I think you’ll agree that one of the craziest and scariest things you can hear is that someone will post a sex video of you or expose a deep secret online unless you pay them money.

What!!! Me?!!

According to the FBI, sextortion (sex+extortion) is a serious crime that occurs when someone threatens to distribute private or sensitive material about you if you don’t provide them images of a sexual nature, sexual favors, or money.

Now, you’re probably thinking it can’t happen to you because you’re not into that sort of thing; but a new email scam might have just the right approach to make you believe there’s something to be worried about…especially if you ever dated someone who talked you into some provocative photos, X-rated or not—or if you have some reason at all to believe some unflattering information about you might be out there.

That’s how this new scam works.

How do I know?

Because someone tried to trick me into believing they had damaging information about me!

The sextortion scam in action.

I recently received an email that took me by surprise.

It said they had hacked into my computer and used my webcam to record a video of me while I was supposedly watching porn.

They also told me that unless I paid a ransom in Bitcoin, the recording they made would be released to all my contacts.

The clincher? They claimed they had “proof” of my actions.

The subject line of the email referenced a real (but very old) password I used for an online account.

The entire email was a hoax. It is a scam that this hacker sends to email addresses that have one thing in common: their email accounts were stolen at some point in the past…as mine was once.

Below is a copy of the scammer’s email:

SUBJECT: {name} - {redacted password}

It seems that, {redacted password}, is your pass word. You do not know me and you're most likely thinking why you're getting this e-mail, right?

actually, I actually setup a malware on the adult vids (pornography) site and there's more, you visited this web site to have fun (you know what I mean). While you were watching videos, your web browser initiated operating as a RDP (Remote Desktop) with a keylogger which gave me access to your display screen and also web cam. Just after that, my software obtained your complete contacts from your Messenger, Facebook, and email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you have a good taste lol), and second part displays the recording of your webcam.

exactly what should you do?

Well, I believe, $2900 is a reasonable price for our little secret. You will make the payment via Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).

BTC Address: {redacted bitcoin address}
(It is cAsE sensitive, so copy and paste it)

Note:
You now have one day to make the payment. (I've a unique pixel within this e mail, and at this moment I know that you have read this message). If I don't get the BitCoins, I will send out your video recording to all of your contacts including family members, colleagues, and so on. However, if I receive the payment, I will destroy the video immidiately. If you want evidence, reply with "Yes!" and I will certainly send out your video to your 5 contacts. This is a non-negotiable offer, and so don't waste my personal time and yours by replying to this mail.

A new wrinkle, but still a total scam.

Blog readers all over the internet have reported receiving different versions of this sextortion email – but always with the same format and Bitcoin element. They also confirmed that the password referenced in the email subject was previously linked to an online account associated with their email address and that the email sender used an Outlook account.

Now, some of us can take one look at this and easily spot the grammatical errors and misspellings that are the hallmark of email scams.

Additionally, we can recognize this for the scam that it is and dismiss the threat for the simple reason that we don’t visit porn sites.

But what about those who do happen to visit adult sites—which certainly isn’t news they would want the world to know?

You can imagine how real the threat seems for them. But they should know their knee-jerk fear is what the scammer is counting on.

There is no real threat.

Even though there is a reference to a pixel/image (“I’ve a unique pixel within this e mail, and at this moment I know that you have read this message”), that is actually not the case. There are no image pixels in the email I received.

The email isn’t based on anything the intended victim has actually done. There is no evidence. There was no webcam video, no proof of anything.

It’s all a lie.

At best, this is a semi-automated phishing scam. It’s very likely that your username and password were mined from a previous data breach of a popular website. In short, you’re receiving the same email as a million other users.

As this scam gets refined, it’s possible that more current usernames and passwords will be used, along with other personal information gathered from social media accounts, to make the hacking threat appear more credible.
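The tells in the quoted email (a leaked password in the subject line, a Bitcoin address, a one-day deadline, the webcam/RDP story) and the unverifiable “unique pixel” claim can all be checked mechanically. The block below is an added example, not code from the original post; the message it parses is constructed to mirror the quoted email, and the indicator names are my own.

```python
"""Added example (not from the post): flag the sextortion template quoted
above and test its 'unique pixel' claim. The sample message is constructed."""
import email
import re
from email import policy

# Address shapes: legacy/P2SH (base58, starts with 1 or 3) and bech32 (bc1...).
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
LURES = {  # wording this template relies on
    "password_claim": re.compile(r"\bpass ?word\b", re.I),
    "webcam_claim": re.compile(r"\b(?:web ?cam|RDP|keylogger)\b", re.I),
    "deadline": re.compile(r"\b(?:one|1|24|48)\s*(?:day|hours?)\b", re.I),
    "ransom": re.compile(r"\$\s?\d{3,5}\b|bitcoin|\bBTC\b", re.I),
}
REMOTE_IMG = re.compile(r"<img[^>]+src=[\"']?(https?://[^\"'\s>]+)", re.I)

def tracking_pixels(msg):
    """Remote <img> URLs in the HTML part; an empty list means no read-receipt pixel."""
    part = msg.get_body(preferencelist=("html",))
    return REMOTE_IMG.findall(part.get_content()) if part is not None else []

def score_sextortion(raw):
    """Return which indicators fire for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    hits = {name: bool(rx.search(body)) for name, rx in LURES.items()}
    hits["btc_address"] = bool(BTC_ADDR.search(body))
    # This template puts "{name} - {leaked password}" in the subject line.
    hits["secret_in_subject"] = bool(re.fullmatch(r"[^-]+ - \S+", (msg["subject"] or "").strip()))
    hits["tracking_pixel"] = bool(tracking_pixels(msg))
    return hits

SAMPLE = """\
Subject: victim - hunter2
Content-Type: text/plain; charset=utf-8

It seems that, hunter2, is your pass word. Your web browser initiated
operating as a RDP with a keylogger which gave me access to your web cam.
I believe $2900 is a reasonable price. Pay via Bitcoin.
BTC Address: 1SampLeAddrNotReaLxxxxxxxxxx
You now have one day to make the payment. (I've a unique pixel within
this e mail, and at this moment I know that you have read this message).
"""

if __name__ == "__main__":
    for name, fired in score_sextortion(SAMPLE).items():
        print(f"{name:18} {'YES' if fired else 'no'}")
```

Every lure fires on the constructed message while the pixel check stays empty, which is exactly the author's finding: the email threatens a read receipt it does not contain.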

How can you stay safe?

First, don’t fall for this sextortion scam. It is a total hoax, so don’t let it scare you.

But it does bring up another issue that’s related—that is, be careful what you do share online.

Prevention is key.

  • Don’t take compromising images of yourself. If you do, never send them to anyone – not even your spouse or significant other. Their devices and accounts are not hack-proof, and traditional sextortion cases are usually perpetrated by bitter exes.
  • Turn off and/or cover any web cameras when you are not using them. They can be hacked.
  • When using social media apps for video chat, use security features like Viber’s secret chat, which doesn’t allow users to take screenshots. You can also set messages to “self-destruct” after a set period of time.

If you believe you’re a victim of sextortion or know someone who is, contact your local FBI office or call toll-free at 1-800-CALL-FBI.

You can check for user-credential breaches associated with your email addresses or passwords at https://haveibeenpwned.com.

If you find compromised accounts, change the password of the account that had the breach.
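For the password side of that check, Have I Been Pwned’s Pwned Passwords service accepts only the first five characters of the password’s SHA-1 hash and returns every matching hash suffix, so the password itself never leaves your machine. The block below is an added example, not code from the post or from the site; the range response it searches is constructed, and the URL and the “SUFFIX:COUNT” line format are those of the public API.

```python
"""Added example (not from the post): check a password against Have I Been
Pwned's Pwned Passwords API by k-anonymity. Only the first five hex digits
of the SHA-1 hash are sent; the returned range is searched locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """5-char prefix that goes to the API, 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_text):
    """Search 'SUFFIX:COUNT' lines for our suffix; 0 means no breach hit."""
    for line in range_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Live lookup (network). The service sees the prefix, never the password."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, range_text=None):
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_text is None:
        range_text = fetch_range(prefix)
    return count_in_range(suffix, range_text)

# Constructed stand-in for the range response to prefix 5BAA6 (SHA-1 of
# "password" starts 5BAA61E4...); the counts are made up for the example.
SAMPLE_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000000:1
"""

if __name__ == "__main__":
    for pw in ("password", "hunter2"):
        print(pw, "->", pwned_count(pw, SAMPLE_RANGE), "hits in the sample range")
```

Calling `pwned_count("...")` without the second argument performs the real lookup; a non-zero count means the password has appeared in a breach and should be retired everywhere it was used.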

Finally, you should use a password manager such as LastPass, Dashlane or 1Password for an additional layer of security.

Update

According to an article on BleepingComputer over $50,000 has been paid to the scammer.

Chris Parker

Chief Marketing Technologist at CGP Holdings, Inc.
Founder and Chief Marketing Technologist of WhatIsMyIPAddress.com, the leading IP address lookup site. Chris has 15+ years of experience building and managing high traffic web sites. Web developer, programmer, IT Guy.