A Brief Reminder on Sextortion Spam

The sextortion spam that is prominent today has existed for many months now, if not longer. We’ve written about it ourselves in our April post (https://spamauditor.org/2018/04/no-they-didnt-catch-you-masturbating/). However, we understand that most people are not up to date with information security news, so this article provides a summary of sextortion spam and the different iterations we have encountered so far during our spam auditing.

The Meaning of ‘Sextortion’

This particular kind of spam is commonly referred to as ‘sextortion’ spam. The word is a combination of sex and extortion, which is essentially what the email message is trying to do. The recurring theme we see is that the ‘hacker’ claims to have installed malware on your device, recorded you viewing porn and masturbating, and attempts to blackmail you by threatening to send the video to your contacts unless you transfer money to a bitcoin wallet. Hence, extortion by use of sex-related material.

However, there is no evidence that these people have any such video. It is a scare tactic used to prey on the gullible. The fact is that the scare tactic seems to be working, as evidenced by the transfers into the scammers’ bitcoin wallet addresses. (One begins to wonder just what kind of people fear this blackmail spam enough to pay.)

Iterations of Sextortion Spam

The earliest iterations were basic, just as described above. However, as time went on, the scammers tweaked their messages to be a little more convincing.

One tweak is claiming to know your password, and the email may quote one that truly is a password you have used in the past.

Another tweak is providing a phone number (or its last 4 digits) which may be yours, present or past.

There may be other tweaks in the future, such as knowing your name, address, etc.
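The traits described above (a malware claim, a webcam recording, a quoted password or phone digits, a threat to contacts, and a bitcoin payment demand) can be turned into a simple scoring filter. The following is an added example written for this article, not code from the site or from any mail product; the signal patterns, weights, threshold and the two sample messages are all constructed here, and the bitcoin-address pattern is a loose syntactic match rather than a checksum-validated one.

```python
from __future__ import annotations
import re

# Each signal is (name, regex, weight). Weights and the threshold are assumptions
# chosen for this example; tune them against your own mail corpus.
FLAGS = re.IGNORECASE | re.DOTALL
SIGNALS = [
    # Legacy 1.../3... base58 addresses and bech32 bc1... addresses (loose match)
    ("bitcoin_address",  r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b", 3),
    ("payment_demand",   r"\bbitcoin\b|\bbtc\b|\$\s?\d{3,}\b|\b\d{3,}\s?(?:usd|dollars)\b", 1),
    ("malware_claim",    r"\b(?:install|plant|plac|put)\w*\s+(?:a\s+|the\s+)?"
                         r"(?:malware|trojan|keylogger|virus|software|program)", 2),
    ("webcam_recording", r"\b(?:webcam|web\s*cam|camera)\b.*?\b(?:record|video|footage)", 2),
    ("adult_content",    r"\b(?:masturbat\w*|porn\w*|adult\s+(?:site|video|content))", 2),
    ("password_quote",   r"\b(?:your|ur)\s+(?:old\s+)?password\b", 2),
    ("phone_digits",     r"\b(?:last|ends?\s+(?:with|in))\s+(?:4|four)\s+digits\b|\bphone\s+number\b", 1),
    ("contacts_threat",  r"\b(?:send|forward|share|publish)\w*\b.*?"
                         r"\b(?:contacts|friends|family|colleagues|relatives)\b", 2),
    ("deadline",         r"\b(?:\d{1,3}|one|two|three)\s+(?:hours?|days?)\b", 1),
]
COMPILED = [(name, re.compile(pattern, FLAGS), weight) for name, pattern, weight in SIGNALS]
THRESHOLD = 6  # assumption: several independent signals must co-occur


def score_message(text: str) -> tuple[int, list[str]]:
    """Return (total score, names of the signals that matched) for one message body."""
    total, hits = 0, []
    for name, regex, weight in COMPILED:
        if regex.search(text):
            total += weight
            hits.append(name)
    return total, hits


def is_sextortion(text: str) -> bool:
    return score_message(text)[0] >= THRESHOLD


# Constructed sample: a message with the traits the article describes.
# The wallet address below is made up and only matches the address syntax.
SCAM = """Hi, I know that your password is hunter2.
Actually, I placed a malware on the adult video site you visited.
My software started your webcam and recorded a video of you while you watch porn.
I also have your phone number ending in 4455.
I will send the recording to all of your contacts unless you transfer $700 to my bitcoin wallet:
1FakeWaLLetAddressForDemoPurposes1
You have 24 hours."""

# Constructed sample: legitimate mail that mentions bitcoin and a password
# but carries none of the threat signals.
NEWSLETTER = """Weekly market digest: Bitcoin fell 4% after the exchange announced new wallet fees.
Reminder: update your password before the 30 days expire, and enable two-factor auth."""

if __name__ == "__main__":
    for label, body in (("SCAM", SCAM), ("NEWSLETTER", NEWSLETTER)):
        total, hits = score_message(body)
        print(f"{label}: score={total} sextortion={total >= THRESHOLD} signals={hits}")
```

The point of scoring rather than matching a single keyword is visible in the second sample: a newsletter that mentions bitcoin, a password and a deadline still scores well below the threshold, whereas the sextortion text trips nearly every signal at once.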

How do they have my Information?

Understandably, a password or number can easily cause some stress to the recipient. Even if you don’t have a camera on your device, or if you don’t watch pornography, it is still concerning that they seem to have some of your personal information. Where did they get this?

In the information security world, unfortunately, data breaches are very frequent and sometimes on a very large scale. Companies all over the world are constantly having their data exposed (both customer and employee data). These breaches may expose information such as email addresses, passwords, phone numbers, postal addresses, bank card details, etc.

Past data breaches are the most likely source of the data these sextortion scammers are using to attempt to blackmail people. This is perhaps why the password or number they provide is an old one. This is so common, in fact, that we have had one of our own business email accounts compromised by a data breach in the past. This goes to show that even if you are vigilant with your own security practices, a third party handling your information can still leak it (e.g. Adobe 2013, Equifax 2017).

For those curious, there is a certain website (easily found by searching “have I been pwned”) whose purpose is to tell you whether the email address you enter has been part of a known data breach.
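The same site also offers a password lookup that does not require sending the password (or its full hash) to anyone, which is the safe way to check whether a password quoted in one of these emails is already in a breach corpus. The example below is added here and is not code from the article or from Have I Been Pwned: it implements the k-anonymity range query (only the first five hex characters of the password's SHA-1 are sent, and the matching suffix is looked up locally in the returned list). The `SAMPLE_RANGES` response is constructed for offline use; the suffix for the password "password" is its real SHA-1 suffix, but the count beside it is made up.

```python
from __future__ import annotations
import hashlib
import urllib.request
from typing import Callable

# Pwned Passwords range endpoint; the caller appends the 5-character hash prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 if absent). Only the prefix leaves the host."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Live lookup (network). The User-Agent string is an arbitrary identifier chosen for this example."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response to the prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6). The two neighbouring suffixes and all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E2B0C0D2D4F2F7C1B8F3C7B5A6D9E0F1A2:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
        "1F0A3B5C7D9E1F2A3B4C5D6E7F8A9B0C1D2:1\r\n"
    ),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher: an unknown prefix yields an empty body, i.e. nothing listed."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "a-long-passphrase-constructed-for-this-demo"):
        print(f"{pw!r}: seen {breach_count(pw, fetch_range_offline)} times (offline sample data)")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the live service; the rest of the code is unchanged because the fetcher is injected.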


One Response to A Brief Reminder on Sextortion Spam

  1. MagicMail says:

    Just another reminder. Most extortion spam originates from compromised home-style connections. 99% can be blocked simply by using any good DUL RBL (Realtime Blacklist), whether from SpamRats, SpamHaus, or many others available online. The scam must be working, because others have jumped on the bandwagon, and this Remembrance long weekend (the bad guys like working on long weekends because system administrators are usually off) the largest number of attacks seen since this started months ago was detected.

    Small snapshot:

    2.124.39.237 (S) 1 027c27ed.bb.sky.com
    2.124.224.104 (S) 1 027ce068.bb.sky.com
    2.142.80.52 (S) 1 52.red-2-142-80.dynamicip.rima-tde.net
    2.152.27.127 (S) 1 2.152.27.127.dyn.user.ono.com
    2.154.97.64 (S) 1 2.154.97.64.dyn.user.ono.com
    2.206.13.206 (S) 1 dslb-002-206-013-206.002.206.pools.vodafone-ip.de
    2.217.56.67 (S) 2 02d93843.bb.sky.com
    2.222.95.14 (S) 2 02de5f0e.bb.sky.com
    2.223.233.4 (S) 1 02dfe904.bb.sky.com
    2.243.83.159 (S) 1 x2f3539f.dyn.telefonica.de
    2.247.241.144 (S) 1 x2f7f190.dyn.telefonica.de
    5.38.139.240 (S) 1 05268BF0.dsl.pool.telekom.hu
    5.54.15.71 (S) 1 ppp005054015071.access.hol.gr
    5.54.58.68 (S) 1 ppp005054058068.access.hol.gr
    5.54.113.139 (S) 2 ppp005054113139.access.hol.gr
    5.54.125.1 (S) 1 ppp005054125001.access.hol.gr
    5.67.216.57 (S) 2 0543d839.skybroadband.com
    5.68.248.50 (S) 1 0544f832.skybroadband.com
    5.173.16.133 (S) 1 user-5-173-16-133.play-internet.pl
    5.173.32.233 (S) 2 user-5-173-32-233.play-internet.pl

    Your email server should never accept email from these types of connections.
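The two checks the comment above recommends, a DUL/PBL lookup and a look at the reverse DNS of the connecting host, can be scripted against a snapshot like the one posted. The following is an added example and is not code from the commenter, from SpamRats or from Spamhaus. The DNSBL zone is a placeholder (substitute the zone name of the list you subscribe to), the listed-address set used by the offline resolver is constructed, and the reverse-DNS keyword heuristic is a rough aid for eyeballing logs rather than a substitute for a real list. The snapshot lines are copied from the comment.

```python
from __future__ import annotations
import re
import socket
from typing import Callable, Optional

# Placeholder zone (assumption); replace with your provider's dynamic/DUL zone.
DUL_ZONE = "dul.example.invalid"

# Tokens that commonly appear in the reverse DNS of dynamic/residential ranges.
DYNAMIC_HINTS = re.compile(
    r"dyn|dsl|pool|ppp|broadband|\bbb\.|user-|cable|dhcp|dial|"
    r"^[0-9a-f]{8}\.|"                           # hex-encoded IPv4 as the first label
    r"\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}",  # IPv4 embedded in the hostname
    re.IGNORECASE,
)

# "<ip> (<flag>) <count> <rdns>" as in the commenter's snapshot
SNAPSHOT_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+\((\w)\)\s+(\d+)\s+(\S+)\s*$")


def dnsbl_query_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Build the DNSBL query name: octets reversed, then the zone (2.124.39.237 -> 237.39.124.2.<zone>)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def looks_dynamic(rdns: str) -> bool:
    """Heuristic: does the reverse name look like a residential/dynamic assignment?"""
    return bool(DYNAMIC_HINTS.search(rdns))


def parse_snapshot(text: str) -> list[dict]:
    entries = []
    for line in text.splitlines():
        m = SNAPSHOT_LINE.match(line)
        if m:
            entries.append({"ip": m.group(1), "flag": m.group(2), "count": int(m.group(3)), "rdns": m.group(4)})
    return entries


def resolve_a_online(name: str) -> Optional[str]:
    """Live A-record lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip: str, zone: str, resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the 127.0.0.x return code if the IP is listed, else None."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer if answer and answer.startswith("127.") else None


# Constructed offline resolver: pretend two of the snapshot IPs are on the list.
LISTED_OFFLINE = {dnsbl_query_name(ip) for ip in ("2.124.39.237", "5.54.15.71")}


def resolve_a_offline(name: str) -> Optional[str]:
    return "127.0.0.10" if name in LISTED_OFFLINE else None


def triage(text: str, zone: str = DUL_ZONE,
           resolve: Callable[[str], Optional[str]] = resolve_a_offline) -> list[dict]:
    """Annotate each snapshot line with the rDNS heuristic and the DNSBL verdict."""
    rows = []
    for e in parse_snapshot(text):
        rows.append({**e, "dynamic_rdns": looks_dynamic(e["rdns"]),
                     "dul_listed": is_listed(e["ip"], zone, resolve) is not None})
    return rows


# Lines copied from the comment above.
SNAPSHOT = """
2.124.39.237 (S) 1 027c27ed.bb.sky.com
2.142.80.52 (S) 1 52.red-2-142-80.dynamicip.rima-tde.net
2.206.13.206 (S) 1 dslb-002-206-013-206.002.206.pools.vodafone-ip.de
2.243.83.159 (S) 1 x2f3539f.dyn.telefonica.de
5.54.15.71 (S) 1 ppp005054015071.access.hol.gr
5.67.216.57 (S) 2 0543d839.skybroadband.com
5.173.16.133 (S) 1 user-5-173-16-133.play-internet.pl
"""

if __name__ == "__main__":
    for row in triage(SNAPSHOT):
        print(f"{row['ip']:<14} dynamic_rdns={row['dynamic_rdns']!s:<5} dul_listed={row['dul_listed']!s:<5} {row['rdns']}")
```

On a real mail server this check belongs in the MTA's connection-time policy (Postfix `reject_rbl_client` or the equivalent in your MTA) rather than in a script, but the query-name construction and the 127.0.0.x return-code convention shown here are what those features do underneath.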
