Last Updated: 2018-09-25 01:32:08 UTC
by Brad Duncan (Version: 1)
Since at least 2018-09-05, I've seen daily waves of sextortion spam that spoof yahoo.jp in the message headers and sending addresses. Subject lines include a password the recipient allegedly uses. Extortion demands range from $1,000 to $7,000 (US dollars).
Back in July 2018, Johannes Ullrich wrote about an example here. Brian Krebs also documented a wave earlier that month. But recent sextortion emails appear to be mass-distributed without any real or current passwords. Krebs indicated these criminals were using password lists from older data breaches. However, these most recent waves don't seem particularly targeted.
By now, many of us have probably seen or heard about these sextortion emails. They are botnet-based spam, and emails from this latest campaign follow noticeably distinct patterns. A different Bitcoin address is used for each message I've reviewed. 50 examples of this sextortion spam from Monday 2018-09-24 are available here.
These messages have a different password for each recipient and a different Bitcoin address for each message. Distribution is on a massive scale, and I've only found English-speaking recipients. I run across this type of spam at least every weekday. I suppose the criminals must find it cost-effective.
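The patterns above (spoofed yahoo.jp sender, a password in the subject, a demand between $1,000 and $7,000, and a Bitcoin address that differs per message) are enough to build a simple mail-gateway triage rule. The following is an added example, not code from the diary; the regexes, the score threshold, the assumption that the subject contains the word "password", and the sample messages (with fake Bitcoin addresses) are all constructed here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the diary: a spoofed yahoo.jp sender, a password in the
# subject, a USD demand between $1,000 and $7,000, and a Bitcoin address
# in the body. Regexes and thresholds are this example's own assumptions.
SPOOFED_DOMAIN = "yahoo.jp"
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
USD_DEMAND = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")
PASSWORD_HINT = re.compile(r"(?i)\bpassword\b")


def triage(raw_message: str) -> dict:
    """Score one raw RFC 5322 message (0-4) against the campaign indicators."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    amounts = [int(a.replace(",", "")) for a in USD_DEMAND.findall(body)]
    btc = BTC_ADDR.findall(body)
    indicators = {
        "spoofed_yahoo_jp": domain == SPOOFED_DOMAIN,
        "password_in_subject": bool(PASSWORD_HINT.search(msg.get("Subject", ""))),
        "usd_demand_in_range": any(1000 <= a <= 7000 for a in amounts),
        "bitcoin_address": bool(btc),
    }
    return {"score": sum(indicators.values()), "btc": btc, "indicators": indicators}


def campaign_summary(raw_messages: list, threshold: int = 3) -> dict:
    """Flag messages at or above the threshold and count distinct BTC addresses."""
    flagged = [t for t in map(triage, raw_messages) if t["score"] >= threshold]
    addrs = [a for t in flagged for a in t["btc"]]
    return {"flagged": len(flagged), "unique_btc": len(set(addrs)),
            "reused_btc": len(addrs) - len(set(addrs))}


# Constructed sample messages (not from the diary's archive); addresses are fake.
SAMPLES = [
    "From: Unknown <k-9a7x@yahoo.jp>\nSubject: hunter2 is your password\n\n"
    "I recorded you. Send $1,500 in bitcoin to 1ConstructedTestAddrAAAAAAAAAAAAA\n",
    "From: Unknown <ru-21b@yahoo.jp>\nSubject: password qwerty123\n\n"
    "Pay $7,000 to 3ConstructedTestAddrBBBBBBBBBBBB within 24 hours.\n",
    "From: Support <billing@example.com>\nSubject: Your invoice\n\n"
    "Your invoice total is $45. Thank you.\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(triage(raw))
    print(campaign_summary(SAMPLES))
```

The campaign summary mirrors the diary's observation that every message carries its own address, so a reused address across flagged messages would itself be worth a second look.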
But does this actually work?
Criminals behind the campaign assume most people view pornography on their computers. But the majority of passwords from this spam don't appear on the lists of most common passwords I've seen published. The passwords in these messages appear to be somewhat random, even if they are based on information from data breaches.
I feel like this campaign is attempting to prove the infinite monkey theorem. It states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type a given text, such as the complete works of William Shakespeare. The infinite monkey theorem has been referenced several times in popular culture over the years. My favorite reference is this Simpsons cartoon scene.
Shown above: "This is a thousand monkeys working at a thousand typewriters. Soon they'll have written the greatest novel known to man."
The idea may not be so far-fetched. Given the amount of sextortion spam I run across in my day-to-day work, it might hit on someone's actual current password. I doubt it, but it's possible.
An example of the sextortion spam follows.
I'm not sure how effective this sextortion campaign really is. But due to poor security practices of potential victims, and based on how vulnerable some people are to suggestion, I suppose someone might be tricked into paying the criminals.
If countless variations of the Nigerian Prince scam have convinced people to share their bank account information, this sextortion scam might also be viable.
50 email examples and a spreadsheet tracker associated with today's diary can be found here.
brad [at] malware-traffic-analysis.net