Reasonably Clever Extortion E-mail Based on Password Theft

Imagine you've gotten your hands on a file of e-mail addresses and passwords. You want to monetize it, but the site it's for isn't very valuable. How do you use it? You convince the owners of the password to send you money.

I recently saw a spam e-mail that ties the password to a porn site. The e-mail title contains the password, which is sure to get the recipient's attention.

I do know, yhhaabor, is your password. You may not know me and you're most likely thinking why you're getting this email, right?

actually, I actually setup a malware on the adult video clips (pornographic material) web site and you know what, you visited this web site to have fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote Desktop) having a key logger which provided me accessibility to your display and web camera. after that, my software obtained your entire contacts from your Messenger, social networks, and email.

What exactly did I do?

I created a double-screen video. First part shows the video you were viewing (you've got a fine taste ; )), and 2nd part displays the recording of your webcam.

What should you do?

Well, I believe, $2900 is a reasonable price for our little secret. You will make the payment through Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

This is clever. The valid password establishes legitimacy. There's a decent chance the recipient has visited porn sites, and maybe set up an account for which they can't remember the password. The RDP attack is plausible, as is turning on the camera and downloading the contacts file.

Of course, it all fails because there isn't enough detail. If the attacker actually did all of this, they would include the name of the porn site and attach the video file.

But it's a clever attack, and one I have not seen before. If the attacker asked for an order of magnitude less money, I think they would make more.

EDITED TO ADD: Brian Krebs has written about this, too.

Posted on July 16, 2018 at 6:30 AM • 46 Comments


michel • July 16, 2018 6:50 AM

it is clever because the actual attack exists
it happened to a colleague of mine.
He got filmed while "talking" to a webcam girl.
He was sent the actual video and asked to pay 2000euro. He did not pay and the video was sent to his entire email address book.

Ratio • July 16, 2018 6:53 AM

Imagine you've gotten your hands on a file of e-mail addresses and passwords. You want to monetize it, but the site it's for isn't very valuable. How do you use it?

Idea 0: you check for username + password reuse on sites that are valuable.

Hmm • July 16, 2018 7:10 AM

So to recap, never read spam, and don't be embarrassed by anything you ever do online.

aa • July 16, 2018 7:15 AM

It's a sort of interesting attack, but the solution is to just not have your cam on, ever, unless you need it.

Most cams in laptops have hardware or software fn key switches (if you fear spies too then tape over it), webcams you can unplug, etc.

Or to 'have your fun' under the table...

It also throws lots of jargon around (some of it silly, like why does double-screen video even matter?) and preys on the unknowing, plus the typical luck of someone watching videos online via a browser (and not downloading them like many premium sites allow you to, or torrenting or youtube-dling them to their seedbox and then downloading them for offline viewing, or streaming them to his/her tablet, or reading erotica or watching cam streams online instead of watching videos), but for free users that might as well be the most popular 'consumation' method of 'adult materials', so if they do something that's the best chance.

I've once seen a similar case where some old man paid just to not fight such accusations despite not even having a computer, let alone internet (his scam arrived via mail, from one of the copyright troll companies that go after torrenters and such).

Hmm • July 16, 2018 7:19 AM

Interestingly Krebs has a similar article, only it's $1400 there instead of $2900.

Jeff • July 16, 2018 7:50 AM

Isn't this a Black Mirror episode?

OK, serious question... What's the game theory analysis that leads one to believe that $2900 buys silence? Isn't this just a situation where you're self-identifying as someone willing to act as an ATM for the attacker?

At least in the scam where the attacker encrypts your hard drive, you know pretty quickly whether you wasted the payment and know not to pay a second time. This, I just don't see as being as effective. Much more emotionally compelling, I agree, but once you sit and think for a second, how could you possibly trust the hacker to live up to his end of the bargain?


Medo • July 16, 2018 7:53 AM

I got one of those a few weeks back asking for 430 USD, which is a lot more "reasonable". However, mine didn't even have a password in it to lend credibility. It did have some nice touches though:

"You have one day after opening my message, I put the special tracking pixel in it, so when you will open it I will see."

...which struck me as quite the feat in a mail with mimetype text/plain. I wonder why they didn't *actually* add one.

"If ya want me to share proofs with ya, reply on this letter and I will send my creation to five contacts that I've got from ur contacts."

...ensuring of course that nobody would ever take up that offer for proof.

I always wonder what one can do in these cases. The mail was DKIM-signed for a domain registered through godaddy, so I contacted their abuse address with the mail attached. I have little hope that that actually achieves anything though.

CallMeLateForSupper • July 16, 2018 8:13 AM

Be interesting to learn what the response rate is. My gut says that this scam is inefficient. On the other hand, just one victim coughing up $2900 for, say, 5000 emails sent is nothing to sniff at; that one payment would buy a very nice laptop, for example. When the scam reaches a vulnerable target, I imagine it resonates with great unpleasantness.

There are scams that utterly, epically fail, because the scenario they spin is "way out there" and the *target*knows* it. For example, a phone scam has been hitting me for a couple of months: "... unusual activity on your iCloud account. That your iCloud account has been breached..." I've never had an "iCloud account" (nor "i-" anything), so a breach is impossible. => Delete message. A previous scam du jour informed me that my Windows computer was disrupting the internet with errors and suggested I return the call and have them sort out the problem. But nobody at this phone number has run Windows since the early 1990's. => Delete message.

linkedout2012 • July 16, 2018 9:32 AM

This particular wave of emails appears to be based on an old copy of the LinkedIn user database, probably from around 2012. Messages were sent to email addresses that had only ever been used for linkedin, and the released passwords appear to be ones that were used for linkedin until around that time.

Jack O'Flonger • July 16, 2018 10:03 AM

@ aa :

... but for free users that might as well be the most popular 'consumation' method of 'adult materials' ...

I think you meant "consumption" but "consummation" may apply here too.

Karl Lembke • July 16, 2018 10:46 AM

I'd be curious to know how this person managed to video my reaction through the piece of tape over the camera lens on my computer.

Chelloveck • July 16, 2018 11:12 AM

@aa: "(some of it silly, like why does double-screen video even matter?)"

They mean split-screen or picture-in-picture, one video showing the feed from the user's camera and one showing what they're watching. It's only somewhat embarrassing for word to get out that you're watching porn. It's *extremely* embarrassing for word to get out that you're watching Barney the Dinosaur porn (or whatever you're into). The attacker is betting that the victim at least occasionally watches something they're ashamed of.

mark • July 16, 2018 11:25 AM

Of course, that merely amuses us (I haven't gotten one yet, I'm feeling left out) who don't have webcams....

Denton Scratch • July 16, 2018 11:38 AM


What you are referring to as the same scam is a different scam from the one Bruce described. Your colleague (supposedly) really got filmed. Bruce's attack depends only on an email address and matching password (I guess any additional personal info tending to confirm that it's not just a spam-blast to a 'millions' list would do). In the Bruce scenario, there is no video.

But I'm doubtful; did your colleague actually show you this video? I have a feeling this may be a 'friend-of-a-friend said' situation.

Tips for avoiding blackmail:
- Don't be a (serious) criminal
- Be completely free of shame (especially about sex)

The only things that cause me shame happened decades ago (and weren't to do with sex); and none of the crimes I routinely commit is anywhere near as serious as blackmail (blackmail is a very serious offence).

Just a random person • July 16, 2018 11:54 AM

Several copies of this email are floating around. There are different addresses. Last Friday I was shown one and the bitcoin address already had 6 transactions from prior days totaling 1.1 BTC.

aa • July 16, 2018 12:35 PM

@Jack O'Flonger - that's the joke.

@Chelloveck - I get that part but it just sounds silly. You can put anything you want together with someone's compromising video and it's not a proof they watched what you added when 'having fun'.

More things are silly actually, like casually admitting to two huge hacks: a major porn website and a browser (to turn JS execution into a full take over of a PC) and mixing terminology and functions of a keylogger (that name is dropped but the function description doesn't match it), RDP (why MS's RDP, lol, it's not even available on Home by default IIRC, and what a feat would it be to make a browser into an RDP server, and isn't it obvious to the person in front of the PC when RDP is used?), trojan (that's what is described), etc.

kw • July 16, 2018 2:39 PM

Jeff, the popularity of gambling suggests that many people lack an intuitive grasp of game theory. I wouldn't pay either, but the wallet links posted in this thread show that some people will.

The game theory for the attacker, one might suppose, is to carpetbomb the world with spam in the hopes of finding some people who don't behave according to game theory. The different payment requests might be an effort to utilize randomness to get some large payments without pricing everyone out.

Jesse Thompson • July 16, 2018 3:46 PM

I view this as having an almost inoculative effect. Sure, people on this blog can assert "this is dumb, I have tape on my camera / don't have a camera / (insert OPSEC 101 bullet point here)" but for me the take-home is that we've already been wearing that advice thin to our associates who use poorer OPSEC and they simply never pay attention.

When they get an email like this, even if it's a near miss (meaning they do figure out that they're safe from the accusation but still have to think for a good minute to assure themselves of it), or even if it's related to them by somebody else, it at least begins to increase the perceived value *of* such OPSEC considerations and of doing some bare minimum to improve one's privacy hygiene.

@Just a random person @Karin Spaink
In other news, my reply to "the bitcoin address already had 6 transactions from prior days totaling 1.1 BTC." or "has managed to extot five people by no, and he's got 1,5 bitcoin by now." is that it's rather trivial for the attacker to prime the pump by sending multiple payments from their own presumably anonymous sources to the payment address just to give whoever might peek an indication that people really are coughing up, thus inferring that perhaps they should too.

Clive Robinson • July 16, 2018 4:28 PM

@ All,

One thing that does come out of this is that traditional crimes do mainly transfer across to the Internet.

But they have one new angle which is that of "The army of one".

When you consider traditional blackmail is actually not that common as to "get the goods on somebody" usually means "you are known to that somebody". To get the goods and still in effect be anonymous the Blackmailer usually "gets the goods" through a third party that is known to the person being blackmailed. This gives "traceability" thus the "goods" really have to be quite devastating or the victim will "call the bluff of the blackmailer" and track them down.

To most the Internet means untraceable thus a modern blackmailer feels a lot more secure as well as sending a threat to hundreds if not hundreds of thousands of people more easily than sending just one traditional blackmail letter.

Thus we can expect Internet Blackmail to be many many times more frequent than traditional blackmail. But importantly the odds of there actually being any "goods" is as many if not more times lower.

@ Mark,

I haven't gotten one yet, I'm feeling left out

Post your details here and I'm sure there will be one along soon ;-)

Joking aside the Internet is a very very target rich environment, thus the odds of any individual getting attacked this way are actually quite low.

But a few people could spot the way things were going thus don't have any form of data slurping "socialmedia" or other "Cloud" based systems to have credentials stolen from. I don't have nor ever had social media, I did once have a social email address on gmail but that is long gone.

Whilst I'm in no way invulnerable to attack due to those changes[1], I have moved myself up a layer or three in the fruit tree. Which means like you I get to miss such invitations, as well as those "blue pill" "male enhancement" products and invitations from Nigerian Princes...

The point is though that it is like the old joke about two men being chased by a bear. Suddenly one of them kneels down and starts tying his shoe laces. The other aghast says to his friend "You won't out run the bear by tying your laces..." The kneeling man replies "I don't have to out run the bear only you..."

That is the real reality of Internet security currently, not being the lowest hanging fruit...

Thus for non targeted attacks being a slightly harder nut to crack causes criminal attackers to go for the abundance of weaker targets...

[1] As I've mentioned before, I use other techniques to raise my "fruit" quite a bit further up towards the top of the tree. That is well away from "low hanging fruit".

echo • July 16, 2018 4:47 PM

I would be rich if I monetized every man who tried to send me pictures, movies, or skype invitations.

Jack O'Flonger • July 16, 2018 8:58 PM

@Clive Robinson:
I don't have nor ever had social media, ...
Good sir, this forum has been your social medium. It just hasn't been instant-exchanging or photo-sharing.

Dave Howe • July 17, 2018 2:01 AM

Seriously though, I would be impressed. My webcam is in a box several feet away from my home computer, and remains there unless I really, really want to teleconference. I do have laptops with webcams, but they all have solid metal gates over them, and not even maxing out gain will get you more than light bleed from around the edges of the cam.

Do people really leave webcams (or user-facing cameras on tablets) live, after all the scare stories in the media about people peeping through them?

Herman • July 17, 2018 4:00 AM

"scare stories in the media" That is the thing. If a person really is scared by scare stories, then this person is an easy mark.

Weather • July 17, 2018 4:34 AM

Who would you send that information to, sure var ^= is a problem but so wos sbox, and that is gone, maybe you should say hi, as I think you don't block everything

echo • July 17, 2018 6:45 AM

@Dave Howe

In the UK apart from the Computer Misuse Act there is also the Sexual Offences Act which makes it a criminal offence to record someone without their consent for sexual purposes.

CallMeLateForSupper • July 17, 2018 10:49 AM

@Dave Howe
"Do people really leave webcams (or user-facing cameras on tablets) live, after all the scare stories in the media about people peeping through them?"

Some people forget the silly camera is ... well, a camera; some think, who would target *me*? Others just don't care (until fate pays a visit to change their mind).

Does anyone actually read emails without looking closely at the sender's address? A-firm!

Do people actually respond to email from addresses they don't recognize? Yup.

Who clicks a link in an email; that's nuts!
Many, apparently. And yes, that behavior is nuts.

Who, in this age of skimmers, still swipes their *chipped* debit or credit card? Oh my... where to start.

The point is, some people don't take their own security seriously (e.g. some of my siblings, sadly). There are reasons for that but few, if any, of them are excuses.

Chronic onanist, apparently • July 17, 2018 9:21 PM

So, I just got hit with two of these emails. I do believe we're entering the copycat phase. I checked my password safe against the gibberish in the subject line - neither matches anything I've used in the past decade and a half, and both e-mails arrived to a public-facing address I would not have used with anything requiring a password (other than the account itself). For maximum amusement, I provide the text, with only the "passwords" trimmed out in case they're actually valid for someone else out there:

= = = = = = = =

Subject: ID (gibberish)!
Good afternoon! While you beat the dummy watching erotic website your laptop computer have been injected. For the present moment I am provided with all the necessary dirt and contacts of all your nearest and dearest. Yours front camera was set to work with a help of the software program and filmed and takes photographs. At the same time I have all data to yours SNSs user accounts. You must send USD 400 to my Bitcoin address 18CSXANqriPc4nVDZ65NVLQRhwLBMCF5Zr In a case if you do not like me to forward all the files ( when you had been fucking off ) to your relatives and coworkers. Otherways if I do not obtain remittance within twentyfour hours I going to send compromising material to all loved ones and workfellows and to Net. If you going to fulfill all that terms I would shut down all this photos and video.
You should know that the key point in your life is family values and it will be a good experience for the future. There was no that sort of situation if you do not make that ugly things. Be meticulous about next time With respect.
P.S. After watching this mail you own only twentyfour hours.

= = = = = = = =

Subject: Malware on your device ID (gibberish)!!
How are you!
I guess that my message is completely unsuspected for you!
I have unpleasant news!
Last time when you visited porno Web-site, you laptop was attacked by malicious software.
That virus turned on frontfacing camera of your laptop computer. And now I have something incriminating against you. On that vidoerecord you feel yourself.
Pretty soon that computer virus could gain entrance to yours leads. And it is going to send clip to your confidants.
If you want to put a line under it? Then you have to send me 400$ in Bitcoin.
It is my Bitcoin number - 1CKdrGGLCB1r6aqTkZFhii7AqYPwWts4VR
Waste no time! You have only 24 hours! I apologize for grammar - I am not native speaker.

= = = = = = = =

Ending with "With respect" and an apology for poor grammar. A bit of civility is so often missing from extortion, don't you think?

Frances • July 17, 2018 9:48 PM

I got one via Hotmail last Saturday. Instead of deleting it right away, I looked at it and then deleted it. No password was involved, it was just a straightforward fishing expedition but I didn't have the requisite guilty conscience. Unfortunately, my Hotmail address has been passed around for years and I get a fair amount of spam on it most of which I ignore. Sometimes the spam appears to come from a legitimate company and then I will unsubscribe. Anyway, it's interesting that the scam has come to Bruce's attention.

JT • July 18, 2018 5:24 AM

I had a relative call me having received one of these emails, at the same approximate time as having received a call from (quote-unquote) BT Technical Help Support. I believe he has been receiving these calls for the last month or so and are likely unrelated, just coincidental timing.

Is anyone else aware of "tech support" calls being part of this scam?

C U Anon • July 19, 2018 2:18 AM

@Chronic onanist, apparently:

Just be thankful you are not the ground that apparently you are anointing :-S

dj • July 20, 2018 11:09 AM

One doesn't need to have visited a porn site or ever be compromised in any way. It's sufficient for your address to appear publicly somewhere. I received three extortion messages that claimed to have installed malware when visiting sites that were never visited. Perhaps more were sent but did not make it past Google's censorship.

albert • July 20, 2018 3:41 PM

A friend got an extortion email yesterday. It contained -no- information proving he was hacked, just threats. If they sent 1000 emails, they might scare one person enough to pay the USD3900. At least casino owners get a dependable percentage of bets; some of these guys may do better.

Wonder what the actual odds would be?

. .. . .. --- ....

Lon Hohberger • July 20, 2018 3:49 PM

Mine was asking for $3000.

Aww, their investment is not paying out.

Funny thing. Sex isn't a thing to be ashamed of.

Text follows:
I do know one of your pass. Lets get directly to point. No person has paid me to investigate about you. You don't know me and you're most likely thinking why you're getting this e mail?

Let me tell you, I installed a malware on the X video clips (porno) web-site and do you know what, you visited this web site to have fun (you know what I mean). While you were viewing videos, your internet browser started out working as a Remote Desktop having a key logger which provided me with accessibility to your display and webcam. Right after that, my software collected all of your contacts from your Messenger, Facebook, and emailaccount. Next I created a double video. 1st part displays the video you were watching (you've got a nice taste haha), and next part shows the view of your webcam, & its you.

You actually have two choices. We will check out each of these options in details:

Very first choice is to neglect this e mail. In this scenario, I am going to send out your actual video recording to just about all of your contacts and then imagine concerning the humiliation you will get. Furthermore if you are in a relationship, how it will eventually affect?

Second choice will be to pay me . Let us call it a donation. In this scenario, I most certainly will instantaneously eliminate your videotape. You will carry on your daily routine like this never took place and you will not hear back again from me.

You'll make the payment via Bitcoin (if you don't know this, search for "how to buy bitcoin" in Google).

BTC Address to send to:
[case SENSITIVE copy & paste it]

If you have been thinking about going to the cop, anyway, this email cannot be traced back to me. I have covered my steps. I am just not trying to charge a fee a huge amount, I prefer to be paid for. You have one day to make the payment. I have a unique pixel within this e mail, and now I know that you have read this mail. If I don't receive the BitCoins, I will, no doubt send out your video to all of your contacts including family members, co-workers, etc. Nonetheless, if I receive the payment, I will erase the recording immidiately. It's a nonnegotiable offer thus please do not waste my time and yours by replying to this mail. If you want proof, reply Yeah and I will send out your video recording to your friends.

wendy • July 22, 2018 1:06 PM

I had one of these emails. It was startling, but because it clearly didn't apply to me I ignored it.

These emails could have terrible consequences for some people. I hate to think what could happen if a vulnerable person was sent one.

I have a friend with a daughter who is handicapped and has many issues with anxiety. She got one of those phone calls that the IRS is sending the police to her house for non-payment of taxes. She had a breakdown and couldn't leave her room for three weeks.

I know the people sending these are anonymous but I wish they could see the damage they could cause.

echo • July 22, 2018 3:49 PM


Aside from the criminal element you make a very good point about the human impact.

Unfortunately, I have discovered a lot of organisations suffer from this problem too. Arbitrary decisions made without full consideration or well formed policies which don't consider people as people and trample over the context of their life situation are far too common lately.

Frances • July 23, 2018 10:41 PM

I wish that people weren't so credulous. The income tax scam gets tried in Canada too and people just believe it without any thought or consideration on how ridiculous it is.

Roberto • July 24, 2018 6:36 PM

Always have a first read of emails in text mode (html disabled). Be it spam or not.

Endrick Kreuter • July 25, 2018 9:44 PM

I just received one of these - first time. Old password with name combo, which did not exist, but the numerical part of the combo was correct. Below I show the address of the sender, best as I could copy it: ....... SHOWS as: Grantham Currier

Text of message:

I know xxxxxxxxxxx is your pass. Lets get right to point. Nobody has compensated me to investigate you. You don't know me and you're probably thinking why you're getting this e mail?

actually, I actually installed a malware on the 18+ video clips (porno) web site and do you know what, you visited this website to have fun (you know what I mean). When you were watching videos, your web browser started out operating as a Remote Desktop having a key logger which provided me with accessibility to your screen as well as webcam. Right after that, my software program gathered all your contacts from your Messenger, FB, as well as e-mailaccount. And then I created a video. First part shows the video you were viewing (you've got a nice taste lol), and next part displays the view of your web camera, yea its you.

You actually have not one but two alternatives. Lets check out these types of solutions in details:

First choice is to ignore this email. In this situation, I am going to send your very own tape to each of your your contacts and just consider regarding the awkwardness you experience. Do not forget should you be in an important relationship, exactly how it will eventually affect?

Number 2 choice will be to compensate me $7000. Let us refer to it as a donation. In this case, I will straight away erase your videotape. You could keep on going your life like this never occurred and you surely will never hear back again from me.

You'll make the payment by Bitcoin (if you do not know this, search for "how to buy bitcoin" in Google).

BTC Address: 1HSPrPJuqsP49p6BNWJidwRDEFruDBLYNh
[case-sensitive, copy & paste it]

If you may be wondering about going to the authorities, surely, this e mail cannot be traced back to me. I have dealt with my actions. I am just not looking to charge you a huge amount, I simply prefer to be compensated. I've a unique pixel within this email, and at this moment I know that you have read through this mail. You have one day to make the payment. If I do not get the BitCoins, I will definitely send out your video recording to all of your contacts including family members, colleagues, etc. Nonetheless, if I receive the payment, I will erase the video right away. If you want to have proof, reply with Yea and I will certainly send your video recording to your 7 friends. It is a nonnegotiable offer, and thus please don't waste mine time & yours by responding to this e-mail.

ongaku • August 1, 2018 3:29 PM

I just got one of these, demanding $7000. Seems the price is going up. This was the version with a real password I had used in the past. I thought it was the password I used to use on Linked In, and sure enough, by resurrecting an old version of Password Safe (thanks Bruce), I verified it was what I used on Linked In before changing it when they sent out the message several years ago that they'd been hacked.

The password wasn't really tough and a brute force attack should have been able to crack it if all they had were hashes. Or perhaps Linked In were using plain text storage on those days. I don't know. But I'm virtually certain I only used that for Linked In so that's the source of this stuff.

François VIGNERON • August 15, 2018 9:18 AM

The BTC address referenced on KrebsOnSecurity is
It seems that this address has only received one single transaction for 0.28847409 BTC.
I don't know if this is the real BTC address of the scam or not.
If it is the real BTC address, then the scam went nowhere.
On the other hand, I came to another conclusion, let's say you want to compromise a BTC transaction. You start a sextortion scam spam and mention the BTC address that you want to compromise mentioned in the scam email. And afterwards, you will get a bunch of angry hackers starting to look for the persons involved in using that money.

Dagfinn Reiersøl • August 17, 2018 3:20 AM

I got one of these, too. Actually, I found it in my spam box, and it was two weeks old already. The password appears to be from, which I haven't visited in five years.

The tracking pixel idea is interesting. It could theoretically be true even if there is no video. As far as I can tell from the email source, there is none, and if there were, it wouldn't be activated in spam view anyway.
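
The check Medo and Dagfinn Reiersøl describe in their comments (does the mail really carry a tracking pixel, and which domain DKIM-signed it), as an added example that is not part of the original post or thread: it walks a message's MIME parts, lists the remote resources an HTML part would fetch, and pulls the `d=` domain from any DKIM-Signature header. Both sample messages and every `example.invalid` name are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed samples (not real scam mail); example.invalid is a placeholder domain.
PLAIN_SAMPLE = """\
From: "Sender" <sender@example.invalid>
To: recipient@example.invalid
Subject: ID (gibberish)!
DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel1;
 h=from:to:subject; bh=AAAA; b=BBBB
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

I have a unique pixel within this e mail, and now I know that you have read it.
"""

HTML_SAMPLE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed HTML variant
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain body.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Body</p>
<img src="https://tracker.example.invalid/o.gif?id=123" width="1" height="1">
<img src="cid:logo">
</body></html>
--b1--
"""


class RemoteRefParser(HTMLParser):
    """Collects URLs a mail client would fetch over the network when rendering."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "background"):
            url = (a.get(key) or "").strip()
            # cid: and data: references are embedded in the mail and reveal nothing.
            if url.lower().startswith(("http://", "https://", "//")):
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.remote.append({"tag": tag, "url": url, "pixel_sized": tiny})


def analyze(raw):
    """Report whether a message could signal 'opened' and who DKIM-signed it."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"html_parts": 0, "remote_refs": [], "dkim_domains": []}
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            report["html_parts"] += 1
            parser = RemoteRefParser()
            parser.feed(part.get_content())
            report["remote_refs"].extend(parser.remote)
    # The d= tag names the signing domain, i.e. whose abuse contact to notify.
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            key, sep, value = tag.partition("=")
            if sep and key.strip() == "d":
                report["dkim_domains"].append(value.strip())
    # A text/plain-only mail has nothing for the client to fetch, so no pixel.
    # Even with a remote image, clients that block remote content never load it.
    report["can_track_opens"] = bool(report["remote_refs"])
    return report


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_SAMPLE), ("html", HTML_SAMPLE)):
        print(name, analyze(raw))
```
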


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.