SANS ISC: New Extortion Tricks: Now Including Your Password! - Internet Security | DShield SANS ISC InfoSec Forums
New Extortion Tricks: Now Including Your Password!

For a while now, we have seen sporadic extortion emails that claim to have a video of you watching pornographic material. The emails usually count on the guilt and shame of the victim to convince them to pay up. However, the bad guys, of course, do not have any evidence of their kompromat, which makes the extortion weak. You would expect them to at least include a frame from the video.

Short of actually producing the video, I just saw another trick used to make the threat more plausible. The e-mail now includes a username and password that you used on *some* website. The bad guys are harvesting leaked account lists and using them to make their threat more plausible. I include a screenshot of such an email below. "someoddpassword" was a password I used on some sites in the past. It was kind of my throw-away password for a while, and I know it leaked in more than one breach.

The emails also include some random text at the end which is typical for spam to evade spam filters. I did not reproduce that part in the screenshot. The copy I received was plain text and did not include any images or other trackers as promised. 

Currently, the bitcoin address in this email has not received any ransom payments. It is possible that each email uses a different address. (Update: Brian Krebs and others also received emails like this and wrote about it. Looks like each address is different)


Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute


3295 Posts
ISC Handler
We received a report of one of those messages with the address 1AWKTr1vq3946tyuxG7Q1mLcJum4rjnmro, and Krebs' article reports the address 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72, so it looks like they are using different ones.
I investigated an instance of this as well, with this bitcoin address: 1GavsHHQM42DxG4F8SVeW4uyTFeZAL8cRn
Very interesting. It occurs to me that this type of extortion might also be used in spear-phishing-type attacks - again using the password or other previously leaked information to attempt to add credibility. This might then be used to gain a foothold inside organisations.

Extortion through guilt/shame is, unfortunately, likely to be effective at least some of the time.

From the bad guy perspective, it is a relatively easy way to get "extra value" out of leaked credentials. It doesn't matter that the victim might have changed all their passwords since the credential loss - if they have an old password floated in front of them, many will not be aware that the claims in the rest of the email are unlikely from a technical perspective, and follow through motivated by guilt/shame.

1 Post
I am currently tracking 15 addresses from this campaign. So far 6 of them have payments on them and 2 of those 6 have two payments on them. Total collected on these 6 BTC addresses is approaching $19000 USD. Average payment is $2358 USD.

This information reveals some things about this campaign
- the BTC addresses are not unique. While I do not have enough information to determine the size of the pool, I have seen two cases of two emails with the same BTC address and the fact that multiple people have paid using the same BTC address confirms that. While anecdotal, since none of the 15 addresses has more than two payments it is possible the addresses were not recycled a large number of times.
- people are paying for this scam. This is not a surprise, but certainly disappointing.
- none of the money has moved out of the BTC addresses, so the bad guys haven't started collecting their ill-gotten gains yet.

277 Posts
ISC Handler
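As an added example (not code from the diary or from any of the commenters), the following Python routine does the two things the comments above do by hand: it triages an incoming message for the sextortion pattern (indicator wording plus a bitcoin address), verifies that any extracted address is a well-formed legacy address by checking its Base58Check checksum (double SHA-256 over the version byte and hash), and counts how many messages in a batch carry the same address, which is the address-reuse question raised above. The indicator term list, the "three terms plus an address" rule and the message wording are assumptions of this example; the password and the bitcoin address in the sample are the ones quoted on this page, the rest of the sample is constructed.

```python
import hashlib
import re
from collections import Counter

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (P2PKH/P2SH) address: leading 1 or 3, 26-35 base58 characters.
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Assumed indicator terms; tune to the mail stream you actually see.
EXTORTION_TERMS = ("webcam", "video", "bitcoin", "password", "adult", "contacts")


def b58decode(s):
    """Decode a base58 string to bytes; None if it contains a non-alphabet char."""
    n = 0
    for ch in s:
        idx = _B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Every leading '1' stands for one leading zero byte.
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def valid_btc_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    raw = b58decode(addr)
    if raw is None or len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def triage_message(body):
    """Score one message: which indicator terms appear and which addresses it carries."""
    lowered = body.lower()
    terms = [t for t in EXTORTION_TERMS if t in lowered]
    addresses = BTC_RE.findall(body)
    valid = [a for a in addresses if valid_btc_address(a)]
    return {
        "terms": terms,
        "addresses": addresses,
        "valid_addresses": valid,
        # Assumed rule: several indicator terms plus at least one address.
        "suspicious": len(terms) >= 3 and bool(addresses),
    }


def address_reuse(messages):
    """Count how many messages carry each address (the pool-size question above)."""
    counts = Counter()
    for body in messages:
        for addr in set(BTC_RE.findall(body)):
            counts[addr] += 1
    return counts


# Constructed sample in the style described in the diary; the password and the
# address are the ones quoted on this page, the wording is made up.
SAMPLE = """I know someoddpassword is one of your passwords.
I installed malware on the adult video site you visited and your webcam
recorded you. I also have all your contacts. Send 1900 USD in bitcoin to
1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 within 24 hours."""

if __name__ == "__main__":
    print(triage_message(SAMPLE))
    print(address_reuse([SAMPLE, SAMPLE, "unrelated mail"]))
```

The checksum check matters for the tracking use: a mistyped address (as can happen when one is copied from a screenshot) fails validation and will never show payments on a block explorer, so it should be excluded from counts like the ones above rather than treated as an unfunded address. Addresses that pass validation are then the ones worth deduplicating with `address_reuse` and querying for payments.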
I have seen 2 payments done for one of the BTC I am currently tracking. :/
