We’ve started to see a few of these coming in from clients recently – a really horrible email

The exploit starts off with the simple statement that the extortionist knows your password and actually states it in the first sentence of the email. On average the passwords that I have seen have been ones that the users actually do have in use on the internet at various places which adds a sense of realism (and panic) to the email.   Most likely, an account associated with the email address has been compromised at some point and the criminal is using details / dump already available on the darker side of the internet.

 

Sample Email

I will directly come to the point. I’m aware XXXXX is your password. More importantly, I do know about your secret and I have proof of your secret. You don’t know me and no one hired me to investigate you.

It is just your bad luck that I found your blunder. In fact, I actually placed a malware on the adult videos (pornographic material) and you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser initiated operating as a Rdp (Remote control desktop) that has a keylogger which provided me accessibility to your display screen and also cam. Immediately after that, my software program obtained all your contacts from your messenger, facebook, and email.

After that I gave in much more time than I should’ve exploring into your life and generated a two screen video. First part shows the recording you had been viewing and second part shows the capture from your web camera (its you doing inappropriate things).

Frankly, I’m ready to forget about you and let you continue with your life. And I will present you two options which will accomplish this. The two option is to either ignore this letter, or perhaps pay me $3200. Let us explore above 2 options in more detail.

First Option is to ignore this e-mail. Let me tell you what is going to happen if you opt this path. I definitely will send out your video recording to your contacts including friends and family, co-workers, and so on. It doesn’t help you avoid the humiliation your household will must face when relatives and buddies find out your unpleasant videos from me.

Second Option is to make the payment of $3200. We will name it my “confidentiality tip”. Now let me tell you what happens if you choose this path. Your secret remains your secret. I will delete the recording immediately. You move on with your routine life as though nothing like this ever occurred.

Now you must be thinking, “I’ll just go to the cops”. Without a doubt, I have covered my steps to ensure this mail cannot be tracked returning to me and it will not stop the evidence from destroying your daily life. I am not trying to steal all your savings. I just want to be compensated for the time I placed into investigating you. Let’s hope you have decided to make all this go away and pay me the confidentiality fee. You’ll make the payment via Bitcoin (if you do not know how, type “how to buy bitcoins” in google)

Required Amount: $3200
Receiving Bitcoin Address: 1JE6Pxdb865yhxc92KfjypcaXHgdAJpdsZ
(It’s CASE sensitive, so copy and paste it carefully)

Tell no person what you should be sending the bitcoin for or they might not sell it to you. The procedure to have bitcoins will take a short time so do not delay.

I have a unique pixel within this e-mail, and now I know that you have read through this email. You have 24 hours in order to make the payment. If I don’t get the Bitcoin, I definitely will send out your video to all of your contacts including family members, co-workers, etc. You better come up with an excuse for friends and family before they find out. Nonetheless, if I do get paid, I’ll erase the video immediately. It’s a non-negotiable offer, thus kindly don’t ruin my personal time & yours. The clock is ticking.

 

So as you can see from the sample, the extortionist is hoping that you visit porn and that your password was in fact some iteration if not literally the password you use for your online accounts.  Our recommendations are as follows:

 

  • Never email the fraudster back
  • Never consider paying the ‘bad bounty’
  • Immediately change all passwords for your online accounts
  • Turn on 2-Step Authentication of all accounts where possible
  • Never use the same password across multiple sites
  • Turning off your webcam when not in use

You can check if your account has been compromised in a known data breach by visiting https://haveibeenpwned.com/

If in doubt about any email or your IT Security – feel free to contact Dash on 042-9335355

The Dash Team