
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2018-09-25



Sextortion Spam and the Infinite Monkey Theorem

Published: 2018-09-25
Last Updated: 2018-09-25 01:32:08 UTC
by Brad Duncan (Version: 1)

As early as 2018-09-05, I've seen daily waves of sextortion spam that have spoofed yahoo.jp in the message headers and sending addresses.  Subject lines include a password the recipient allegedly uses.  Extortion prices range from $1,000 to $7,000 US dollars.

Back in July 2018, Johannes Ullrich wrote about an example here.  Brian Krebs also documented a wave earlier that month.  But recent sextortion emails appear to be mass-distributed without any real or current passwords.  Krebs indicated these criminals were using password lists from older data breaches.  However, these most recent waves don't seem particularly targeted.


Shown above:  An example of sextortion spam from Monday, 2018-09-24.

By now, many of us have probably seen or heard about these sextortion emails.  They are botnet-based spam, and emails from this latest campaign follow noticeably distinct patterns.  A different Bitcoin address is used for each message I've reviewed.  50 examples of this sextortion spam from Monday 2018-09-24 are available here.


Shown above:  Some metadata from my spreadsheet tracker for Monday, 2018-09-24.

These messages use a different password for each recipient and a different Bitcoin address for each message.  Distribution is massive, yet I've only found English-speaking recipients.  I run across this type of spam at least every weekday, so I suppose the criminals must find it cost-effective.

But does this actually work?

Criminals behind the campaign assume most people view pornography on their computers.  But the majority of passwords from this spam don't appear on the lists of most common passwords I've seen published.  The passwords in these messages appear to be somewhat random, even if they are based on information from data breaches.

I feel like this campaign is attempting to prove the infinite monkey theorem.  It states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type a given text, such as the complete works of William Shakespeare.  The infinite monkey theorem has been referenced several times in popular culture over the years.  My favorite reference is this Simpsons cartoon scene.


Shown above:  "This is a thousand monkeys working at a thousand typewriters.  Soon they'll have written the greatest novel known to man."

The idea may not be so far-fetched.  Given the amount of sextortion spam I run across in my day-to-day work, it might hit on someone's actual current password.  I doubt it, but it's possible.

An example of the sextortion spam follows.

just4fun one of your pass word. Lets get straight to the purpose. You do not know me and you're probably wondering why you're getting this e-mail? No one has compensated me to investigate about you.

Well, I installed a software on the xxx video clips (porno) website and guess what, you visited this website to have fun (you know what I mean). While you were viewing video clips, your internet browser began working as a RDP with a key logger which provided me access to your display screen and also web cam. Just after that, my software gathered all your contacts from your Messenger, Facebook, as well as emailaccount. And then I made a double video. 1st part shows the video you were viewing (you've got a good taste hehe), and second part displays the recording of your webcam, yeah it is u.

You get two choices. Why dont we understand these types of possibilities in particulars:

1st option is to ignore this message. In this situation, I most certainly will send out your very own video clip to all your your personal contacts and thus think concerning the shame that you receive. Not to mention if you happen to be in an intimate relationship, precisely how this will affect?

Latter option would be to give me $7000. I will regard it as a donation. In this scenario, I most certainly will immediately remove your video footage. You can go on your life like this never took place and you surely will never hear back again from me.

You will make the payment by Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address to send to: 13Uw4tqt31ar8RauE8AEtdTxYe52wD9Y3Z
[CASE-sensitive, copy & paste it]

Should you are wondering about going to the cops, very well, this email cannot be traced back to me. I have covered my moves. I am also not trying to demand much, I simply prefer to be rewarded.

You now have one day in order to pay. I have a special pixel within this email message, and now I know that you have read this email. If I do not get the BitCoins, I will, no doubt send out your video to all of your contacts including relatives, colleagues, etc. However, if I do get paid, I will erase the video immediately. If you need proof, reply Yup and I will send out your video to your 6 contacts. It's a nonnegotiable offer and so please do not waste my time and yours by replying to this email message. 
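As an added example (not code from the diary), the following Python triage script pulls the fields tracked in the spreadsheet above (claimed password, Bitcoin address, demanded amount, sending domain) out of raw messages and counts distinct Bitcoin addresses to confirm the one-address-per-message pattern.  The sample messages are constructed here and modelled on the spam quoted above; only the first Bitcoin address is the one printed in the diary, and the yahoo.jp / Bitcoin / $1,000-$7,000 fingerprint is an assumption drawn from the patterns described in this diary.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages modelled on the quoted spam (not real mail).  The first
# BTC address is the one shown in the diary; the other is a constructed placeholder.
SAMPLES = [
    "From: Ayumi <ayumi8891@yahoo.jp>\nSubject: just4fun\n\n"
    "just4fun one of your pass word. Lets get straight to the purpose.\n"
    "Latter option would be to give me $7000. I will regard it as a donation.\n"
    "BTC Address to send to: 13Uw4tqt31ar8RauE8AEtdTxYe52wD9Y3Z\n"
    "[CASE-sensitive, copy & paste it]\n",
    "From: Kenji <kenji.t@yahoo.jp>\nSubject: summer99\n\n"
    "summer99 is your password. You have one day to pay.\n"
    "You pay me $1,000 by Bitcoin.\n"
    "BTC Address to send to: 1ExampLeAddressConstructedXXXXXXXX\n",
    "From: Payroll <hr@example.net>\nSubject: Your September payslip\n\n"
    "Please find attached your payslip for September.\n",
]

# Base58 P2PKH/P2SH address shape: leading 1 or 3, no 0/O/I/l, 26-34 chars total.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,33}\b")
# Dollar amount with optional thousands separators, e.g. "$7000" or "$1,000".
USD_RE = re.compile(r"\$\s?(\d+(?:,\d{3})*)")

def extract(raw):
    """Pull the fields the diary's spreadsheet tracks out of one raw message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    _, addr = parseaddr(msg.get("From", ""))
    btc = BTC_RE.search(body)
    usd = USD_RE.search(body)
    return {
        "from_domain": addr.rpartition("@")[2].lower(),
        "password": (msg.get("Subject") or "").strip(),  # subject carries the password
        "btc": btc.group(0) if btc else None,
        "usd": int(usd.group(1).replace(",", "")) if usd else None,
    }

def matches_campaign(rec):
    """Assumed fingerprint of this wave: spoofed yahoo.jp sender, a Bitcoin address,
    and a demand inside the $1,000-$7,000 range the diary reports."""
    return (rec["from_domain"] == "yahoo.jp" and rec["btc"] is not None
            and rec["usd"] is not None and 1000 <= rec["usd"] <= 7000)

def triage(raws):
    """Return the matching records and the number of distinct Bitcoin addresses."""
    hits = [r for r in map(extract, raws) if matches_campaign(r)]
    return hits, len({r["btc"] for r in hits})
```

Run `triage(SAMPLES)` to get the two campaign messages and a distinct-address count of 2; the payslip message is left out because it carries no Bitcoin address or demand.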

Final words

I'm not sure how effective this sextortion campaign really is.  But due to poor security practices of potential victims, and based on how vulnerable some people are to suggestion, I suppose someone might be tricked into paying the criminals.

If countless variations of the Nigerian Prince scam have convinced people to share their bank account information, this sextortion scam might also be viable.

50 email examples and a spreadsheet tracker associated with today's diary can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net
