For a while now, we have seen sporadic extortion emails that claim to have a video of you watching pornographic material. The emails usually count on the guilt and shame of the victim to convince them to pay up. However, the bad guys, of course, do not have any evidence of their kompromat, which makes the extortion weak. You would expect them to at least include a frame from the video.

Short of actually producing the video, I just saw another trick used to make the threat more plausible. The e-mail now includes a username and password that you used on *some* website. The bad guys are harvesting leaked account lists and use them to make their threat more plausible. A password the recipient recognizes proves only that it appeared in a breach dump, not that the sender ever had access to the recipient's computer. I include a screenshot of such an email below. "someoddpassword" was a password I used on some sites in the past. It was my throw-away password for a while, and I know it leaked in more than one breach.

The emails also include some random text at the end, which is typical for spam trying to evade spam filters. I did not reproduce that part in the screenshot. The copy I received was plain text and did not include any images or other trackers, contrary to what the email claimed. Currently, the bitcoin address in this email has not received any ransom payments. It is possible that each email uses a different address. (Update: Brian Krebs and others also received emails like this and wrote about it. It looks like each address is different.)
---
Johannes, ISC Handler, Jul 12th 2018

Comments:
We received a report of one of those messages with the address: 1AWKTr1vq3946tyuxG7Q1mLcJum4rjnmro and Krebs' article reports the address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 so it looks like they are using different ones.
Anonymous, Jul 12th 2018

I investigated an instance of this as well with this bitcoin address. 1GavsHHQM42DxG4F8SVeW4uyTFeZAL8cRn
Anonymous, Jul 15th 2018

Very interesting. It occurs to me that this type of extortion might also be used in spear-phishing-type attacks, again using the password or other previously leaked information to attempt to add credibility. This might then be used to gain a foothold inside organisations.
Extortion through guilt/shame is, unfortunately, likely to be effective at least some of the time. From the bad guy perspective, it is a relatively easy way to get "extra value" out of leaked credentials. It doesn't matter that the victim might have changed all their passwords since the credential loss; if they have an old password floated in front of them, many will not be aware that the claims in the rest of the email are unlikely from a technical perspective, and follow through motivated by guilt/shame.
Sorren1969, Jul 15th 2018

I am currently tracking 15 addresses from this campaign. So far 6 of them have payments on them and 2 of those 6 have two payments on them. Total collected on these 6 BTC addresses is approaching $19000 USD. Average payment is $2358 USD.
This information reveals some things about this campaign:
- The BTC addresses are not unique. While I do not have enough information to determine the size of the pool, I have seen two cases of two emails with the same BTC address, and the fact that multiple people have paid using the same BTC address confirms that. While anecdotal, since none of the 15 addresses has more than two payments, it is possible the addresses were not recycled a large number of times.
- People are paying for this scam. This is not a surprise, but certainly disappointing.
- None of the money has moved out of the BTC addresses, so the bad guys haven't started collecting their ill-gotten gains yet.
Rick, ISC Handler, Jul 15th 2018

I have seen 2 payments done for one of the BTC I am currently tracking. :/
Anonymous, Jul 17th 2018

1 address to add to the list:
Amount to be sent: 0.8 BTC
BTC ADDRESS: 14DesJvy9NieVDMbeJG4zEtELizzB9jKdG
Anonymous, Jul 30th 2018

Thanks. That is a new one. No payments on that one so far. They must think you are really naughty. That is the highest requested payment I have seen.
Rick, ISC Handler, Jul 30th 2018

Received: from mail0.beckymiles.com (beckymiles.com [46.161.42.97])
    by <> with ESMTP id 4D7A217A5 for <>; Mon, 30 Jul 2018 13:37:57 +0300 (MSK)
Date: Mon, 30 Jul 2018 03:37:57 -0700
$1000
Bitcoin Address: 14oHpqvFLgi7Y4KDDD2ksUvpQFo4q4y8Dj
M IV, Jul 31st 2018

That one is new as well. No payments on that one so far.
Rick, ISC Handler, Jul 31st 2018

A few new ones:
1Laj8VkobMn1BTQvvmUhABbAGf7N7QLTs3 - 0 BTC so far
    https://bitcoinwhoswho.com/address/1Laj8VkobMn1BTQvvmUhABbAGf7N7QLTs3
    https://www.reddit.com/r/Scams/comments/90tmo6/scam_they_have_a_password_of_mine/
1GkqvGk6rWTwW1EqJooyZeNjC2T7aDAPHW - The one from the email that made me aware of this scam in the first place. 0 BTC so far
    https://bitcoinwhoswho.com/address/1GkqvGk6rWTwW1EqJooyZeNjC2T7aDAPHW/urlid/12689026
1QAVaukg4es84us9XRTaPqztYB1XXoXEdA - They've got at least someone to bite. 0.77 BTC so far
    https://bitcoinwhoswho.com/address/1QAVaukg4es84us9XRTaPqztYB1XXoXEdA/urlid/12655819
    https://www.reddit.com/r/Scams/comments/908ax4/porn_blackmail_email_with_old_password/
Anonymous, Jul 31st 2018

The first two were new to me. The last one I already had, and it has shown up in a rather public Pastebin list.
Now tracking 336 BTC addresses. Thanks!
Rick, ISC Handler, Jul 31st 2018

Just got this one. Don't know if it's been reported yet.
13nyKnsKVsNwf6YugeDzTtZiSriqWYRxJt
Anonymous, Aug 3rd 2018

Thanks for sharing. Did the email that included this address have a password in it? This BTC address has payments on it that do not fit the pattern I have seen for this campaign. This means it is most likely for one of the other sextortion campaigns, or that this campaign is changing or being copycatted.
If possible, could you send me the campaign email (hopefully with headers) to rwanner(at)isc.sans.edu? Thanks!
Rick, ISC Handler, Aug 3rd 2018
