Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into their effectiveness suggests.
One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by quoting a real password, or part of one, that has been exposed by a genuine breach.
Most often these credentials come from breaches of web services that stored passwords using weak, easily cracked hashes. Password crackers sell the resulting lists of email addresses and passwords through underground forums, but the lists often leak and are therefore not difficult to acquire even without paying. Sextortionists take these lists and churn out batches of bogus emails, often from newly created webmail accounts, or alternatively take the lazier and less effective approach of sending through open email relays.
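Why an unsalted, fast hash turns a breach dump straight into a usable credential list is easy to show in code. The Python below is an added example, not code from the article or from Digital Shadows: it builds a constructed breach dump (four made-up users, digests computed here from the plaintexts purely so the example is self-contained; a real dump would contain only the hex strings), cracks the unsalted MD5 version with a single precomputed dictionary, and then runs the same wordlist against a salted, iterated PBKDF2 version of the same passwords to count how many hash operations each approach costs. The wordlist, iteration count and user names are all assumptions for illustration.

```python
import hashlib
import os

# Constructed sample data for this example (not a real breach dump).
USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein"),
         ("carol@example.com", "password"), ("dave@example.com", "Xk9#qT!v2m")]
WORDLIST = ["123456", "password", "qwerty", "hunter2", "letmein", "dragon"]
SALTED_ITERATIONS = 50_000  # assumed work factor for the "good" site

# What a weak site leaks: email plus unsalted MD5 of the password.
WEAK_DUMP = [(email, hashlib.md5(pw.encode()).hexdigest()) for email, pw in USERS]

# What a better site leaks: email, per-user random salt, PBKDF2-HMAC-SHA256 digest.
SALTED_DUMP = []
for email, pw in USERS:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, SALTED_ITERATIONS)
    SALTED_DUMP.append((email, salt.hex(), digest.hex()))


def crack_unsalted(dump, wordlist):
    """Hash each candidate word once, then recover every user by dictionary lookup.

    Returns (cracked, hash_operations). The cost is len(wordlist) regardless of
    how many users are in the dump, which is why such lists crack instantly."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {email: table[h] for email, h in dump if h in table}
    return cracked, len(wordlist)


def crack_salted(dump, wordlist, iterations=SALTED_ITERATIONS):
    """With a per-user salt no table can be shared: every (user, word) pair needs
    a fresh PBKDF2 run of `iterations` rounds. Returns (cracked, hash_operations)."""
    cracked, ops = {}, 0
    for email, salt_hex, digest_hex in dump:
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations).hex() == digest_hex:
                cracked[email] = w
                break
    return cracked, ops


if __name__ == "__main__":
    weak, weak_ops = crack_unsalted(WEAK_DUMP, WORDLIST)
    salted, salted_ops = crack_salted(SALTED_DUMP, WORDLIST)
    print("unsalted MD5: cracked", weak, "with", weak_ops, "hash operations")
    print("salted PBKDF2: cracked", salted, "with", salted_ops,
          "PBKDF2 runs of", SALTED_ITERATIONS, "rounds each")
```

Both runs recover the same three weak passwords, but the unsalted dump costs six MD5 calls in total while the salted one costs seventeen PBKDF2 runs for four users; scale the dump up to the hundreds of thousands of accounts in a typical breach and only the first is practical for a casual cracker. The fourth user's strong password is not in the wordlist and is recovered by neither method.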
Threat intelligence firm Digital Shadows ran the rule over a large sample of such scam emails, sent over a two-month period, to gauge their effectiveness.
In the sample, a total of 8,497 individual email addresses were swamped with more than 60,000 spam messages (a sample of which appears in a blog post here).
The Anti Public and the Exploit[.]in leaks were the two main sources of compromised credentials harnessed in the scam sample, Digital Shadows discovered.
Researchers found that persistence paid off for scammers: marks tended to pay up after a sustained series of scam emails rather than when the first one appeared in their inbox. Victims who had recently actually watched porn and were in the terrible habit of reusing passwords across multiple sites were more likely to cave in. Using a webcam was another factor that made marks more likely to respond.
Victims in the sample were told to send funds to various Bitcoin wallets. Digital Shadows discovered 26 transactions linked to a fraudulent campaign that brought in $28,000. The amount demanded by the sextortionists varied, Digital Shadows reported.
The attackers experimented with different methods to maximize their return. For example, by tracking one Bitcoin address, we can see the same one targeted 49 email addresses with demands ranging from $1,100 to $11,000. Eventually the attacker got lucky with a payment of $1,100 (0.1512 BTC).
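The per-address correlation Digital Shadows describes above (one wallet, many recipients, a spread of demands) is straightforward to reproduce over a mailbox sample. The Python below is an added example, not code from the article, the study or Digital Shadows. It runs over a handful of constructed sextortion messages (not messages from the real sample), pulls out legacy base58 Bitcoin address candidates, rejects any whose Base58Check checksum fails (a cheap filter against random address-shaped strings and typos), and reports, per validated address, how many messages and distinct recipients it appeared in and the range of dollar demands. The placeholder addresses are the well-known example addresses from the Bitcoin wiki, with the last one deliberately corrupted; bech32 (bc1...) addresses are out of scope for this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample messages for this example, NOT emails from the Digital Shadows
# study. (recipient, body). Addresses are the Bitcoin wiki example addresses used as
# placeholders; the last one has its final character altered so the checksum fails.
SAMPLE_EMAILS = [
    ("alice@example.com",
     "I know your password is hunter2. Send $1,100 to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 within 48 hours."),
    ("bob@example.com",
     "Your password: p@ssw0rd. Pay 11,000 USD to bitcoin address 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 or the video goes out."),
    ("alice@example.com",
     "Last warning. Pay 2,000 USD to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2."),
    ("carol@example.com",
     "I have a video of you. Transfer $3,500 to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy now."),
    ("dave@example.com",
     "Pay $700 to 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 today."),
]

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Legacy P2PKH ('1...') and P2SH ('3...') candidates only; bech32 is not handled here.
ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# Matches "$1,100" or "11,000 USD" style demands.
AMOUNT_RE = re.compile(r"(?:\$\s?(\d[\d,]*)|(\d[\d,]*)\s?(?:USD|usd|dollars))")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 equal the first 4 bytes of
    SHA256(SHA256(first 21 bytes)), i.e. a well-formed legacy Bitcoin address."""
    n = 0
    for ch in addr:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    try:
        raw = n.to_bytes(25, "big")  # version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_demand_usd(text: str):
    """Return the first dollar figure demanded in the message, or None."""
    m = AMOUNT_RE.search(text)
    if not m:
        return None
    return int((m.group(1) or m.group(2)).replace(",", ""))


def correlate(emails):
    """Group messages by validated payment address.

    Returns (report, rejected): report maps address -> {emails, recipients,
    min_usd, max_usd}; rejected lists address-shaped strings that failed the checksum."""
    hits = defaultdict(list)
    rejected = []
    for recipient, body in emails:
        for cand in ADDR_RE.findall(body):
            if base58check_valid(cand):
                hits[cand].append((recipient, extract_demand_usd(body)))
            else:
                rejected.append(cand)
    report = {}
    for addr, rows in hits.items():
        demands = [usd for _, usd in rows if usd is not None]
        report[addr] = {
            "emails": len(rows),
            "recipients": len({r for r, _ in rows}),
            "min_usd": min(demands) if demands else None,
            "max_usd": max(demands) if demands else None,
        }
    return report, rejected


if __name__ == "__main__":
    report, rejected = correlate(SAMPLE_EMAILS)
    for addr, s in sorted(report.items(), key=lambda kv: -kv[1]["emails"]):
        print(f"{addr}: {s['emails']} emails to {s['recipients']} recipients, "
              f"demands ${s['min_usd']:,} to ${s['max_usd']:,}")
    print("rejected (checksum failed):", rejected)
```

On the constructed sample the first address surfaces as the campaign hub (three messages to two recipients, demands from $1,100 to $11,000), while the corrupted candidate is dropped before it can pollute the totals. A practitioner feeding real mailbox data in would then look the validated addresses up on-chain to see which, if any, ever received funds.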
The scam represents a new way to monetise breached credentials.
Other security researchers, such as Troy Mursch, have begun attempting to chart the extent of these campaigns, as well as how much Bitcoin has been paid to fraudsters as a result, but this work remains preliminary and no firm conclusions can be drawn.
I've asked @Banbreach if they'd like to collaborate to help us build a definitive grand total of BTC paid in sextortion scams.
If anyone else has found BTC addresses used for this purpose, request edit access to add your data. https://t.co/lgX0qd65zX
— Bad Packets Report (@bad_packets) August 26, 2018
Sextortion as a term initially referred to a sleazy cybercrime in which perverts planted trojans on the PCs of young victims. Youngsters' PCs are often in their bedrooms, and the malware was used to surreptitiously turn on webcams and record footage or pictures of victims. This material was then used to coerce them into sending more explicit pictures or performing sex acts.