New Sex Blackmail Scam Uses Your Password Against You
A new scam claims to have gleaned both your username and password from a risqué website, but you can ignore it safely.
"In my day," said 20th-century refugee Philip Fry in a famous episode of Futurama, "the internet was only used to download pornography."
Two decades into the 21st century, the internet is still a hot spot for porn — and there are still criminals who take advantage of man’s (and woman's) innate lust for, well, lust.
A new email extortion scam claims to have webcam footage of you on a hot date with yourself, as well as whatever provocative material you were viewing, and demands that either you pay up in Bitcoin or your friends will see it all. The message seems plausible because it has your username and (likely old) password in the subject line.
Don't believe it. The scammer has nothing on you except that username and password, which could have been picked out of any massive data breach of the past decade. Change the password if you haven't already, and you can safely ignore the rest of the threat.
Evidence of this scam began popping up online a week ago. Researcher Johannes Ullrich received the message himself. Independent security blogger Brian Krebs and infosec news site Bleeping Computer both heard from readers that they’d received such email messages.
It seems that plenty of people have fallen for it. A Dutch security researcher examined a few dozen of the Bitcoin addresses referenced in the emails, and found that they had received in excess of $50,000 as of yesterday morning (July 19).
"A growing number of my friends are posting on social media or other outlets that they've received this; I'm seeing one or two posts per day right now," Sue Marquette Poremba, a freelance information-security writer, told Tom's Guide. "Some are laughing it off as ridiculous; others are (wisely) reporting it to their ISP and police."
Boilerplate extortion
In all cases, the extortion message is the same, except for the username and password, the amount of money demanded and the Bitcoin address to which to send the payment. In most cases, the passwords concerned were several years old.
“I’m aware that (password) is your password,” the message begins.
Once the scammer has grabbed your attention, he or she claims to have infected a porn site with browser-based malware that recorded both your onscreen activity and your webcam footage. The message also says a keylogger was installed on your computer that let the attacker break into your social-media and email accounts and steal contact information for all your friends.
You can guess the rest: Unless you send the extortionist a large amount of money -- ranging from $1,400 to $3,200 in Bitcoin -- within 24 hours, he or she will send the embarrassing footage to everyone you know.
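The ingredients listed above (a subject line or opening sentence that quotes the recipient's password, a Bitcoin address, a dollar demand, a deadline in hours, and webcam/keylogger vocabulary) are regular enough to triage automatically. The following is an added example, not code from the article or from any of the researchers it cites: a scoring heuristic over a constructed copy of the message and a constructed benign control. The sample e-mails, the password "hunter2", the dollar figure and the address 1FAKEADDRESSFAKEADDRESSFAKEADD are all made up for the example.

```python
"""Heuristic triage for the sextortion e-mail pattern described in the article.

Added example (not from the article). It scores a message on the indicators
the article lists so a mail filter or an analyst can flag copies of the
campaign and tell them apart from legitimate mail that merely mentions
passwords.
"""
import re

# Legacy Bitcoin addresses: a leading 1 or 3, then 25-34 base58 characters.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Dollar figures such as $1,400 or $3200.
USD_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)\b")
# The opening line quoted in the article: "I'm aware that <x> is your password".
CLAIM_RE = re.compile(r"\bi(?:'m| am) aware that \S+ is your password\b", re.I)
# A deadline measured in hours ("within 24 hours", "you have 24 hours").
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*(?:hours?|hrs?)\b", re.I)
# Vocabulary the article says the message relies on.
VOCAB = ("webcam", "keylogger", "contacts", "footage", "bitcoin", "adult")


def normalize(text):
    """Fold typographic apostrophes and quotes so the regexes see plain ASCII."""
    return (text.replace("\u2019", "'").replace("\u2018", "'")
                .replace("\u201c", '"').replace("\u201d", '"'))


def triage(subject, body):
    """Return the extracted indicators, a score and a verdict for one message."""
    text = normalize(subject + "\n" + body)
    low = text.lower()
    indicators = {
        "password_claim": bool(CLAIM_RE.search(text)),
        "btc_addresses": BTC_RE.findall(text),
        "usd_amounts": [int(a.replace(",", "")) for a in USD_RE.findall(text)],
        "deadline_hours": [int(h) for h in DEADLINE_RE.findall(text)],
        "vocab_hits": [w for w in VOCAB if w in low],
    }
    # Weights: the password claim plus a payment address is the core of the
    # scam; amount, deadline and vocabulary are supporting evidence.
    score = 0
    score += 3 if indicators["password_claim"] else 0
    score += 2 if indicators["btc_addresses"] else 0
    score += 1 if indicators["usd_amounts"] else 0
    score += 1 if indicators["deadline_hours"] else 0
    score += 1 if len(indicators["vocab_hits"]) >= 2 else 0
    indicators["score"] = score
    indicators["verdict"] = "likely sextortion" if score >= 5 else "no match"
    return indicators


# Constructed sample of the campaign (password, amount and address are fake).
SCAM_SUBJECT = "jdoe - hunter2"
SCAM_BODY = """I’m aware that hunter2 is your password.
I placed malware on the adult video site you visited. It installed a
keylogger, recorded your webcam footage and copied all of your contacts.
You have 24 hours to send $2,000 in bitcoin to 1FAKEADDRESSFAKEADDRESSFAKEADD
or I will send the video to everyone you know."""

# Constructed benign control: legitimate mail that also mentions passwords.
BENIGN_SUBJECT = "IT notice: password expiry"
BENIGN_BODY = """Your corporate password expires in 48 hours. Reset it at the
internal portal. Never share your password with anyone."""


if __name__ == "__main__":
    for label, subj, body in (("scam", SCAM_SUBJECT, SCAM_BODY),
                              ("benign", BENIGN_SUBJECT, BENIGN_BODY)):
        result = triage(subj, body)
        print(label, result["score"], result["verdict"])
```

The benign control scores only on its "48 hours" deadline and stays below the threshold; the constructed scam copy trips every indicator. In a real filter the extracted Bitcoin addresses are the useful artifact to keep, since the article notes they are one of the few parts of the message that vary between victims.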
The best thing you can do about this threat is to ignore it. While the logistics of the supposed infection on your machine are plausible, they're not likely (and you can run an antivirus scan to make sure).
Why this threat is hollow
But first, let’s deal with the username and password, the parts of the scam that grab your attention. They may seem like "proof" that a cybercriminal has hacked your machine, but in reality, they're old, easily accessible data.
In the past several years, major companies such as Adobe, eBay, LinkedIn and Yahoo (twice) have fallen victim to database intrusions, massive security failures that let thieves steal billions of username-password combinations.
Finding online lists of these purloined usernames and passwords isn’t difficult. But the odds are that you’ve already changed the stolen passwords to something else. If you haven't, do so now.
If a breached company was responsible, it contacted affected users right away and forced them to change the passwords. If the company was negligent, and many are ... well, you should run your email addresses through the HaveIBeenPwned breach-checking website. (It's safe to use.)
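Besides checking your e-mail address, the same service lets you check whether a specific password, such as the one quoted in the scam message, appears in its breach corpus, without sending the password itself: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix, so the match is made locally. The following is an added example, not code from the article or from HaveIBeenPwned. It computes the prefix/suffix split and parses a constructed copy of a range response (the counts and the second entry are made up; the live lookup function needs network access and is not exercised here).

```python
"""Check a password against the HaveIBeenPwned Pwned Passwords range API using
its k-anonymity scheme.

Added example (not from the article or from HaveIBeenPwned). Only the first
five hex characters of the SHA-1 leave the machine; the full hash is compared
locally against the suffixes the service returns.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def lookup_in_range(range_text, suffix):
    """Parse a range response ("SUFFIX:COUNT" per line) and return the count
    for our suffix, or 0 if the password is not in the corpus."""
    suffix = suffix.upper()
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        sfx, _, count = line.partition(":")
        if sfx.upper() == suffix:
            return int(count)
    return 0


def check_password_live(password, timeout=10):
    """Query the real range endpoint (network required); returns the breach count."""
    prefix, suffix = split_sha1(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return lookup_in_range(body, suffix)


# Constructed stand-in for the response to GET .../range/5BAA6 (the prefix of
# SHA-1("password")). Counts and the first entry are made up for the example.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "00000A1B2C3D4E5F60718293A4B5C6D7E8F:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
])


def check_password_offline(password, range_text):
    """Same logic as the live check, but against a supplied range response."""
    _prefix, suffix = split_sha1(password)
    return lookup_in_range(range_text, suffix)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(pw)
        count = check_password_offline(pw, SAMPLE_RANGE_RESPONSE)
        print(f"{pw!r}: prefix sent={prefix}, seen {count} times in sample response")
```

The point of the split is that the service learns only that you asked about one of the several hundred hashes starting with the prefix, never which one; a count above zero means the password has appeared in at least one breach dump and should not be used anywhere, which is exactly the case for the years-old passwords the article says the scam quotes.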
But even if your old password is compromised, it's unlikely that anyone recorded untoward footage of you. This scammer is sending out nearly identical emails to thousands of people. Rogue or infected websites do harbor exploit kits and other nasty malware that infect computers, but it would have been hard for this scammer to have obtained the email usernames and passwords for thousands of random visitors to a porn site.
Remember, too, that if this scammer had half the information he or she claimed to have, he or she wouldn’t need to extort you at all. By hacking into your computer, the scammer would have access to your financial information and could have stolen thousands from your online bank account, or charged it to your credit card, long before you'd even notice.
But if anyone does choose to shoot back a snarky message to the oh-so-clever scam artist, we’d love to see the response.
Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.