What Is Sextortion?
Recently, news of a widespread sextortion phishing scam has surfaced. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.
It Hit The News Mid-July.
July 12th: Brian Krebs broke the story online. Many of his followers commented about getting the same email with a part of their phone number.
July 23rd: My friend, and colleague, Robin Besotes, received the email.
July 24th: Newsweek published an article. It quotes a security researcher monitoring the bitcoin address listed, who reported that the scam had successfully received $125,000.00 from victims in its two-week life.
August 7th: The FBI’s Internet Crime Center posted a Public Service Announcement.
After doing research, I was beginning to feel left out. So, I perused through my spam folder and found a variety of similar threatening emails sent beginning August 5th.
What Is ‘The Email’?
The sextortion email in question boldly proclaims the following:
- The sender knows your username and password from an adult website.
- They hacked your computer and accessed illicit photos and videos.
- They know all your friends and their contact information.
- You must pay in bitcoins (dark web).
- A notification is sent to the sender when you open the email and you have one day to pay.
- If you don’t pay, the sender will release all the damaging photos and videos to all your contacts.
Scams Capitalize On Fear.
The email is a widespread scam that preys on the emotional triggers of fear. The receiver immediately goes into question mode: Do I have a webcam? Has it captured pictures? Have I taken illicit pictures? The concerning questions keep coming and the fear keeps growing.
Let’s Break This Down.
- This is not the work of one person sending out personalized emails. More likely, it is an automated message sent out randomly by many. The email I received was addressed to “Recipients.” My friend Robin’s, on the other hand, was more specific in using her actual name, user name AND password.
- The sender is not asking for a huge amount of money. In fact, the amounts on the email vary. Robin’s was $7,000.00, but mine was $750.00. The varying, low amounts are an indication an email is neither targeted nor valid. If they had any valuable bribery material, they would be asking for a lot more.
- The writer uses poor English. A big tip-off that an email may not originate in an English-speaking country is a low grasp of the English language. However, it could also be disguised to appear that way.
- A variety of email servers produce the emails. I saw Outlook being the sender on quite a few, with mine being from an unknown source. An array of emails sent from a variety of sources indicates a fear-based scam. Nothing is valid.
- The email address, user name and/or password displayed were gained through a hack of some site. The information was probably then sold on the dark web and purchased by many different people. With so many different buyers, the usernames & passwords were either viewed as recently obtained and, thus, valid; or the information was sold cheap and in bulk.
- Fear begets fear. The emails start by making you wonder what porn site you have been to, progress to claiming your computer has been hacked, then to claiming images were found on your computer and that the sender knows all your contacts, and wrap up with the claim that they know you are having an affair. If any of those strikes a nerve, then the fear will grip you, as it should.
What To Do If You Receive A Threatening Email.
The sexploitation scam followed on the heels of another scam and is paving the way for the scams that will come after it. The days are full of notices of new scams and new means to strike fear and con you out of your hard-earned money.
If you received one like mine, with no email and password listed, addressed to a general list of “Recipients,” the scam email should land in your spam folder. If it does not, tighten your email options for spam.
If you received this email and your head is telling you it is a scam, but your fear is screaming “what if?”, tell your fear to take a hike. Do NOT pay any ransom. It would only be your initial payment, not the last. It is a bait and hook scheme as in all bribery instances.
Also, do not respond, do not reply, do not do anything. Period.
Implement Stronger Passwords.
On my blog post Welcome to the Information Age, I provide the details about setting strong passwords. A password is the one thing standing between a hacker and all your information. Do not be lax or apathetic when it comes to creating a strong safeguard, or you may not like the results.
The Two-Factor Authentication Works.
Use the two-factor authentication offered on secure websites when available. When someone in a practice embezzles, my job is compiling evidence for law enforcement. I must have access to financial sites to be thorough in my analysis, spreadsheets, and reports. I know the two-factor authentication works because I cannot get into most financial institutions without being provided that information by the doctor. It is the internet’s chip technology, as long as the website itself stays secure.
Unplug Your Cameras.
If you have cameras connected to the internet, unplug them when you are not using them. If a camera is on your laptop, you can disconnect it through the Control Panel (Windows) or System Preferences (Mac). Alternatively, you can do the quick and cheap method, what I do on my laptop – tape a piece of paper over the lens. Pretty simple fix.
Never Open An Email Attachment From Anyone You Do Not Know.
Let’s take it one step further: if you know the person, but you’re not expecting an email from them, do not open it. Call them first. I received a DocuSign email supposedly sent from a doctor that wanted me to read it and tell him what I thought. I had not heard from this particular doctor in quite a while. Tip-off number one. So, I called the practice. The doctor was on vacation and had his email compromised. I suspect it was due to logging in from an unsecured internet site while on vacation in Mexico.
Assuming Someone Is Trying To Gain Your Information is a Safe Assumption.
In addition to Malwarebytes, I use Hotspot Shield VPN (a Virtual Private Network) on all my devices, which encodes and encrypts my internet usage. No information can be hacked. It is most assuredly the only safe way to use the hotel internet, for a relatively low annual cost.
At least every 5 weeks I am blogging about a breach of some kind. Read the links in this blog. Learn and act on the suggestions provided. Now is not the time to ignore the possibilities. Assume your information, logins, and passwords will be hacked.
What Are Your Vulnerabilities?
Implement protection today, not tomorrow after you have experienced a crisis. We can all rest safe – there are no compromising photos of me that would crash the internet. I did land on a porn site one time accidentally while researching for an article. That was a quick click to close the site, and the last time I didn’t thoroughly read the Google description before clicking.
If you do not visit porn sites or take/send compromising photos to anyone, then you don’t have to worry, right? But still, let’s all be safe and do what we need to do to protect ourselves, our families and our information.