Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Sextortion Spam and the Infinite Monkey Theorem

Published: 2018-09-25
Last Updated: 2018-09-25 01:32:08 UTC
by Brad Duncan (Version: 1)
0 comment(s)

As early as 2018-09-05, I've seen daily waves of sextortion spam that have spoofed in the message headers and sending addresses.  Subject lines include a password the recipient allegedly uses.  Extortion prices range from $1,000 to $7,000 US dollars.

Back in July 2018, Johannes Ullrich wrote about an example here.  Brian Krebs also documented a wave earlier that month.  But recent sextortion emails appear to be mass-distributed without any real or current passwords.  Krebs indicated these criminals were using password lists from older data breaches.  However, these most recent waves don't seem particularly targeted.

Shown above:  An example of sextortion spam from Monday, 2018-09-24.

By now, many of us have probably seen or heard about these sextortion emails.  They are botnet-based spam, and emails from this latest campaign follow noticeably distinct patterns.  A different Bitcoin address is used for each message I've reviewed.  50 examples of this sextortion spam from Monday 2018-09-24 are available here.

Shown above:  Some metadata from my spreadsheet tracker for Monday, 2018-09-24.

These messages have different passwords for each recipient and different Bitcoin addresses for each message.  It's done on a massive scale of distribution, and I've only found English-speaking recipients.  I run across this type of spam at least every weekday.  I suppose criminals must find it cost-effective.

But does this actually work?

Criminals behind the campaign assume most people view pornography on their computers.  But the majority of passwords from this spam don't follow lists of most common passwords I've seen published.  The passwords in these messages appear to be somewhat random, even if they are based on information from data breaches.

I feel like this campaign is attempting to prove the infinite monkey theorem.  It states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type a given text, such as the complete works of William Shakespeare.  The infinite monkey theorem has been referenced several times in popular culture over the years.  My favorite reference is this Simpsons cartoon scene.

Shown above:  "This is a thousand monkeys working at a thousand typewriters.
Soon they'll have written the greatest novel known to man."

The idea may not be so far-fetched.  Given the amount of sextortion spam I run across in my day-to-day work, it might hit on someone's actual current password.  I doubt it, but it's possible.

An example of the sextortion spam follows.

just4fun one of your pass word. Lets get straight to the purpose. You do not know me and you're probably wondering why you're getting this e-mail? No one has compensated me to investigate about you.

Well, I installed a software on the xxx video clips (porno) website and guess what, you visited this website to have fun (you know what I mean). While you were viewing video clips, your internet browser began working as a RDP with a key logger which provided me access to your display screen and also web cam. Just after that, my software gathered all your contacts from your Messenger, Facebook, as well as emailaccount. And then I made a double video. 1st part shows the video you were viewing (you've got a good taste hehe), and second part displays the recording of your webcam, yeah it is u.

You get two choices. Why dont we understand these types of possibilities in particulars:

1st option is to ignore this message. In this situation, I most certainly will send out your very own video clip to all your your personal contacts and thus think concerning the shame that you receive. Not to mention if you happen to be in an intimate relationship, precisely how this will affect?

Latter option would be to give me $7000. I will regard it as a donation. In this scenario, I most certainly will immediately remove your video footage. You can go on your life like this never took place and you surely will never hear back again from me.

You will make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address to send to: 13Uw4tqt31ar8RauE8AEtdTxYe52wD9Y3Z
[CASE-sensitive, copy & paste it]

Should you are wondering about going to the cops, very well, this email cannot be traced back to me. I have covered my moves. I am also not trying to demand much, I simply prefer to be rewarded.

You now have one day in order to pay. I have a special pixel within this email message, and now I know that you have read this email. If I do not get the BitCoins, I will, no doubt send out your video to all of your contacts including relatives, colleagues, etc. However, if I do get paid, I will erase the video immediately. If you need proof, reply Yup and I will send out your video to your 6 contacts. It's a nonnegotiable offer and so please do not waste my time and yours by replying to this email message. 


Final words

I'm not sure how effective this sextortion campaign really is.  But due to poor security practices of potential victims, and based on how vulnerable some people are to suggestion, I suppose someone might be tricked into paying the criminals.

If countless variations of the Nigerian Prince scam have convinced people to share their bank account information, this sextortion scam might also be viable.

50 email examples and a spreadsheet tracker associated with today's diary can be found here.

Brad Duncan
brad [at]

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Analyzing Encoded Shellcode with scdbg
Sep 24th 2018
8 hours ago by DidierStevens (0 comments)

Hunting for Suspicious Processes with OSSEC
Sep 24th 2018
11 hours ago by Xme (1 comment)

Suspicious DNS Requests ... Issued by a Firewall
Sep 23rd 2018
1 day ago by DidierStevens (0 comments)

The danger of sending information for API consumption without adequate security measures
Sep 22nd 2018
2 days ago by Manuel Humberto Santander Pelaacuteez (0 comments)

Pre-Pwned AMI Images in Amazon's AWS public instance store
Sep 21st 2018
3 days ago by Johannes (0 comments)

Certificates Revisited - SSL VPN Certificates 2 Ways
Sep 19th 2018
5 days ago by Rob VandenBrink (2 comments)

Using Certificate Transparency as an Attack / Defense Tool
Sep 18th 2018
6 days ago by Rob VandenBrink (2 comments)

View All Diaries →

Latest Discussions

Attempting to report (msg body missing) -- Powershell malware in zip with jpg
created Sep 10th 2018
2 weeks ago by W60 (0 replies)

SSL Labs vs.
created Sep 7th 2018
2 weeks ago by Anonymous (0 replies)

SSL Labs vs.
created Sep 7th 2018
2 weeks ago by Anonymous (0 replies)

Has anyone any ideas what "glirote3" -- malware powershell link.
created Sep 4th 2018
2 weeks ago by W60 (0 replies)

Remote code execution attacks
created Aug 28th 2018
3 weeks ago by Anonymous (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
1 year ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
1 year ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
9 months ago by Russ McRee (2 comments)

Maldoc with auto-updated link
Aug 17th 2017
1 year ago by Xme (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
1 year ago by Renato (0 comments)