Sextortion Scam With Leaked Passwords Succeeds

Following the forum post on sextortion emails being spammed to innocent victims, we were curious to see whether this scam would actually be successful. We have observed similar scam campaigns before, but this time the scammers also include the victim's password, which lends the message a sense of legitimacy. During our analysis we observed 3 payments to the Bitcoin addresses used by the extortionists, so it appears that victims did fall for this scam and paid the ransom.

Using the following YARA rule, we identified 11 files uploaded to VirusTotal, resulting in 9 unique extortion emails.

rule sextortion_20180710
{
    strings:
        // Opening claim about the recorded video
        $a1 = "I made a split-screen video" ascii wide nocase
        $a2 = "I made a double-screen video" ascii wide nocase

        // Reference to the victim's leaked password
        $b1 = "password" ascii wide nocase
        $b2 = "pass word" ascii wide nocase

        // Adult-content theme of the extortion
        $c1 = "porn" ascii wide nocase
        $c2 = "adult" ascii wide nocase
        $c3 = "pornographic" ascii wide nocase

        // Claimed access method
        $d1 = "rdp" ascii wide nocase

        // Payment instructions
        $e1 = "btc" ascii wide nocase
        $e2 = "bitcoin" ascii wide nocase

    condition:
        // At least one string from every group must be present
        ($a1 or $a2) and ($b1 or $b2) and ($c1 or $c2 or $c3) and $d1 and ($e1 or $e2)
}


A typical extortion email for this campaign looks like this; notice the opening paragraph containing the password (redacted by us):

The subject of the email is the local-part of the victim’s email address (the part before @) followed by the victim’s leaked password. We were able to retrieve this password (together with the corresponding email address) from leaked password databases.

It looks like this new social engineering trick of including some secret (albeit old) information in a sextortion email can be successful: of the 8 different Bitcoin addresses we extracted from the 9 emails, 3 received Bitcoin during the last few days, in amounts ranging from $1900 to $3900 (the ransom demands we observed in the emails are $1900, $2900 and $3900).

Of course, we cannot be sure that the ransom was actually paid by the victims and not by somebody else, but these specific amounts do indicate that there could be a relationship to the extortion emails. To protect the victims, we are not publishing any IOCs that could lead to their identification.
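Triage of a message along the lines described above (subject = local-part followed by the leaked password; Bitcoin addresses and ransom amounts pulled from the body), as an added Python example that is not part of the original post or of NVISO's tooling. The sample email is constructed; the recipient, sender and password are invented; the Bitcoin address is the well-known genesis-block coinbase address, used only because it is a known-valid P2PKH string; and the separator stripped between local-part and password is an assumption, since the post does not state one. Base58check validation discards regex hits that merely look like addresses. The script makes no network requests, so checking whether an address actually received payments, as the authors did, remains a separate step.

```python
import hashlib
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample message, modelled on the post's description of the campaign.
# Recipient, sender and password are invented. The address is the genesis-block
# coinbase address, chosen only as a known-valid P2PKH string. Not a real IOC.
SAMPLE_EMAIL = """\
From: someone@example.net
To: jdoe@example.com
Subject: jdoe - Summer2016!

I'm aware that Summer2016! is your password. I made a split-screen video
while you were watching adult content, after logging into your desktop via rdp.
You'll make the payment via Bitcoin (if you don't know, search for how to buy
bitcoin). BTC Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(It is cAsE sensitive, so copy and paste it.) You have 24 hours to pay $1900.
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (base58check) addresses: P2PKH starts with '1', P2SH with '3'.
BTC_CANDIDATE_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Dollar amounts such as $1900 or $2,900.
USD_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' maps to one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58check: 25 bytes, version 0x00 (P2PKH) or 0x05 (P2SH), SHA256d checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_btc_addresses(text: str) -> List[str]:
    """Regex candidates that also pass the checksum, deduplicated, in order of appearance."""
    hits = [m.group(0) for m in BTC_CANDIDATE_RE.finditer(text)
            if is_valid_btc_address(m.group(0))]
    return list(dict.fromkeys(hits))


def extract_ransom_usd(text: str) -> List[int]:
    """Dollar amounts mentioned in the text, deduplicated, in order of appearance."""
    return list(dict.fromkeys(int(a.replace(",", "")) for a in USD_RE.findall(text)))


def password_from_subject(subject: str, recipient: str) -> Optional[str]:
    """Return whatever follows the recipient's local-part in the subject line.

    The post says the subject is the local-part followed by the leaked password;
    the separator is not given, so stripping spaces, ':' and '-' is an assumption.
    """
    local_part = recipient.split("@", 1)[0]
    if not subject.lower().startswith(local_part.lower()):
        return None
    return subject[len(local_part):].strip(" \t:-") or None


def triage(raw_email: str) -> Dict[str, object]:
    """Pull the campaign's observables out of one raw message."""
    msg = message_from_string(raw_email)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    return {
        "recipient": msg["To"],
        "password_candidate": password_from_subject(msg["Subject"] or "", msg["To"] or ""),
        "btc_addresses": extract_btc_addresses(body),
        "ransom_usd": extract_ransom_usd(body),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

Run over the 9 emails from the VirusTotal hunt, the address list is what you would then look up on a blockchain explorer to see which ones received the $1900, $2900 or $3900 payments; the password candidate is what you would check against leaked credential databases, as the authors did. Bech32 (bc1...) addresses are deliberately out of scope here, since the campaign used legacy addresses.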

About the authors
Didier Stevens is a malware expert working for NVISO. Didier is a SANS Internet Storm Center senior handler and Microsoft MVP, and has developed numerous popular tools to assist with malware analysis. You can find Didier on Twitter and LinkedIn.
