Sextortion scams are emails in which an attacker claims to have hacked the recipient's computer and to have recorded the screen and webcam while the recipient visited adult sites. The scammers then blackmail the recipient by threatening to release the videos unless they receive a payment in bitcoin.
In the past, the sextortion emails would simply include a password of the target that the attackers had found in a data breach dump, in order to scare the victim into thinking the threats were real. Now the scammers are also pretending to have access to the target's email account by spoofing the sender address of the scam email so that it matches the victim's own address.
These scams have become very profitable, with scammers making over $50K in one week, and this new variant is no different. According to reporting by Daniël Verlaan, this new variant was first seen targeting victims in the Netherlands where the scammers made €40,000.
After learning about this new campaign, a security researcher known as SecGuru, who has been monitoring these scams, found a similar variant in English. SecGuru told internetnewsblog that the subject of these emails is “[email address] + 48 hours to pay”.
For example, if my email address was [email protected], the subject of the sextortion email would read "[email protected] 48 hours to pay" and the sender of the email would appear to be my own email account. You can see an example image of the English sextortion scam below.
Just like the Dutch victims, English-speaking victims have been falling for this scam and sending payments to the attacker. The bitcoin address 1GdegtNpYcvoCPsMmyiSkZARDdAmYuXGXU from the email above had received 4 payments since October 10th, totaling 0.37997578 bitcoins. This equates to approximately $2,353 for just two days of work sending out emails.
It is important for users to learn about these new scams, as they have been very successful in scaring recipients into making payments. Seeing your own address in the From field is not evidence that your account was compromised; the sender address of an email can be forged by anyone. Therefore, if you receive an email like this, do not panic: simply delete the email and then perform a thorough scan of your computer using an antivirus program. If the email quotes a password you still use anywhere, it came from an old data breach, so change it.
Mail providers can protect their domains using SPF and DMARC records
Sending spoofed emails so that they appear to be from someone else is nothing new. Phishers, scammers, and jokesters have been doing this for many years. With that said, mail providers can do a better job of making it harder for attackers to spoof email addresses using the domains they manage.
By using DNS records like Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), domain owners can lock down their domains to make it harder for external users to spoof domains under their control.
“In the Netherlands, mainly customers of Ziggo and KPN are now affected, but there are many vulnerable providers,” SecGuru told internetnewsblog. “If there are no good SPF and DMARC implementations, and the receiving mail server does not properly block the spoofing mails, then all customers are vulnerable. There are only a few providers that are using a good SPF and DMARC implementation.”
These records are free to publish and, when used properly, can make a huge dent in email abuse and spam. DMARC can also be configured so that you receive aggregate reports of mail that fails authentication for your domain, allowing you to monitor what malicious activity is being performed in its name.
SecGuru offers these suggested practices for protecting domains from being used for spam:
1. To prevent sending spoofed email:
- Create an SPF -all (hard fail) record with only the mail servers that are allowed to send mail on behalf of your domain.
- Configure DKIM on your mail servers and publish the key in a DKIM selector record in DNS.
- Create a DMARC record with value p=reject.
- Create SPF records for each subdomain.
- Create SPF records for mail server HELO names.
- Create SPF hard fail (-all) and DMARC p=reject records for all non-mail and unused domains.
2. To prevent receiving spoofed email:
- Check SPF results on incoming mail servers (hard fail = reject, soft fail = spam).
- Whitelist SMTP servers that are allowed to mail on behalf of their domain, block the rest.
- Check DKIM results on incoming mail servers (failure = reject).
- Check DMARC results on incoming mail servers (use the p= policy published in DNS).
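To show how the two halves of that checklist fit together, here is an added example (not code from the article or from SecGuru) that models both sides: the DNS records a domain owner publishes, and the decision a receiving mail server makes from them. The domains (example.com, unused.example, weak.example, nodns.example), the IP addresses and the DNS TXT records are all constructed for illustration. The SPF evaluator only implements the ip4/ip6 mechanisms and the "all" catch-all, and DKIM is not modelled, so DMARC is applied as if no DKIM signature were present.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains. Not real zone data:
# they stand in for what a DNS lookup would return and follow the
# sending-side checklist above.
DNS_TXT = {
    # Only the real mail servers may send for example.com; -all = hard fail
    "example.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    # DMARC with p=reject and aggregate reports (rua)
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    # SPF record for the mail server's HELO name
    "mail.example.com": "v=spf1 ip4:192.0.2.10 -all",
    # Non-mail / unused domain: nobody may send, and DMARC says reject
    "unused.example": "v=spf1 -all",
    "_dmarc.unused.example": "v=DMARC1; p=reject",
    # The weak setting, for contrast: soft fail (~all) and no DMARC record
    "weak.example": "v=spf1 ip4:203.0.113.5 ~all",
}

# SPF qualifier prefixes (RFC 7208); a mechanism without one defaults to "+"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed data above."""
    return DNS_TXT.get(name.lower())


def check_spf(domain, sender_ip):
    """Evaluate a subset of SPF (ip4/ip6 mechanisms and 'all') for the
    connecting IP. include/a/mx/redirect are deliberately not implemented.
    Returns pass, fail, softfail, neutral or none."""
    record = lookup_txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # the catch-all decides the verdict
        if mech in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 default)


def dmarc_policy(domain):
    """Return the p= policy from _dmarc.<domain>, or None if no record."""
    record = lookup_txt("_dmarc." + domain)
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for tag in record.split(";"):
        key, _, value = tag.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p", "none")


def disposition(mail_from_domain, sender_ip):
    """Receiving-side decision following the checklist above: SPF hard fail
    -> reject, soft fail -> spam, and a published DMARC p=reject turns any
    non-passing result into reject. DKIM is not modelled, so DMARC is
    applied as if no DKIM signature were present."""
    spf = check_spf(mail_from_domain, sender_ip)
    policy = dmarc_policy(mail_from_domain)
    if spf == "fail":
        return "reject"
    if spf != "pass" and policy == "reject":
        return "reject"
    if spf == "softfail":
        return "spam"
    return "accept"


if __name__ == "__main__":
    # A scammer at 203.0.113.77 spoofing the victim's own example.com address
    print("spoofed example.com:", disposition("example.com", "203.0.113.77"))  # reject
    # Legitimate mail from the real server
    print("real example.com:", disposition("example.com", "192.0.2.10"))  # accept
    # The same spoof against a domain with only ~all and no DMARC
    print("spoofed weak.example:", disposition("weak.example", "203.0.113.77"))  # spam
    # A domain with no records at all: nothing stops the spoof
    print("spoofed nodns.example:", disposition("nodns.example", "203.0.113.77"))  # accept
```

The last two cases are the exposure SecGuru describes: with ~all and no DMARC the spoof only lands in the spam folder, and with no records at all it is delivered. A production receiver would additionally verify DKIM and check DMARC identifier alignment before applying the published policy.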
English spoofed sextortion email scam:
Hello! I'm a member of an international hacker group. As you could probably have guessed, your account [email address] was hacked, because I sent message you from your account. Now I have access to all your accounts! For example, your password for [insert service/password]

Within a period from July 30, 2018 to October 9, 2018, you were infected by the virus we've created, through an adult website you've visited. Moreover, we've gotten full damps [sic] of these data. We are aware of your little and big secrets...yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know.. But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched! I think you are not interested show this video to your friends, relatives, and your intimate one...

Transfer $800 to our Bitcoin wallet: 1GdegtNpYcvoCPsMmyiSkZARDdAmYuXGXU If you don't know about Bitcoin please input in Google "buy BTC". It's really easy. I guarantee that after that, we'll erase all your "data" :)

A time will start once you read this message. You have 48 hours to pay the above-mentioned amount. Your data will be erased once the money are transferred. If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection. You should always think abouy [sic] your security. We hope this case will teach you to keep secrets.
Dutch spoofed sextortion email scam (translated from Dutch):
From: your email account
To: your email account
Subject: email account

Hello, I have been watching you for a while because I hacked you by means of a trojan virus in an advertisement on a porn website. If you are not familiar with this, I will briefly explain. A trojan virus gives full access to and control over a computer, or any other device. This means that I can see everything on your screen and switch on your camera and microphone without you being aware of it. That is also how I gained access to all your contacts.

I have made a video in which you can be seen pleasuring yourself on the left half of the screen, and on the right half you see the video you were watching. With the push of a button I can send this video to all the contacts in your email and social media. If you want to prevent this, transfer an amount of 1000 euros to my bitcoin address (if you don't know how, search Google for "buy Bitcoin").

Bitcoin address: xxxxxxxxxxxx

As soon as the payment has arrived I will delete the video and you will never hear from me again. I give you 72 hours to make the payment. After that you know what will happen. I can see when you have read the email.