I got a slightly panicked message from a friend recently. There was an email, mentioning porn use and a demand for $1900 to be sent to a bitcoin address. “I don’t have bitcoin” wailed my friend.
I asked for screenshots of the email. It’s full of technical detail about malware and screen views that is just plausible enough to be concerning. The threat is to release evidence of your activity on a porn site via a two-camera video – one a screen capture and one a webcam – to all your Facebook and email contacts unless you pay within one day. My friend was worried.
After looking at the images of the email I answered “Total Scam”.
The combination of the high urgency and the vagueness of the actual “misdemeanor” captured made me suspicious and a quick search of a few phrases from the email showed that others had received the same message with the same demand. It’s cleverly crafted to trigger fear and shame – and then you’re very likely to pay up. Classic social engineering.
It’s a case of “sextortion”, using your sexual activity to blackmail you.
In this case the sender knew my friend’s email address and password, and because the email address contained my friend’s name, the email looked credible. However, there have been some massive data breaches of legitimate sites: LinkedIn, Amazon, Facebook, Sony. The data now for sale to criminals includes email addresses and matching passwords. This means that the email sender did no research; he just parsed the email address into a name and fired off an email, relying on a percentage of recipients having used a porn site recently. (PornHub releases its statistics annually, as reported here by Forbes: it was 81 million views per day on their site in 2017.)
So while the known password makes the scam email appear more credible, it’s probably due to a data breach rather than any sophisticated hack.
Here are the clues that an email is dodgy:
- something unspecific (the “evidence” is never described in detail)
- high urgency, threat
- stuff you wouldn’t want to discuss with anyone
- the amount demanded is less than a lawyer would cost
- the text will be reused in other scams or come up in a discussion online (google the text)
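The clues above can be turned into a rough screening check. The following is an added example, not code from the original post: it scores a message against the indicators listed (a bitcoin address, a dollar demand, a deadline, a shameful topic, a quoted password, and the “don’t go to the police” line) and pulls out the longest sentences, with the address and amount blanked, as phrases to search for online. The two sample emails are constructed for the example, the indicator weights and the threshold of 5 are arbitrary assumptions, and the bitcoin address in the sample is a made-up string shaped like one, not a real address.

```python
import re

# Constructed sample messages (not real emails). The first mimics the pattern
# described in the post; the second is an ordinary shipping notification.
SCAM_SAMPLE = """Subject: Your account was hacked
I know your password is hunter2. I installed malware on a porn site you visited
and recorded you with your webcam and screen. I will send the video to all your
Facebook and email contacts unless you pay $1900 in bitcoin to
1ExampLeScamAddressNotReaL4u2pay7Q within 24 hours. Do not contact the police."""

BENIGN_SAMPLE = """Subject: Your order has shipped
Hi, your order #12345 has shipped and should arrive in 3-5 business days.
Track it in your account. Thanks for shopping with us."""

# Indicator name -> (compiled pattern, weight). Weights are assumed, not measured.
INDICATORS = {
    # Legacy (1.../3...) base58 addresses or bech32 (bc1...) addresses.
    "bitcoin_address": (re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,})\b"), 3),
    "payment_demand": (re.compile(r"\$\s?\d{2,5}\b|\b\d{2,5}\s?(?:usd|dollars)\b", re.I), 2),
    "deadline": (re.compile(r"\b(?:within|in)\s+(?:\d+|one|two)\s+(?:hours?|days?)\b", re.I), 2),
    "shame_topic": (re.compile(r"\b(?:porn|webcam|adult site)", re.I), 2),
    "leaked_password": (re.compile(r"\byour password (?:is|was)\b", re.I), 1),
    "isolation": (re.compile(r"\bdo not (?:contact|go to) the police\b", re.I), 1),
}

SCAM_THRESHOLD = 5  # assumed cut-off for the verdict


def score_email(text: str) -> dict:
    """Return which indicators fire, the weighted score and a verdict."""
    hits = {name: bool(pat.search(text)) for name, (pat, _) in INDICATORS.items()}
    score = sum(weight for name, (_, weight) in INDICATORS.items() if hits[name])
    verdict = "likely sextortion scam" if score >= SCAM_THRESHOLD else "no strong indicators"
    return {"score": score, "hits": hits, "verdict": verdict}


def search_phrases(text: str, n: int = 2) -> list[str]:
    """Pick the n longest sentences as candidate phrases to look up online.

    The bitcoin address and dollar amount are replaced with placeholders so the
    phrase still matches copies of the same template sent to other recipients.
    """
    body = re.sub(r"^Subject:.*$", "", text, flags=re.M)
    sentences = [s.strip() for s in re.split(r"(?<=[.!?])\s+", body) if s.strip()]
    generic = [INDICATORS["bitcoin_address"][0].sub("<address>", s) for s in sentences]
    generic = [re.sub(r"\$\s?\d{2,5}", "<amount>", s) for s in generic]
    return sorted(generic, key=len, reverse=True)[:n]


if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_email(sample)
        print(f"{label}: score={result['score']} -> {result['verdict']}")
        for name, hit in result["hits"].items():
            if hit:
                print(f"  matched: {name}")
    print("phrases to search:")
    for phrase in search_phrases(SCAM_SAMPLE):
        print("  ", phrase)
```

The point of the score is not to be a spam filter but to make the “total scam” judgement explicit: a message that names a payment address, a sum, a deadline and a shameful topic while quoting a password from an old breach is following the template, and searching one of the longer sentences usually turns up other recipients of the same text.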
So most of us live where porn is legal, but most visitors of porn sites don’t want that discussion with our friends/parents/partners or colleagues. (Fair warning to all friends, family, colleagues and random strangers: I REALLY don’t want any discussion of your porn habits).
Here’s what you can do to protect yourself:
- Use a separate email address that does not include your name for any “naughty” sites. By naughty I mean stuff that might be legal but embarrassing.
- Use different passwords for everything. This one might have come from an old LinkedIn breach. The list of passwords and email addresses discovered in a security breach is sold online, and cyber criminals will then try the combination on other sites, or use the address to attempt to extort money from you.
- When you hear of a data breach on a site you use, change that password immediately.
- Keep track of your passwords in a list somewhere as well as saving them in your browser. It’s too hard to remember 100 passwords, so write them down; just don’t tape the list to your laptop bag.
- Use private browsing; here’s how to do that on Firefox or Chrome.
- You can report it to the local police or cybercrime unit. Realistically there isn’t much they can do, as chances are the sender of the email is in another country.
My friend didn’t pay. It’s been a couple of weeks now and there’s no sign of an email from the scam artist, and I am a friend of theirs on Facebook.
Image: Butt via pixabay