[IS&T Security-FYI] Sextortion Scam Email

Mon Jul 16 13:36:08 EDT 2018

Hello all,

For your awareness, a current scam email is using old compromised passwords to make the scam more credible. This “sextortion” email claims to have installed malware on a target’s computer and captured a video while the target was visiting adult sites [1].

If anyone in your department receives one of these emails, they may recognize the password as one they have used in the past. The passwords are from old data breaches and are compiled into combo lists like the Anti-Public list from last year [2]. There is no such malware on their computer and no video exists.

While this scam email is a hoax, the FBI recommends [3] the following steps to avoid becoming a victim of sextortion:
•  Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
•  Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
•  Turn off [and/or cover] any web cameras when you are not using them.

A sample of the scam email is included below.

Best,
Jessica

Jessica Murray
Information Security Officer
MIT

[1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
[2] https://www.hackread.com/anti-public-combo-list-with-billions-of-accounts-leaked/
[3] https://www.fbi.gov/file-repository/stop-sextortion-brochure.pdf/view

I will cut to the chase. I do know someoldpassword is your password. More to the point, I know about your secret and I've evidence of it. You do not know me and nobody hired me to investigate you.

It's just your bad luck that I stumbled across your blunder. Let me tell you, I actually installed a malware on the adult vids (sex sites) and you visited this web site to experience fun (you know what I mean). When you were busy watching video clips, your browser started out operating as a Rdp (Remote control desktop) with a key logger which gave me access to your display screen and also webcam. Right after that, my software program obtained all your contacts from your messenger, facebook, as well as e-mail.

After that I put in more time than I probably should have investigating into your life and generated a two screen video. First part displays the recording you had been viewing and 2nd part shows the recording of your web cam (its you doing dirty things).

Frankly, I want to forget details about you and let you move on with your daily life. And I will offer you two options that can accomplish that. These two choices either to ignore this letter, or just pay me $2900. Let’s understand these two options in more details.

Option One is to ignore this email message. Let's see what will happen if you pick this option. I will definitely send out your video to all your contacts including relatives, coworkers, and many others. It will not shield you from the humiliation your family will feel when relatives and buddies find out your unpleasant details from me.

Other Option is to send me $2900. We will call it my “privacy charges”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You continue on with your daily life like nothing ever happened.

At this point you may be thinking, “I will complain to the police”. Without a doubt, I have taken steps to ensure that this e-mail can't be traced returning to me and it won't prevent the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be paid for my efforts I placed into investigating you. Let's hope you decide to make pretty much everything disappear completely and pay me my confidentiality fee. You'll make the payment via Bitcoins (if you don't know this, search "how to buy bitcoins" in google)

Required Amount: $2900
Bitcoin Address to Send to: <bitcoin address>
(It is case sensitive, so copy and paste it)

Tell nobody what you would use the bitcoin for or they possibly will not give it to you. The procedure to have bitcoins will take a day or two so do not delay.
I've a special pixel within this email, and now I know that you've read this message. You now have 24 hours in order to make the payment. If I don't receive the BitCoins, I will definately send out your video to your entire contacts including relatives, colleagues, and many others. You better come up with an excuse for friends and family before they find out. Nonetheless, if I receive the payment, I will erase the video immediately. It's a non negotiable one time offer, so please don't ruin my personal time & yours. The clock is ticking.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/ist-security-fyi/attachments/20180716/b86ccec7/attachment-0001.html