Sextortion is a form of blackmail in which the extortionist claims to have photos or video of the victim watching adult content on their computer, and threatens to send the compromising material to everyone in the victim's email address book.
We've described this sort of crime before, and in the past that is typically as far as classic sextortion went. The extortionist almost never had pictures, video, screen captures, browser history or anything else; the threat was empty.
The scammers are vague about which sites the victims are supposed to have visited, and that is no accident: they usually have no access at all to their marks' devices, and the emails are sent spray-and-pray to large lists of addresses.
The new version adds a twist: the extortionist claims to have planted a RAT (Remote Access Trojan) on your computer, giving them control of the device, and threatens to send the embarrassing material out from the victim's own machine.
Perhaps the most convincing element of the scam is that the extortion email is crafted to appear to come from the victim's own account: the sender address is spoofed to match the victim's. For many people that alone is enough to make the RAT claim believable.
Victims are told they have one day to pay the ransom, in Bitcoin of course; if they fail to pay, they will be humiliated from their own email account. Analysis of the Bitcoin transactions associated with these sextortion emails found that victims had handed over seven Bitcoin in a short period, making it one of the more successful extortion campaigns seen.
One of ActiveCo's security partners, KnowBe4, suggests sending the following to your employees, and specifically to those in accounting. You're welcome to copy, paste and/or edit it:
“The bad guys are getting very deceptive with sextortion scams. They now send you an email that looks like it is coming from yourself—spoofing your email address—and claim that they have infected your workstation with a backdoor which allows them to take control of your computer.
Next, they accuse you of watching adult entertainment and claim that they have recorded it. And here comes the kicker: unless you pay them bitcoin, they threaten to use your own computer to send embarrassing content to all your contacts.”
RATs are real, and they have been found on all sorts of devices. But there is no RAT here: it is a pure hoax. The scammers are simply spoofing the victim's address in the From header, which is trivial because SMTP itself does not authenticate that header, but which is surprising and unsettling enough to spook a victim into paying. The spoofed sender makes the email seem real and urgent. It is also what gives the message away: if the victim's domain publishes SPF and DMARC records, the forged mail fails those checks on arrival, and the receiving mail server's Authentication-Results header records the failure, so a forwarded sample can be checked before anyone pays.