromising one account, the rest of your data remains safe.

As for the matter of hackers silently recording videos of you, there is malware that can help them do that, and while you can (and should) make sure that your device is as well protected as possible, there can never be any guarantees that nothing will be able to breach your defenses. Here's the thing, though – hackers can't surreptitiously film you if there is a piece of tape over your camera when it's not in use.

If all users stick to this advice, this particular type of sextortion will probably be deemed too ineffective and will be dumped by the crooks. Until then, it's unlikely to disappear.