Sextortion Scam E-mails: “I Know Your Password”

There are hundreds of sextortion victims annually in Luxembourg… Will you be the next one?

1. What is ‘Sextortion’?

Generally speaking, sextortion is a type of extortion involving sexual material. This cybercrime is a growing concern, can affect anyone, and the majority of cases become unreported since the victims are too embarrassed to act in any way.

Please note that this is an opportunistic attack, and you did not get hacked! Don’t worry and follow the instructions described in the section ‘What should I do?’

1.1. An example

Usually, the victim receives a malicious e-mail explaining that one’s PC has been compromised by a remote access malware. The scam message also states that the malware has activated your webcam of your PC and recorded a compromising video clip about you…

The attackers claim that you should pay a ransom, usually in cryptocurrencies such as Bitcoin, in order to get the video destroyed – refusing to do so would lead to the attackers spreading the video to all of your contacts.

1.2. Use common sense!

When you receive a mail from ‘Amazon’ stating that your order arrived (even if you have not ordered anything), do you open the letter? Do you think that this e-mail contains valid and very important information to you? If you do not have a webcam, how anyone could record a video clip about you?

2. How did the scammer get my password?

If an attacker has obtained your password, it was likely collected from one of the major online servers after a data leak. Check whether your e-mail address is listed on the ‘Have I been Pwned?’ website or not.

3. What is the aim of the scammer?

As often, it’s money. The attackers are trying to get bitcoins in return for not spreading some secrets they claim to have obtained.

4. What do the numbers show internationally?

This is nearly impossible to esteem how many sextortion e-mails are being sent over time and space. Due to the nature of the crime, a huge number of cases go unreported: the majority of scam e-mails are blocked on spam filters, or simply go unreported because of embarrassment, fear, or shame. The figures of reported cases are just the tip of the iceberg…

E-mail scams do not know borders, and so fighting against cybercrime always requires international effort and collaboration. Comprehensive studies about this topic are rare; rather, we can find sporadic articles like ‘snapshots’ on this ever-growing threat.

As per the article of SophosLab, millions of sextortion e-mails were sent between September 1, 2019, and January 31, 2020, and nearly half-million US dollars generated in profits for Internet criminals. An average mail asked $800 worth of Bitcoin (BTC) to be transferred to a wallet address. Although the majority of recipients did not pay, the scammers still were able to collect $473,000 during the five-month period.

The scam messages were sent in short peaks instead of continuous or steady streams, which also implies that they were sent as part of a scam mail campaign, and the activity was consciously and minutely planned. The spam e-mails were sent out after working hours: in the evenings, or at the weekends.

The scam e-mails were sent from botnets using compromised personal computers. The messages were written in English (81%), Italian (10%), German (4%), French (3.5%) and in Chinese (1.2%).

A recent study on an Emotet sextortion campaign shows that between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the e-mails sent to potential victims. The study states that ‘Except for one address, all wallets were active in receiving payments, with amounts ranging from a few hundred to over $10,000 in each wallet. The campaign’s total was $57,000.’

5. What is the situation in Luxembourg?

Karin Basenach, director of the Centre Européen des Consommateurs, said that they do not have statistics on the number of incidents. She also added that ‘…not everyone is ready to talk to us and make a complaint’.

To the question, as to why the majority of cases remain unknown, Jacques Federspiel, BEE SECURE trainer, responded: ‘We’re a small country, everyone knows everyone. It’s easier to pay and not go to the police, who might also be your neighbour.’

Judith Swietlik-Simon, BEE SECURE coordinator, also added ‘It happens at all levels of society: you see it happening to people who are well-educated, directors, doctors, everyone.’ She said that there are several hundred sextortion cases annually in Luxembourg, and the country’s size and relative wealth also make its residents an easy prey for sextortion.

The CIRCL team has started recording incidents in June 2018. The team collects Bitcoin addresses used in scam campaigns and stores those addresses in MISP (Malware Information Sharing Platform). By knowing about the Bitcoin addresses, they can check whether the same address was used in different e-mail scams or not. Also, Bitcoin addresses are important to check how successful the campaigns were (i.e. how many victims paid the ransom).

6. What should I do?

1. Prepare yourself, hide your camera and use a password manager.
2. When you receive the threat: Do not panic!
3. Do not respond or send any payments to the scammer.
4. Immediately change your password on any online accounts that you think may have been breached.
5. Report the scam to CIRCL (forward the scam mail with the bitcoin address in it to info@circl.lu).
6. Mark the scam e-mail as spam and delete it.
7. To be on the safe side for the future: use different passwords for each online account.

7. Reference

1. Following the money in a massive ‘sextortion’ spam scheme.

2. Sextortion Scams Delivered by Emotet Net 10 Times More Than Necurs Sextortion - Here’s Why

3. Internet Dating Scams: ‘For me it was a real story’

4. TR-54 - Sextortion scam e-mails - I know your password.