The porn extortion scam works like this: you get an email from a stranger claiming that he hacked your computer and recorded video of you masturbating to pornography, which he'll release unless you send him some cryptocurrency.
It's not a very convincing pitch, lacking any evidence that the scammer is telling the truth.
But thanks to the huge databases of leaked passwords circulating online after multi-million-user breaches, the extortionists behind these scams now have an extremely effective convincer: your own passwords.
The new version of this scam, first spotted in the wild last week, has your stolen username and password (from some breached service) in the subject line and opens with this: "It seems that, (password), is your password. You may not know me and you are probably wondering why you are getting this e mail, right?"
In the week since this tactic was first observed, the scammer who pioneered it has made $50,000 (a sum that can be calculated by looking at the public ledger of cryptocurrency transactions).
It's yet more evidence that breach liability is undervalued. After breaches, courts usually consider only the direct, immediate costs to the user (basically the time spent clearing up fraudulent transactions and changing your password). But the real costs are effectively open-ended: scammers, identity thieves, extortionists, malware creeps, and stalkers will keep finding ingenious new ways to merge these leaked databases and harm the people whose data was exposed in them.
From: Beitris Englert
Date: July 12, 2018
Subject: (username + password) It seems that, (password), is your password. You may not know me and you are probably wondering why you are getting this e mail, right?
actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email.
What did I do?
I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam.
exactly what should you do?
Well, in my opinion, $2900 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).
BTC Address: 1KiCTVUq5A9BPwoFC8S965tsbtqcWr8bty
(It is cAsE sensitive, so copy and paste it)
You have one day in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.
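The convincer in this variant is a real breached password placed in the subject line, so a mail filter can key on exactly that: compare the subject's tokens against digests of credentials the recipient is already known to have lost, and combine the match with the scam's stock phrasing and its Bitcoin demand. The following is an added example, not code from the post or from Bleeping Computer; the sample passwords and the scoring weights are constructed assumptions, and the phrase list is lifted from the email quoted above.

```python
import hashlib
import re

# Constructed sample: SHA-256 digests of passwords this user is known to have
# reused on breached services (e.g., from a password manager's breach report).
# Only digests are kept, so the filter never holds the plaintext itself.
KNOWN_BREACHED_PW_HASHES = {
    hashlib.sha256(pw.encode()).hexdigest() for pw in ("hunter2", "Summer2016!")
}

# Wording taken from the extortion email quoted in the post (matched case-insensitively).
SEXTORTION_PHRASES = (
    r"is your password",
    r"web ?cam",
    r"double[- ]screen video",
    r"unique pixel",
    r"send out your video",
)
# Legacy Bitcoin address: leading 1 or 3, then 25-34 Base58 characters (no 0, O, I, l).
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def leaked_credentials_in(text):
    """Return the tokens of `text` whose SHA-256 matches a known breached password."""
    tokens = re.findall(r"[^\s,()\"']+", text)
    digests = (hashlib.sha256(t.encode()).hexdigest() for t in tokens)
    return {t for t, d in zip(tokens, digests) if d in KNOWN_BREACHED_PW_HASHES}


def score_sextortion(subject, body):
    """Score an inbound message for the password-convincer extortion pattern.

    Returns (score, reasons). The password-in-subject signal carries the most
    weight because it is what makes this variant convincing to victims.
    """
    text = subject + "\n" + body
    reasons, score = [], 0
    if leaked_credentials_in(subject):
        score += 3
        reasons.append("known breached password in subject")
    phrases = [p for p in SEXTORTION_PHRASES if re.search(p, text, re.I)]
    if phrases:
        score += len(phrases)
        reasons.append(f"{len(phrases)} extortion phrases")
    if BTC_ADDRESS_RE.search(body):
        score += 2
        reasons.append("bitcoin payment address")
    return score, reasons


def is_sextortion(subject, body, threshold=5):
    """Quarantine decision: a lone password match or a lone BTC address is not enough."""
    return score_sextortion(subject, body)[0] >= threshold
```

A password hit on its own should also trigger a forced reset of that credential wherever it is still in use, since the scammer's possession of it is the one true claim in the message.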
Adult Site Blackmail Spammers made Over $50K in One Week [Lawrence Abrams/Bleeping Computer]
(Image: Valerie Lawson, CC-BY-SA)