Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/tools/honeypot/

Handler on Duty: Didier Stevens

Threat Level: green

New Extortion Tricks: Now Including Your Password!
For a while now, we have seen sporadic extortion emails that claim to have a video of you watching pornographic material. The emails usually count on the guilt and shame of the victim to convince them to pay up. However, the bad guys, of course, do not have any evidence of their kompromat, which makes the extortion weak. You would expect them to at least include a frame from the video. Short of actually producing the video, I just saw another trick used to make the threat more plausible. The e-mail now includes a username and password that you used on some website. The bad guys are harvesting leaked account lists, and use them to make their threat more plausible. I include a screenshot of such an email below. "someoddpassword" was a password I used on some sites in the past. Kind of my throw-away password for a while, and I know it leaked in more than one breach. The emails also include some random text at the end which is typical for spam to evade spam filters. I did not reproduce that part in the screenshot. The copy I received was plain text and did not include any images or other trackers as promised. Currently, the bitcoin address in this email has not received any ransom payments. It is possible that each email uses a different address. (Update: Brian Krebs and others also received emails like this and wrote about it. Looks like each address is different) --- Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute Twitter\| I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS San Francisco Winter 2022	Johannes 4602 Posts ISC Handler Jul 12th 2018
Thread locked Subscribe	Jul 12th 2018 4 years ago
We received a report of one of those messages with the address: 1AWKTr1vq3946tyuxG7Q1mLcJum4rjnmro and Krebs' article reports the address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 so it looks like they are using different ones.	Anonymous
Quote	Jul 12th 2018 4 years ago
I investigated an instance of this as well with this bitcoin address. 1GavsHHQM42DxG4F8SVeW4uyTFeZAL8cRn	Anonymous
Quote	Jul 15th 2018 4 years ago
Very interesting. It occurs to me that this type of extortion might also be used in spear fishing type-attacks - again using the password or other previously leaked information to attempt to add credibility. This might then be used to gain a foothold inside organisations. Extortion through guilt/shame is, unfortunately, likely to be effective at least some of the time. From the bad guy perspective, it is a relatively easy way to get "extra value" out of leaked credentials. It doesn't matter that the victim might have changed all their passwords since the credential loss - if they have an old password floated in front of them, many will not be aware that the claims in the rest of the email are unlikely from a technical perspective, and follow through motivated by guilt/shame.	Sorren1969 1 Posts
Quote	Jul 15th 2018 4 years ago
I am currently tracking 15 addresses from this campaign. So far 6 of them have payments on them and 2 of those 6 have two payments on them. Total collected on these 6 BTC addresses is approaching $19000 USD. Average payment is $2358 USD. This information reveals some things about this campaign - the BTC addresses are not unique. While I do not have enough information to determine the size of the pool, I have seen two cases of two emails with the same BTC address and the fact that multiple people have paid using the same BTC address confirms that. While anecdotal, since none of the 15 addresses has more than two payments it is possible the addresses were not recycled a large number of times. - people are paying for this scam. This is not a surprise, but certainly disappointing. - none of the money has moved out of the BTC addresses, so the bad guys haven't started collecting their ill gotten gains yet.	Rick 324 Posts ISC Handler
Quote	Jul 15th 2018 4 years ago
I have seen 2 payments done for one of the BTC I am currently tracking. :/	Anonymous
Quote	Jul 17th 2018 4 years ago
1 address to add to the list: Amount to be sent: 0.8 BTC BTC ADDRESS: 14DesJvy9NieVDMbeJG4zEtELizzB9jKdG	Anonymous
Quote	Jul 30th 2018 4 years ago
Thanks. That is a new one. No payments on that one so far. They must think you are really naughty. That is the highest requested payment I have seen.	Rick 324 Posts ISC Handler
Quote	Jul 30th 2018 4 years ago
Received: from mail0.beckymiles.com (beckymiles.com [46.161.42.97]) by <> with ESMTP id 4D7A217A5 for <>; Mon, 30 Jul 2018 13:37:57 +0300 (MSK) Date: Mon, 30 Jul 2018 03:37:57 -0700 $1000 Bitcoin Address: 14oHpqvFLgi7Y4KDDD2ksUvpQFo4q4y8Dj	M IV 1 Posts
Quote	Jul 31st 2018 4 years ago
That one is new as well. No payments on that one so far.	Rick 324 Posts ISC Handler
Quote	Jul 31st 2018 4 years ago
A few new ones: 1Laj8VkobMn1BTQvvmUhABbAGf7N7QLTs3 https://bitcoinwhoswho.com/address/1Laj8VkobMn1BTQvvmUhABbAGf7N7QLTs3 - 0 BTC So Far https://www.reddit.com/r/Scams/comments/90tmo6/scam_they_have_a_password_of_mine/ 1GkqvGk6rWTwW1EqJooyZeNjC2T7aDAPHW - The one from the email that made me aware of this scam in the first place. https://bitcoinwhoswho.com/address/1GkqvGk6rWTwW1EqJooyZeNjC2T7aDAPHW/urlid/12689026 - 0 BTC So far 1QAVaukg4es84us9XRTaPqztYB1XXoXEdA https://bitcoinwhoswho.com/address/1QAVaukg4es84us9XRTaPqztYB1XXoXEdA/urlid/12655819 - They've got at least someone to bite. 0.77 BTC So far https://www.reddit.com/r/Scams/comments/908ax4/porn_blackmail_email_with_old_password/	Anonymous
Quote	Jul 31st 2018 4 years ago
The first two were new to me. The last one I had already and has shown up in a rather public Pastebin list. Now tracking 336 BTC addresses. Thanks!	Rick 324 Posts ISC Handler
Quote	Jul 31st 2018 4 years ago
Just got this one. Don't know if it's been reported yet. 13nyKnsKVsNwf6YugeDzTtZiSriqWYRxJt	Anonymous
Quote	Aug 3rd 2018 4 years ago
Thanks for sharing. Did the email that included this address have a password in it? This BTC Address has payments on it that do not fit the pattern I have seen for this campaign. This means it is most likely for one of the other sextortion campaigns, or that this campaign is changing or being copycatted. If possible...could you send me the campaign email (hopefully with headers) to rwanner(at)isc.sans.edu Thanks!	Rick 324 Posts ISC Handler
Quote	Aug 3rd 2018 4 years ago

Sign Up for Free or Log In to start participating in the conversation!