Sextortion scams: researchers reveal numbers behind the attacks

Sextortion scam is a successful business for bad actors

Crooks are trying to scare users that their computer is hacked, friend's list acquired, and video cam footage taken of them watching porn.

Security experts at Cisco Talos released a research report^[1] detailing the two recent campaigns of the sextortion scams. Porn Blackmail virus^[2] has been active since mid-July 2018, and it seems like bad actors are not stopping deceitful activities anytime soon.

Attackers often employ data that was stolen during previous breaches (such as usernames and passwords) and use in their email campaigns to aid the sextortion scams. They claim that victim's account has been hacked, Remote Access Trojan injected into the PC, and videos were taken when the user was watching porn.

They further proceed to explain that, if the victim does not want these embarrassing recordings to be sent to their family, friends, and coworkers, they need to pay a specified amount of Bitcoin into the Bitcoin wallet, also provided in the email. Additionally, users are also warned that the webcam videos might be published on their social networks like Facebook, Twitter, or others.

According to research, the cumulative amount of extorted money reaches 23.3653711 Bitcoins or 147,377 US dollars in current conversion rate.

Sextortion is effective, here's why

What makes this campaign so believable and successful is the personal information included inside the email. Hackers often make use of personal passwords (often outdated) of various accounts or telephone numbers. This data was acclaimed previously in multiple data breaches, such as Linkedin hack of 2012.^[3]

Additionally, hackers are playing on users' embarrassment and unwillingness to expose themselves in such situations; thus, many are eager to pay, because a thought of facing their relatives and friends afterward is just way too unsettling.

Furthermore, hackers ask for anywhere between $1,000 to $7,000 payment, making profits stack up high quickly. Barracuda security team also researched recent sextortion campaigns^[4] and said:

With blackmail amounts at anywhere from $1,000 to $7,000, it's easy to see why the #sextortion scam is popular with cyber criminals, especially given that the overhead is so low.

Nevertheless, none of what hackers state in their email is true, apart from specified personal information. The computer is not hacked, no videos were taken, and bad actors have no clue about who victim's friends and coworkers are. It is all a cleverly engineered scam that helps crooks to acquire a large amount of money.

Peculiarities of sextortion scam

Cisco Talos group examined two spam campaigns (which are still active to this day), on starting on August 30, 2018, while another one beginning on October 5, 2018. Most of these contained a “From” address From =~ /Aaron\\d{3}Smith@yahoo\\.jp/ or From =~ /Aaron@Smith\\d{3}\\.edu/.

SpamCop, the service for scam reports, reported 233,236 sextortion emails sent from 37,606 unique IP addresses. The IP addresses are connected to multiple countries, including:

• Vietnam 15.9%
• Russia 15.7%
• India 8.5%
• Indonesia 4.9%
• Kazakhstan 4.7%, etc.

Talos experts concluded that Nectrus botnet is involved in distributing these sextortion messages, as India and Vietnam are countries that were invaded by the botnet the most. Also, the scam was presented in multiple languages, including English, German, French, Italian, Japanese, Korean and Arabic.

While a total of sent messages reaches almost a quarter of a million, the number of unique recipients remains quite low – a total of 15,826 email addresses, which means that, on average, 15 spam messages were sent to each email.

Precaution measures

Experts from IBM recommend users not to panic if they receive a sextortion message:^[5]

Do not get tricked by scams, research before you process any sort of online transactions.