Earlier in April, a new sextortion scam campaign was detected making the rounds in countries on both sides of the Atlantic. The spam emails that were detected by ESET's research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches.
The campaign is not altogether new, since it repurposes old scams, ESET reports. The first time that scammers made waves with these tactics was in 2018 with a campaign that also included the victim's password in the subject line. The email itself claimed that the password was obtained by compromising one of the recipient's devices using malware.
However frightening this may seem at first glance, these are just social engineering and scare tactics, employed by cybercriminals to generate panic in the recipients of these emails. To put it simply, it is highly unlikely that your computer has either been accessed or compromised, at least not by the method suggested in the email, so there is no need to panic.
The new extortion campaign borrows, or rather builds upon, the previous versions. The scammers start with an alarming message right off the bat to get the victim's attention, usually by including one of the victim's old passwords that was probably stolen as part of a previous data breach. Moving on, the fraudsters claim that the victim's device was infected by some form of malware when visiting a porn website, and that allowed them to obtain both the victim's password and access to their device. The scammers then purport to have made a video of the victim and the alleged "not safe for work" content.
Once the cybercriminals have scared their potential victims enough, they demand a sum to be paid within 24 hours or the embarrassing video will be released. They usually want the payment to be made in bitcoin.
After analyzing some of the cases stemming from this new sextortion scam campaign, ESET researchers found that it probably started sometime around the 8th or 9th of April. They checked the bitcoin wallet addresses shared by the attackers and found that they weren't faring very well, to put it mildly. By contrast, during the 2018 campaign the scammers were able to trick victims out of almost half a million dollars.
To reiterate, it is important to note that the password did not come from the potential victim's compromised machine. All of the breadcrumbs indicate that the campaign leverages credentials taken from large data leaks and older breaches, which, unfortunately, aren’' a rare occurrence. ESET researchers entered some of the victims' email addresses into to the Have I been pwned? website, and indeed found that their passwords and emails were gathered from services that suffered data breaches such as LinkedIn, Taringa, MyFitnessPal or Canva, among others.
Users are advised to go on Google or whatever search engine they prefer and enter the word scam, in quotes, along with an interesting phrase from the scam email. They can then scroll through the results, of which there may be a few thousand, and see if anything seems vaguely familiar. Quite often examples can be found of similar scams that have been floating about and have already been scrutinized by a number of researchers and experts in the field.
ESET is a global leader in IT security. The company was founded in Slovakia in 1992 and today it has representation in more than 180 countries.