Porn Scam Email Uses Your Hacked Passwords

Here’s a scam that’s been floating around recently, with a new twist that makes it more believable. I’m pasting the contents of an actual email with the user’s password redacted. (Typos and poor English intact.)

I am aware, <substitute password formerly used by recipient here>, is your password. You may not know me and you are most likely thinking why you’re getting this email, correct?

actually, I setup a malware on the adult video clips (sexually graphic) web site and guess what, you visited this web site to have fun (you know what I mean). While you were watching video clips, your internet browser initiated functioning as a RDP (Remote Desktop) with a key logger which provided me access to your display screen as well as web cam. Just after that, my software program gathered your complete contacts from your Messenger, social networks, and email.

What did I do?

I created a double-screen video. First part displays the video you were watching (you have a fine taste : )), and 2nd part displays the recording of your webcam.

exactly what should you do?

Well, I believe, $1900 is a reasonable price for our little secret. You’ll make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in Google).

BTC Address: 1JHwenDp9A98XdjfYkHKyiE3R99Q72K9X4
(It is cAsE sensitive, so copy and paste it)

Note:

You have one day in order to make the payment. (I have a specific pixel in this email message, and at this moment I know that you have read this mail). If I do not get the BitCoins, I will, no doubt send out your video recording to all of your contacts including members of your family, colleagues, and many others. However, if I receive the payment, I will destroy the video immidiately. If you need evidence, reply with “Yes!” and I will send out your video to your 5 contacts. It’s a non-negotiable offer, that being said please do not waste my time and yours by replying to this mail.

The FBI classifies this as a sextortion scam, which tells us it’s not really anything new. Could your computer have malware? Sure, it’s possible. However, this email shows up for people whose computers are clean and who have never visited a porn site. These guys are just betting that you did something online that you wouldn’t be proud of, or wouldn’t want your contacts to know about. One of the largest porn websites reports 75 million visitors a day, so you can see why they use this angle to scare you into paying. The part that is new is that you may find one of your actual passwords in this email.

Let’s talk about the password. Should you be concerned? Yes, at least a little. Start by changing that password on every website where you used it. Then take a deep breath and relax. Now, stop worrying. What’s going on here is that one of your past or present passwords has been breached. Most likely you signed up on a website in the past and gave a username and password to access its content. Time passes and that site gets hacked. Then your info shows up online, and these scammers use it against you.

You can check if your info has been part of a breach here: https://haveibeenpwned.com

I checked with my personal email account and my email address was found on 5 breached websites.
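The breach check above covers email addresses; the same service also lets you test a password itself without ever sending it. This is an added example, not code from the original post: it assumes the real api.pwnedpasswords.com/range/&lt;prefix&gt; endpoint and uses a constructed range reply so it runs offline.

```python
"""Check a password against Pwned Passwords without sending the password.
Added example, not from the original post. It assumes the real
api.pwnedpasswords.com/range/<prefix> endpoint, which returns one
"<SHA-1 suffix>:<count>" line per leaked hash sharing the 5-hex-char prefix,
so only the prefix ever leaves your machine (k-anonymity)."""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password):
    """Upper-case SHA-1 hex split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix, range_body):
    """Scan a range response locally; 0 means the suffix is not listed."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix):
    """Network call to the real API (not exercised by the offline demo)."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"Add-Padding": "true",
                                          "User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the reply to prefix 5BAA6: made-up suffixes and
# counts, plus the genuine suffix of SHA-1("password") on the third line.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F9E5C5D0A3B8A2F2E9F6D4C1B0A7E6D5C4:2
"""

def check_offline(password):
    """Count for `password` using the constructed range instead of the API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    return count_in_range(suffix, body)

if __name__ == "__main__":
    print("password seen", check_offline("password"), "times")
```

Swap `check_offline` for `count_in_range(suffix, fetch_range(prefix))` to query the live service; any non-zero count means the password has appeared in a breach and should be retired everywhere.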

tl;dr What’s the point?

  1. Don’t use the same password everywhere. We all use just a few passwords; try to use more. Consider a password manager like LastPass, Dashlane, or 1Password.
  2. Use two-factor authentication such as Google Authenticator, or at least enable the “SMS code” option on your other accounts (Facebook, etc.).
  3. In my opinion: keep your email account password and your financial passwords different from the common ones you use elsewhere.

Stay safe out there. Stay suspicious of everything online.

Tips to Spot a Phishing Email

Every day you get tons of email. If your email provider is any good, most of the junk gets caught by the spam filters. Even with the best of the best services, some junk can still get through. So, what’s the best way to protect yourself from getting phished? Wait, what’s phishing?

phish·ing
/ˈfiSHiNG/
noun

the activity of defrauding an online account holder of financial information by posing as a legitimate company.
“phishing exercises in which criminals create replicas of commercial Web sites”

Ok, so back to the tips. How do you spot a fake email? I’ve made some screenshots from an email that I received. The email appeared to come from a friend, so he may have given his information out to the bad guys first.

Let’s look at the original email:

Here’s what is wrong (numbers match the picture):

  1. Look for spelling and grammar errors. Oftentimes the bad guys don’t speak English as their native language, and spelling errors in phishing emails seem pretty common. “RE:Necessary Informations” sounds off to me. Red flag!
  2. View the details of the From, To, CC, and BCC fields. In Gmail I clicked the “Show details” drop-down and saw that my name was not in the To box. This tells me it is probably spam or, in this case, something worse. Red flag!
  3. Hover over buttons or links and see where your browser is going to take you. Don’t click! This message is obviously going to take me to a website different from what the message claims. Red flag!

Where does the button take me?

I carefully copied the link and pasted just the domain portion. It takes me to a fake site that will gladly take any credentials, so I can get the precious document I didn’t know I needed. The big red flag at this point is that the site will take just about any password: Google, Yahoo, Adobe ID, Hotmail, AOL, or even your mobile number.

This is the site as of a week later:

I took the time to report the site to this page: Google Safe Browsing: Report a Malware Page. I also looked into who the domain registrar was and reported the site to GoDaddy as well. I’m sure I wasn’t the only person to report this site.

What’s the moral of this story?

You are your own best defense. So, don’t rely on any one browser to keep you safe, and don’t rely on your antivirus to catch everything.

  1. Don’t be quick to click! Take your time and read through the email to see if it is legit.
  2. Spelling and grammar errors are often a giveaway.
  3. View the details of the From, To, CC, and BCC fields.
  4. Hover over buttons, but don’t click! If the URL doesn’t match the email, or looks “funny”, don’t click it.
  5. Legitimate emails never ask for personal information. Instead, they tell you to log in to your account and make the updates there.
  6. If the email claims to be from someone you have an account with, open a new browser window and visit the site directly by typing the address, NOT by clicking in the email.
  7. If it came unsolicited, be even more suspicious.
  8. If the email talks about a UPS or FedEx package… ask yourself the obvious question: “What package?”
  9. If it threatens you about taxes or claims to be from a government agency, you know it’s junk. To the best of my knowledge the IRS and county tax offices do not send emails about back taxes!
  10. Follow your gut instinct and delete it if anything doesn’t look right. If it was real, they’ll email you again.
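The hover check in tip 3 of the walkthrough and tip 4 above, done by code: pull every link out of an HTML message and flag the ones whose visible text shows one domain while the href goes somewhere else. This is an added example, not from the original post; the sample message is constructed and uses the reserved example.com and example.net documentation domains.

```python
"""Flag email links whose visible text names a different site than the href.
Added example (not from the original post); the message below is constructed
and uses the reserved example.com / example.net documentation domains."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}", re.I)

def host_of(url):
    """Lower-case hostname without a leading 'www.'; bare domains accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> element in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (visible text, real host) for anchors whose text shows a domain
    other than the one the href actually points to (the hover check)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real, match = host_of(href), DOMAIN_RE.search(text)
        if match and host_of(match.group(0)) != real:
            flagged.append((text, real))
    return flagged

# Constructed body: the first link's text shows one domain, its href another;
# the second link is honest and must not be flagged.
SAMPLE_EMAIL = """<a href="http://login.example.net/doc">https://drive.example.com/shared</a>
<a href="https://example.com/help">Help center</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL)` flags only the first link, reporting the host the browser would really open.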

You can sniff out a fake email! Don’t give away your personal information to criminals!

Stay safe, it’s a jungle out there.