Inside the mind of a sextortion scam artist

Do they really have access to your browsing habits and data?

Sextortion is nothing new, but the way in which cybercriminals attempt to relieve us of our money through blackmail is evolving.

The Internet hosts countless websites with pornographic content, live adult camera streams, infidelity websites, and more. Visitors are unlikely to want their browsing activities or viewing habits made public, and this is an area from which scam artists are now attempting to profit.

The effects of true sextortion can be devastating. Following a data breach at the extramarital affairs website Ashley Madison, which leaked the private information of millions of members, one former user who told us his story back in 2015 received an email with the subject header, "Action required regarding recent security breach."

The email contained details of his account, subscription, and payments, as well as a demand for two Bitcoin (BTC) to prevent the information from being sent to his home address.

While the user did not pay up, he ran the risk of such information not only being physically sent to his spouse, but also appearing online -- where colleagues, friends, and other family members could stumble across it.


The man in question was far from the only former member of the website to receive blackmail threats -- and in 2017, a new wave of blackmail hit former members.

The reason the data breach and its effects roared back to life is simple: once information is leaked online, it cannot be removed easily. The Dark Web is teeming with stolen data dumps from countless organizations and these collections are easily bought and traded.

The landscape has changed from basic, automated spam emails to messages which include a snippet of this kind of data connected to the intended victim, such as a password or username.

Phishing campaigns and scams are constantly evolving and will use whatever resources possible to frighten victims into paying up -- and this will include the use of information stolen from data breaches.


Ashley Madison was an exception to the rule when it comes to general sextortion. Now, freely available data leaked from services unconnected to adult content is being used to play upon the fears of those who may be using the Internet to access adult services.

In July, security expert Brian Krebs described such a scam, in which a sextortion email would mention a password the intended victim had previously used for a service, and then continue:

"I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam [...] I made a split-screen video.

First part recorded the video you were viewing (you've got a fine taste haha), and next part recorded your webcam (Yep! It's you doing nasty things!)."

The email would then demand a payment to keep the "little secret" between each party.

This particular scam appears to be semi-automated and pulls up passwords leaked from a public data dump before pinging the phishing email to the email address connected to the stolen data.

In October, researchers from Malwarebytes listed Bitcoin wallet addresses connected to a range of similar scams, some of which would claim that victims had visited a pornography website which downloaded malware to their system and captured the user masturbating or being involved in similar acts.

Another sextortion scam revealed in the same month connected a Bitcoin address to the scammers; at the time of writing, that address is still active. It is believed this scheme alone has raked in thousands of dollars for the cybercriminals responsible for it.


Now, researchers from Cisco Talos have begun tracking a set of active sextortion campaigns, one of which began on August 30, and another which was detected beginning October 30.

Over the course of 58 days, the campaigns sent a combined 233,236 spam emails, transmitted from 120,659 unique IP addresses.

The scam emails not only used passwords likely obtained from a public data breach dump but also used leaked telephone numbers. Some messages claimed that the operators had proof that a victim's partner was cheating on them, and that this information could be had for a price. In other cases, the messages went so far as to say the senders were hitmen paid to kill the victim who, after a change of heart, would be willing to reveal who had hired them in return for payment.

In total, roughly 50 percent of these messages originated from only five countries: Vietnam, Russia, India, Indonesia, and Kazakhstan.

Despite sending so many messages, the researchers found only just over 15,000 unique victim addresses, some of which had been contacted hundreds of times.

Each sextortion email contained a payment demand which was randomly generated, ranging from $1000 to $7000.


The number of Bitcoin wallet addresses attached to the spam emails is vast. In total, over 58,000 unique addresses are associated with these campaigns, which works out at roughly three sextortion messages per wallet.

At the time the research was published, the combined value of these wallets was $146,380 for 58 days' work. However, further investigation revealed that some payments made to the scammers were less than the minimum $1000 demand, which suggests that the same wallets are being used in other criminal schemes.

It is possible that these spam campaigns are the work of the Necurs botnet, given that indicators of compromise published by IBM overlap with Cisco Talos' findings.

"Most anti-spam solutions will filter out obvious sextortion attempts," Talos says. "However, that is no silver bullet. When these kinds of spam campaigns make it into users' email inboxes, many of them may not be educated enough to identify that it's a scam designed to make them give away their Bitcoins. Unfortunately, it is clear from the large amount of Bitcoin these actors secured that there is still a long way to go in terms of educating potential victims."
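The Talos findings above describe the traits these emails share: a password quoted as "proof", webcam/RDP/keylogger or hitman scare wording, a dollar demand between $1000 and $7000, and a Bitcoin payment address. As an added example that is not code from the article or from Cisco Talos, the Python below scores constructed sample messages on those traits and tallies flagged messages per wallet address; the sample bodies and the Bitcoin address are constructed, not real.

```python
import re
from collections import Counter

# Bitcoin address (legacy or bech32) and a dollar amount in the message body.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,39}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEMAND_RE = re.compile(r"\$\s?(\d[\d,]{2,})")
# Scare wording drawn from the scam variants the article describes.
SCARE_TERMS = ("rdp", "keylogger", "webcam", "split-screen", "malware",
               "hitman", "cheating", "little secret")

# Constructed sample bodies modelled on the quoted scam wording; not real emails.
SAMPLES = [
    "Your password is hunter2. I actually placed a malware on the porn website. "
    "Your web browser acted as a RDP and a keylogger, so I made a split-screen "
    "video of your webcam. Pay $3,400 to 1AbCdEfGhJkMnPqRsTuVwXyZ12345 in 48 hours.",
    "I am a hitman hired to kill you, but I had a change of heart. I also know your "
    "partner is cheating. Send $1,200 to 1AbCdEfGhJkMnPqRsTuVwXyZ12345 and I will talk.",
    "Reminder: your password will expire in 5 days. Visit the portal to reset it.",
    "Invoice attached: $2,500 due on receipt. Thanks for your business.",
]

def analyze(body):
    """Return the indicators found in one message and whether it is flagged."""
    text = body.lower()
    addr = BTC_RE.search(body)
    demands = [int(d.replace(",", "")) for d in DEMAND_RE.findall(body)]
    hits = {
        "btc_address": addr.group(0) if addr else None,
        "demand_in_range": any(1000 <= d <= 7000 for d in demands),
        "quotes_password": bool(re.search(r"\bpassword\b", text)),
        "scare_terms": [t for t in SCARE_TERMS if t in text],
    }
    # Require three of the four traits so a password-reset notice or a
    # plain invoice does not trip the rule on a single indicator.
    score = (int(hits["btc_address"] is not None) + int(hits["demand_in_range"])
             + int(hits["quotes_password"]) + int(len(hits["scare_terms"]) >= 2))
    hits["flagged"] = score >= 3
    return hits

def wallet_counts(messages):
    """Count flagged messages per payment address, the pivot Talos used
    to size the campaign (roughly three messages per wallet)."""
    counts = Counter()
    for body in messages:
        result = analyze(body)
        if result["flagged"] and result["btc_address"]:
            counts[result["btc_address"]] += 1
    return counts
```

Run `wallet_counts(SAMPLES)` to see both scam variants attributed to the one constructed address while the reset notice and the invoice stay unflagged.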
