Cyber Criminals Rake in Half a Mil in Sextortion Bluff
You don’t necessarily have to hack a target to get them to ante up some cash; you just have to make them think you did. This has worked out really well for an enterprising group of cyber criminals, who have reportedly managed to collect $500,000 in Bitcoin by telling victims they needed to pay up to prevent a naughty video of them from being sent to every one of their contacts.
Thing is, though, there never were any videos, of any of the victims.
Security researcher Brian Krebs reported on this new sextortion scheme in July. The hackers behind it were, indeed, in possession of a password each victim used at one point in time, likely gleaned from one of the myriad of massive data breaches that have happened over the past few years. This lent an air of credibility to the emails they sent out, which claimed that the hackers had breached the victims’ webcams and caught them engaged in, uh, personal activities while viewing pornography sites:
I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
At the end, the email demanded $1,400 in Bitcoin to prevent the [non-existent] video from being released.
In many cases, Krebs reported, the passwords were a decade old, and a lot of potential victims realized that the whole thing was a bluff. But not everyone. Motherboard spoke with Suman Kar, CEO of Banbreach, who reported that the scheme had snagged the perpetrators half a million dollars:
Banbreach looked at around 770 [Bitcoin] wallets in total, according to a spreadsheet the company shared with Motherboard. The majority of those, around 540, did not receive any funds. But the remaining ~230 had over 1,000 transactions, receiving a total of around 70.8 BTC.
Motherboard notes that the $500,000 figure is likely a conservative estimate, as Banbreach looked at only a sampling of Bitcoin wallets used by the perpetrators.
In addition to the usual warnings about how to protect yourself against phishing emails, there are two lessons here:
- Cover up your webcam when you’re not using it. Even though this scheme was a bluff, webcams can be hacked, and naughty images aren’t the only content criminals are interested in. They can use a hacked cam to determine if your home is unoccupied, for example.
- Never take compromising photos or videos of yourself using a phone or any device that can connect to the internet. If it connects to the internet, it can be hacked, and once someone gets hold of your X-rated photos or home movies, you have no control over what happens to them next.
Originally published at wildowldigital.com on August 22, 2018.
