New Phishing Scam Uses Prior Passwords, Porn Threat to Drive Fear
CYBERSPACE – There’s nothing new about cyber-scam artists using the threat of exposing a person’s porn viewing to extort money from their targets. Small adjustments to the techniques used to frighten recipients of such emailed threats can go a long way toward adding credibility, however, making an implausible claim seem far more likely to be carried out.
In what he terms a “clever new twist on an old email scam,” security blogger Brian Krebs reports that scammers are sending users messages in which the cybercriminal claims to have “compromised your computer and used your webcam to record a video of you while you were watching porn.”
Again, there’s nothing new about this sort of claim; many prior scams have involved hackers claiming to have snapped incriminating images of web surfers using their own laptop’s camera. In the current scam, though, there’s a new wrinkle: “The email now references a real password previously tied to the recipient’s email address,” Krebs wrote.
“The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded,” Krebs added. “But this one begins with an unusual opening salvo: ‘I’m aware that <substitute password formerly used by recipient here> is your password.’”
While the experience can be jarring, the three users who told Krebs that they’ve received such emails reported that in each case, the password in question was “close to ten years old.”
The vintage of the compromised passwords leads Krebs to speculate that “this improved sextortion attempt is at least semi-automated.”
“My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago,” Krebs wrote, “and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.”
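As an added, defender-side illustration (not from Krebs or Comparitech, and not part of the original article), the Python below scores a message body against the template described above: the quoted-password opener, the webcam/porn claim and a Bitcoin address, which the article notes is the one element that changes between copies. The sample message and wallet address are constructed for the example, and the claimed password is masked before it is surfaced so a leaked credential never ends up in a log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the template the article describes: an opening that quotes a
# leaked password, a webcam/porn claim, and a Bitcoin address (the element that rotates).
PASSWORD_CLAIM = re.compile(r"\bI['\u2019]?m aware that (\S+) is your password", re.IGNORECASE)
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
LURE_TERMS = ("webcam", "porn", "video of you")
PAYMENT_TERMS = ("bitcoin", "btc")

def mask_secret(secret: str) -> str:
    # Keep only the first character so the claimed password never lands in a log verbatim.
    return secret[:1] + "*" * (len(secret) - 1)

@dataclass
class Verdict:
    score: int
    claimed_password_masked: Optional[str]
    btc_addresses: List[str]
    hits: List[str] = field(default_factory=list)
    @property
    def is_sextortion(self) -> bool:
        # The password opener alone is not enough; require at least one more indicator.
        return self.score >= 3

def analyse(body: str) -> Verdict:
    # Score a message body against the template; each indicator found adds to the score.
    lower, hits, score, masked = body.lower(), [], 0, None
    m = PASSWORD_CLAIM.search(body)
    if m:
        masked = mask_secret(m.group(1))
        hits.append("password-claim")
        score += 2
    addrs = BTC_ADDRESS.findall(body)
    if addrs:
        hits.append("bitcoin-address")
        score += 1
    for name, terms in (("webcam-lure", LURE_TERMS), ("payment-demand", PAYMENT_TERMS)):
        if any(t in lower for t in terms):
            hits.append(name)
            score += 1
    return Verdict(score, masked, addrs, hits)

# Constructed sample following the template; the address is a made-up placeholder, not a real wallet.
SAMPLE_EMAIL = (
    "I'm aware that hunter2 is your password.\n"
    "I compromised your computer and used your webcam to record a video of you watching porn.\n"
    "Send $1,400 in Bitcoin to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab within 24 hours.\n"
)
```

The extracted address can be compared across a mailbox or mail gateway to group copies of one campaign, since the rest of the text is identical.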
Krebs added that he expects as the scam becomes more refined, “perpetrators will begin using more recent and relevant passwords — and perhaps other personal data that can be found online — to convince people that the hacking threat is real.”
Krebs said cyber criminals are likely to be able to get their hands on more recent password data because these days there’s a variety of “shady password lookup services online that index billions of usernames… and passwords stolen in some of the biggest data breaches to date.”
As Krebs and other researchers have pointed out, scams like these typically come to nothing when users ignore the emailed threats – because the criminals making the threat don’t really have control over a user’s computer, just enough information to frighten the recipient of the email.
In response to a previous, similar email-based scam, Comparitech researcher Lee Munson noted the “success rate for any scam email campaign is extremely low as the vast majority of such messages get nuked by anti-spam filters and security software, yet it remains a huge problem as the cost of entry is so very low.”
Munson observed that one reason scammers use porn as a vector for extortion emails is the anxiety it creates in recipients who believe their porn viewing habits are about to become a matter of public record – a concern that can overwhelm their ability to calmly consider their options in responding to the threat.
“Beyond believability and a false sense of urgency, the next greatest trick is to instill a sense of dread and panic, which is a massive motivating force,” Munson added. “Of course, the obvious answer is for people to completely disregard such messages or report them to ActionFraud or the police but many won’t due to the nature of the content.”