
Sextortion plot uses public breach data to trick victims into thinking they were hacked

A pair of new research reports are providing details on an ongoing "sextortion" scam in which malicious actors use publicly available lists of breached email addresses and passwords to contact victims and then blackmail them with false claims that they were caught viewing pornographic materials.

Researchers have identified at least two distinct campaigns involving these scam emails, which all include "From:" headers featuring a variation on the name Aaron Smith. Collectively, the operation has already amassed extortion payments of at least 23.3653711 bitcoins, according to Cisco Systems' Talos Security Intelligence & Research Group, whose technical leader Jaeson Schultz authored one of the two blog post reports. Using Oct. 31 conversion rates, that's worth roughly $147,000.

Barracuda Networks, the company behind the second report, warns that the campaigns have found some success because the threatening emails literally reference the victim's password, which tricks users into thinking that their computers were hacked, when they were in fact not. Rather, these passwords were likely lifted from public resources such as the AntiPublic Combo List, which contains hundreds of millions of leaked passwords stolen in various breaches, Barracuda explains in a blog post written by senior security researcher Jonathan Tanner.

"Well, I actually placed a software on the adult video clips (porno) website website and, you know what, you visited this site..." reads one version of the poorly written threat message. "While you were viewing videos, your browser started out operating as a Remote Desktop with a key logger which gave me accessibility to your display screen and also web cam. Immediately after that, my software gathered your complete contacts from your Messenger, Facebook, as well as email."

None of this is true. Nevertheless, the attackers threaten to send a video of the victim, spliced with whatever pornographic content he was supposedly viewing at the time, to several of his contacts. The email then demands a payment in the $1,000 to $7,000 range, always a round figure ending in three zeroes; the exact amount is randomly generated per message.

In its report, Cisco Talos calls the two linked sextortion campaigns the "Aaron Smith" operation, after the name that appears in some variation in every message's "From:" header. The campaign began in July; its last major burst of activity came on Oct. 9, when the perpetrators expanded their target list and registered additional bitcoin wallet addresses for receiving payments.

Cisco researchers decided to look at a two-month period from Aug. 30 to Oct. 26. Reviewing all Aaron Smith activity recorded by the email spam reporting service SpamCop during that time span, the researchers found 233,236 reported emails sent from 137,606 unique IP addresses.

About 50 percent of the threats originated from Vietnam (15.9 percent), Russia (15.7 percent), India (8.5 percent), Indonesia (4.9 percent) and Kazakhstan (4.7 percent). Talos theorizes that the Necurs botnet could be involved in distributing the sextortion emails, considering that India and Vietnam are known to have many machines infected with Necurs malware.

Separately, Barracuda reported observing approximately 24,000 Aaron Smith emails since this past September.

Targeting has been inefficient, however: only 15,826 unique recipient addresses were affected, according to Talos, meaning many victims received the lure more than once. Talos also found that the attackers have so far generated at least 58,611 unique bitcoin wallet addresses to accept extortion payments, although only 83 had positive balances.
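The triage a mail-security team would apply to these lures, as an added example that is not Talos's or Barracuda's tooling: pull the bitcoin address out of the body and validate its Base58Check checksum, so that base58-looking tokens and mistyped addresses do not count as a payable wallet; extract the dollar demand and the quoted password; and look that password up (by SHA-1, in the upper-case hex convention of the Pwned Passwords corpus) in a local breach corpus, which is the evidence to hand the recipient that the password came from a public dump rather than from their own machine. The sample messages, the breach corpus and the wallet address (generated here from a made-up hash) are all constructed for this example; the amount range and "round figure" check mirror the behaviour reported above.

```python
"""Triage heuristic for 'Aaron Smith'-style sextortion lures (added example).

Constructed sample messages and a constructed breach corpus; the bitcoin
address is generated below from a made-up hash, not taken from any campaign.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape; Base58Check validation weeds out look-alikes.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)")
# Both orderings seen in these lures: "<pw> is your password" / "password is <pw>".
PASSWORD_RE = re.compile(
    r"password\s*(?:is|was|:)\s*[\"']?([^\s\"'.,]+)"
    r"|([^\s\"'.,]+)\s+is\s+(?:one\s+of\s+)?your\s+password", re.I)
THREAT_TERMS = ("webcam", "web cam", "key logger", "keylogger", "contacts", "adult", "video")


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58encode_check(payload: bytes) -> str:
    """Base58Check-encode; used only to build a checksum-valid sample wallet."""
    raw = payload + _checksum(payload)
    n, digits = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        digits = B58[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\0"))  # each leading zero byte -> leading '1'
    return "1" * pad + digits


def b58decode_check(addr: str) -> bool:
    """True iff addr decodes to 25 bytes (version + hash160 + checksum) with a matching checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    pad = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\0" * pad + body
    return len(raw) == 25 and _checksum(raw[:21]) == raw[21:]


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex, the convention used by the Pwned Passwords corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


@dataclass
class Verdict:
    is_sextortion: bool
    wallet: Optional[str]
    amount_usd: Optional[int]
    quoted_password: Optional[str]
    password_in_breach_corpus: bool
    reasons: List[str] = field(default_factory=list)


def analyze(body: str, breach_corpus_sha1: set) -> Verdict:
    reasons: List[str] = []
    # A demand needs a payable address; only a checksum-valid one counts.
    wallet = next((m.group(0) for m in BTC_ADDR_RE.finditer(body)
                   if b58decode_check(m.group(0))), None)
    if wallet:
        reasons.append("checksum-valid bitcoin address")
    amount = None
    m = AMOUNT_RE.search(body)
    if m:
        amount = int(m.group(1).replace(",", ""))
        if amount % 1000 == 0 and 1000 <= amount <= 7000:
            reasons.append("round demand in the reported $1,000-$7,000 range")
    password = None
    m = PASSWORD_RE.search(body)
    if m:
        password = m.group(1) or m.group(2)
        reasons.append("quotes a password")
    lower = body.lower()
    if sum(t in lower for t in THREAT_TERMS) >= 2:
        reasons.append("webcam/keylogger/contacts threat language")
    in_corpus = password is not None and sha1_hex(password) in breach_corpus_sha1
    return Verdict(wallet is not None and len(reasons) >= 3,
                   wallet, amount, password, in_corpus, reasons)


# --- constructed samples (not real campaign data) ---
SAMPLE_WALLET = b58encode_check(b"\x00" + hashlib.sha256(b"constructed-sample").digest()[:20])
BREACH_CORPUS = {sha1_hex(p) for p in ("Summer2017!", "password123")}

SCAM = (
    "I'm aware that Summer2017! is your password.\n"
    "I placed malware on the adult video site you visited; your browser started\n"
    "working as a remote desktop with a key logger and I recorded your webcam.\n"
    "My software also gathered your contacts from Messenger, Facebook and email.\n"
    f"You will pay $3,000 in bitcoin to this address: {SAMPLE_WALLET}\n"
    "You have 24 hours."
)
BENIGN = (
    "Hi, your temporary password is Summer2017!, please change it after first\n"
    "login. The video of the all-hands is on the intranet."
)

if __name__ == "__main__":
    for label, body in (("scam", SCAM), ("benign", BENIGN)):
        v = analyze(body, BREACH_CORPUS)
        print(label, v.is_sextortion, v.reasons,
              "(password appears in breach corpus)" if v.password_in_breach_corpus else "")
```

The wallet check is the piece that matters operationally: the regex alone fires on any 26- to 35-character base58 token, while the 4-byte checksum rejects a mistyped or mangled address, so a message whose address fails validation is flagged as something other than a payable extortion demand. The benign message shows the other side of the same point: a legitimate email can quote a password that is in a public breach corpus and still not be sextortion, which is why the verdict requires a valid wallet plus at least three indicators rather than any single one.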

Further investigation by Talos linked some of the attackers' bitcoin wallet addresses, Necurs sending infrastructure and threatening content to additional spam campaigns, suggesting an even larger criminal operation may be at play. One such campaign referenced the recipient's telephone number instead of a password, another was designed to look like a tech support ticket, and yet another suggests that recipients have been cheating on their significant others. Another possibly related campaign takes a completely different approach, pretending to be a message from a hit man who has been hired to kill the recipient but is willing to forgo the job in exchange for a payment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects, often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
