Cybercriminals use real hacked passwords, claim to have videos of victims on adult sites in new extortion scam

• Scammers are using real, stolen passwords to add legitimacy to their extortion scam emails.
• The new scam making the rounds is aimed at extorting a Bitcoin ransom.

A new extortion scam has been making the rounds that involves cybercriminals using people’s real passwords in an effort to extort thousands of dollars. An email is reportedly being sent out in which the attacker mentions the recipients’ actual password, likely acquired from earlier data breaches or leaks, and claims to have infected the recipients’ system with malware.

The scammers also claim they used the webcam of the recipient’s computer to make videos of the them using adult sites and have stolen the recipients’ entire contacts list. The email then threatens to expose the video expose the supposed video to their contacts unless the recipient agrees to pay a ransom amount.

New twist to an old scam

“I’m aware that <substitute password formerly used by recipient here> is your password,” the email begins, security journalist Brian Krebs reported. “You don’t know me and you’re thinking why you received this e mail, right?”

“Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account,” the scammers’ email continues.

The cybercriminals then go on to demand a ransom - the amount varying between $1,000 - $3,000. According to Krebs, several individuals have confirmed receiving such an email and confirmed the authenticity of the password mentioned in the message. However, in every case, the recipients acknowledged that the passwords were almost a decade old and were not being currently used.

Old breaches boosting new scammers

Although such extortion scams are not new, the idea of using people’s real passwords is a novel approach.

The cybercriminals likely got their hands on their targets’ real passwords by scouring already hacked and leaked password databases of old major breaches. The rest of the claims made in the frightening email, however, are bogus.

“It is likely that this improved sextortion attempt is at least semi-automated,” Krebs wrote in his report. “My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.”

Scammers prey on fear

Extortion scams like these are aimed at preying on people’s fear of losing their social and/or professional standing.

This particular scam has been crafted to create a shadow of doubts as to whether or not the cybercriminals could have actually hacked their webcams and made videos of them. However, this scam, like others, is just yet another attempt at tricking a target into paying a ransom.

While it is highly recommended that recipients not respond to such emails, it is imperative that recipients immediately change their passwords, particularly if the ones mentioned in the scam email is still currently being used.