A new play on an old email scam is making the rounds lately. You may receive a message supposedly sent to you by a hacker who has broken into your computer and used your webcam to record a video of you watching adult entertainment. The email threatens to release the video to all your contacts unless you pay a ransom. The twist this time on this sextortion scam? The email references a real password that was at one time tied to the recipient’s email address. How does this work, and what can you do?
The email will be formatted roughly like so (this was a recent example a client forwarded us, but there are other examples out there with a better grasp of English):
I’m a member of an international hacker group.
As you could probably have guessed, your account *removed* was hacked, I sent message you from it.
Now I have access to you accounts! You still do not believe it?
So, this is your password: *removed* , right?
Within a period from July 5, 2018 to September 21, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we’ve gotten full damps of these data.
We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..
But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one…
Transfer $700 to our Bitcoin wallet: *removed*
I guarantee that after that, we’ll erase all your “data” :D
A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount. Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.
You should always think about your security. We hope this case will teach you to keep secrets.
Take care of yourself.
The client told us that the password referenced was a legitimate password that they currently use in a few places, and they were concerned about how it had been obtained. Sadly, there are lots of shady places to buy the data leaked from large breaches over the years, so it’s fairly trivial to get old passwords if you know where to look.
Thankfully the client called us, and we told them to change the password everywhere it was used, get a good password manager, and secure that manager with two-factor authentication and a really long master password.
Go and check your email address at the Have I Been Pwned database. If your email shows up in their list, there’s a chance that your username and password from one of the large breaches ended up for sale on the dark web. If you get an email like the above and you still recognize the password as one you are using, update it right away and use unique passwords in as many places as possible.
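Have I Been Pwned also exposes its Pwned Passwords corpus through a free, no-key "range" API, which lets you test whether a password (such as the one quoted in a scam email) appears in known breach dumps without ever sending the password itself: the client hashes it with SHA-1 and sends only the first five hex characters, the service returns every hash suffix sharing that prefix with a breach count, and the match is made locally. The script below is an added example, not code from the original post; the endpoint format is the real one, but the sample response text and its count are constructed for offline use, and `fetch_range` is the only part that touches the network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real Pwned Passwords k-anonymity endpoint (no API key needed).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for a range response, used so the example runs offline.
# Each line is "<35-hex-char SHA-1 suffix>:<breach count>". The first suffix
# belongs to SHA-1("password"); the count is made up for illustration.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2F9A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4:2
"""


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Fetch the real range listing for a 5-char SHA-1 prefix (network access)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found).

    Only the hash prefix leaves the machine; the suffix comparison is local.
    """
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed response.
    n = breach_count("password", lambda _prefix: SAMPLE_RANGE_RESPONSE)
    print(f"'password' seen {n} times in the sample corpus")
    # To query the live service instead: breach_count("candidate")
```

Run it as-is for the offline demonstration, or call `breach_count("your-old-password")` with the default fetcher to query the live service. A non-zero count means the password is in circulation and should be retired everywhere it is used; a zero count only means it is not in this corpus, not that it is strong. The email-address lookup described above is done on the Have I Been Pwned website (its account API requires a key), so it is not reproduced here.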