Sextortion Scam emails: the hype and truth behind them

Pablo Ramos
5 min read, Mar 2, 2019

The other day, for the first time in a long, long time, I received a sextortion email. I regularly check my email inboxes for information, newsletters and such, you know, it’s email... Then I saw one with the subject: Your account is being used by another person! I’ll share what I did and the whole story behind this. It’s a situation you don’t want to be part of: being asked to do X or you’ll suffer the consequences is not such a fun story… X being pay me in Bitcoin.

It’s true that with the ever-increasing leaks, and tons of emails, accounts, credit card information and such being out there, compromises to security and privacy can happen, and they do happen, even more often than you think. So I found myself captivated by the email, and curious about the situation: what had just happened to me?

This is what I got:

A photo of a Sextortion email message

In the past, I spent quite some time on the trail of malicious actors using Bitcoin, but mostly related to malware attacks. Ransomware is still a thing, and many companies get punched in the nose by pretty bad cyber hygiene or simply because their anti-malware software missed something. Now apparently this was in one of my emails, but I’m not giving up so easily, you know.

Truth is that this email was not sent to me from my own email address; it was coming from a mailing list I’m part of. That list is actually related to some cybersecurity groups, which just adds a cherry on top of the cake (how ironic, no?). Curiosity kicked in, and I started to ask myself what we can know about this, and the obvious questions to me were: how do people fall for this? And how many people would actually pay?

It’s true that the technique behind the attack relies on scams, phishing and other social engineering actions that lure the potential victim in. Feelings of despair, fear and impulse, and the urge to stop actually processing what has just happened, could lead people to pay, as the shame of this happening could be disastrous. Extortion is a bad thing, even if you’re Jeff Bezos. We all know how he confronted Mr. Pecker, and how up to some point he made an informed decision and did not give in to fear and despair; to be fair, he might know a thing or two about pressure, stress and hard decisions.

Back to the story: I started by looking at the strongest lead I had, the Bitcoin wallet address. There are many things people don’t know about Bitcoin or other cryptocurrencies, but one you really should be aware of is that all transactions can be seen; they are recorded and come with some information associated with them.

I decided to check a few things:

  • How much was transferred into the Bitcoin address in the email
  • How many people have fallen for this scam
  • How many other similar emails I can find with a different Bitcoin address

1GoWy5yMzh3XXBiYxLU9tKCBMgibpznGio — The starting point…

Image by Alexas_Fotos on Pixabay

How much money was transferred into this attacker account?

This one is easy. Answering question 1 is straightforward: go to a blockchain explorer, paste the address you’re interested in, hit enter and you’re there:

Malicious Bitcoin Wallet for Sextortion victims to send money

This is sad. The email was received less than three days ago in that inbox, but it looks like, up to the time of this publication, at least 23 transactions were made. These sum up to a total of 3.1214048 BTC, or 11,869.70 US dollars, in less than three days.

How many people have fallen in this Sextortion Scam?

There were a total of 23 transactions: 22 incoming and 1 outgoing. Looking into this is basically done by breaking down the incoming transactions and matching the transferred amount with what is requested in the email. That’s an average of $540 for each person sending bitcoin to this wallet. This is likely simplifying things, but it can scale pretty quickly (think of X emails with Y Bitcoin addresses).

No need to dig much more into this, but the scale of how many people can be and are being affected is something that should raise more awareness.
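To make the two questions above concrete, here is an added example (mine, not the author’s tooling) that walks a wallet’s transactions the same way: classify each one as incoming or outgoing relative to the wallet, sum what came in, and flag deposits within 10% of the demanded amount as likely victims. The transactions, the placeholder wallet label and the USD rate (derived from the article’s own 3.1214048 BTC = $11,869.70) are all constructed assumptions.

```python
SATOSHI = 100_000_000
# Assumed USD rate, derived from the article's own totals (3.1214048 BTC ~= 11,869.70 USD)
BTC_USD = 11_869.70 / 3.1214048
DEMAND_USD = 540.0   # what the emails ask for, per the article's per-payer average
WALLET = "1ScamWalletPlaceholderXXXXXXXXXXXX"  # placeholder label, not a real address

# Constructed sample: simplified transactions with per-address satoshi values, the shape
# you would build from a block explorer's raw export for the address under investigation.
TXS = [
    {"txid": "c1", "inputs": [{"addr": "payer-A", "value": 14_500_000}],
     "outputs": [{"addr": WALLET, "value": 14_200_000}, {"addr": "payer-A", "value": 250_000}]},
    {"txid": "c2", "inputs": [{"addr": "payer-B", "value": 14_000_000}],
     "outputs": [{"addr": WALLET, "value": 14_000_000}]},
    {"txid": "c3", "inputs": [{"addr": "payer-C", "value": 15_100_000}],
     "outputs": [{"addr": WALLET, "value": 15_000_000}]},
    {"txid": "c4", "inputs": [{"addr": "payer-D", "value": 2_100_000}],
     "outputs": [{"addr": WALLET, "value": 2_000_000}]},  # too small to be a ransom payment
    {"txid": "c5", "inputs": [{"addr": WALLET, "value": 45_200_000}],
     "outputs": [{"addr": "cash-out", "value": 45_150_000}]},  # the scammer sweeping the wallet
]

def direction(tx, wallet):
    """'out' if the wallet funds any input, 'in' if it only appears in the outputs, else None."""
    if any(i["addr"] == wallet for i in tx["inputs"]):
        return "out"
    if any(o["addr"] == wallet for o in tx["outputs"]):
        return "in"
    return None

def received_sat(tx, wallet):
    return sum(o["value"] for o in tx["outputs"] if o["addr"] == wallet)

def triage(txs, wallet, demand_usd=DEMAND_USD, rate=BTC_USD, tolerance=0.10):
    """Count incoming/outgoing, total received, and how many deposits look like ransom payments."""
    incoming = [received_sat(tx, wallet) for tx in txs if direction(tx, wallet) == "in"]
    outgoing = sum(1 for tx in txs if direction(tx, wallet) == "out")
    usd_each = [sat / SATOSHI * rate for sat in incoming]
    # A deposit within +/-tolerance of the demanded amount counts as a likely victim;
    # the BTC price moves between the email and the payment, hence the slack.
    likely = [u for u in usd_each if abs(u - demand_usd) <= demand_usd * tolerance]
    total_btc = sum(incoming) / SATOSHI
    return {
        "incoming": len(incoming),
        "outgoing": outgoing,
        "total_btc": total_btc,
        "total_usd": round(total_btc * rate, 2),
        "likely_victims": len(likely),
        "avg_usd_per_payer": round(sum(usd_each) / len(usd_each), 2) if usd_each else 0.0,
    }
```

Running `triage(TXS, WALLET)` on the sample reports 4 incoming, 1 outgoing and 3 likely victims; the same loop over a real export is how the 22-incoming / 1-outgoing breakdown above is reached.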

Can I find other emails with different Bitcoin addresses?

Yes, that’s another direct and straightforward task. At least a few other samples can easily be surfaced with a Google search. People with concerns flagged it on Reddit, one example with another single wallet was on PCRisk, and a third one had a more extensive list.

A total of 16 Bitcoin addresses that received transactions were surfaced in a couple of minutes, and they have been going around since at least December 2018.
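When collecting addresses from reported emails like these, one check worth doing is validating the Base58Check checksum, so typos and truncated copies don’t end up on the list. This is an added example, not the author’s tooling: the regex and decoder cover legacy 1…/3… addresses only (bech32 bc1… addresses are out of scope), and the sample email body is constructed, using the well-known Bitcoin genesis address in place of any scammer’s wallet.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy address shape: P2PKH starts with 1, P2SH with 3; no 0, O, I or l in the alphabet.
ADDR_RE = re.compile(r"(?<![A-Za-z0-9])[13][a-km-zA-HJ-NP-Z1-9]{25,34}(?![A-Za-z0-9])")

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)      # raises ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_ones + body

def is_valid_legacy_address(s):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte checksum = sha256(sha256(payload))[:4]."""
    try:
        raw = b58decode(s)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def extract_addresses(text):
    """Return (valid, rejected): address-shaped strings in free text, split by checksum result."""
    valid, rejected = [], []
    for cand in ADDR_RE.findall(text):
        (valid if is_valid_legacy_address(cand) else rejected).append(cand)
    return valid, rejected

# Constructed sample email body: the Bitcoin genesis address stands in for the scammer's,
# followed by a copy with its last character altered, as a mistyped report would show.
SAMPLE_EMAIL = """Your account is being used by another person!
Transfer $540 to my bitcoin address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
(someone reported it as 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb which is a typo)"""
```

`extract_addresses(SAMPLE_EMAIL)` keeps the genuine address and rejects the mistyped copy, which a plain regex would have accepted.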

Food for thought…

There are tons of examples like this out there, and it’s a sample of how much technology needs to improve to detect and keep these things at bay. It’s true that examples like these might be caught by a spam filter, and that is what makes reporting so damn important, but it also opens the need for the things to come.

Cybersecurity is, in my take, a great battlefield for adversarial environments, where companies, industry and community do collaborate a lot. Much more needs to be done, and potentially it will.

I hope to dig a little bit more into examples like this and come up with tools and ideas that other folks interested in this can contribute to. From simple examples to full deep dives, there is always room to share, and keep sharing. It’s not just about looking and researching; sometimes it’s also about reporting it to the person who can help you help other people.

Pablo Ramos

Infosec researcher, traveller, kitesurfing enthusiast. I just like to think out loud.