I provide support to many businesses so I run into plenty of random issues throughout my work week. However, one issue appears to be an ever increasing constant over the past several weeks. So much so that I’ve actually had to type up a canned response to address the influx of emails about it to be able to effectively address it across my support base. So, as you can probably assume by the title, the tl;dr of this post is: No, a porn virus didn’t compromise your account.

THE EMAIL

The message has shown it’s face in slight variation in the time I’ve seen it, but the core message is always the same:

From: phil@REDACTED.com [mailto:phil@REDACTED.com]
Sent: Tuesday, October 02, 2018 12:54 AM
To: Phil
Subject: Security Warning
Hi, dear user of REDACTED.com
We have installed one RAT software into you device.
For this moment your email account is hacked (see on <from address>, I messaged you from your account).
Your password for phil@REDACTED.com: 778777
I have downloaded all confidential information from your system and I got some more evidence. The most interesting moment that I have discovered are videos records where you masturbating.
I posted my virus on porn site, and then you installed it on your operation system. When you clicked the button Play on porn video, at that moment my trojan was downloaded to your device. After installation, your front camera shoots video every time you masturbate, in addition, the software is synchronized with the video you choose.
For the moment, the software has collected all your contact information from social networks and email addresses. If you need to erase all of your collected data, send me $800 in BTC (crypto currency).
This is my Bitcoin wallet: 1PuYAe7BLxNE6F6zE2PeVthfXCeYH88PmQ
You have 48 hours after reading this letter. After your transaction I will erase all your data. Otherwise, I will send video with your pranks to all your colleagues and friends!!!
And henceforth be more careful! Please visit only secure sites!
Bye!

THE THREAT

The message seems to always have these same two constants (along with others): A known password of the user, email appears sent from the user.. In my experience, the sending user has always been spoofed. I have not come across a case where the malicious actors are actually logging into these accounts. My guess is they don’t risk it because they’re making plenty of money just spoofing it. This is actually done quite easily as exhibited by my previous post. Nonetheless, the user believes their account is compromised because the email appears to be from them and presents them with information (the password) that nobody else should / would know.

The extortionists often get bonus points if the victim does happen to have a closet porn browsing habit, especially if it’s of a variety that would be widely categorized as weird or unacceptable. Even with the other two factors above, this is probably the most compelling threat that causes action when the three are together.

THE PASSWORD

So how are the scammers able to so widely present users with accurate current or past passwords? Well in the age of information we live in, data breaches are all too common. In fact, a majority of internet users have likely been the victim of a public data breach. Now, just because a user has been involved in a breach, even a high profile one, does not mean their password is exposed. Most passwords in breaches have at least some kind of protection on them when they’re stored.

However, criminals can get a hold of these breaches and run all of the passwords against software that will attempt to crack them. If a user has a weak or common password, their chances of having their password guessed are fairly high. It’s always these users who are the subject of these emails. I have never seen an email where they tell the user their password is: correcthorsebatterystaple (don’t use that password though, it’s compromised too). It’s always something like the email above, a very simple or short password.

When I receive a concerned email from a suspicious user, I always go to two places and they both have accurately corroborated my suspicions every time. The first place is ghostproject.fr. They allow you to input a username or email address and will display any known cracked passwords related to the account. This, in my experience, has always displayed the password from the extortion email when I enter the user’s email in here. Then, I go to HaveIBeenPwned to verify which breaches the email has been involved in and as one would expect from the results of the first site, there’s always at least one major breach involving their email.

THE PROFITABILITY

It has become quite annoying having to constantly address these emails but I am thankful that users are willing to report them to me. The increase in them has been so sudden that I had been left to wonder why. Well, look no further than Sammy (0x736a) on Twitter for the answer. She deals with email security regularly and has been plagued by the same scam. She followed the money and it turns out, these people are making quite the nice return on these emails. If you view the thread she started HERE, you’ll see that she followed the transactions and they are receiving a surprising amount of income.

In addition to what I’ve already noted, she had some really good insight on why a portion of users could easily be coerced into paying and that was regarding those who live in oppressive countries. She noted, “ I’d pay $800 if I thought that something punishable by death was about to be sent to my contacts”. Unfortunately that’s an all too real scenario for some recipients of these emails.

SO WHAT NOW?

This part is really simple and I’ll break it down into 3 parts:

  1. Stop paying these people. They’re not gonna keep wasting time for little to no return.
  2. Check your accounts on the two sites I noted above. You can even sign up to be notified of new breaches as they’re exposed on HaveIBeenPwned. If you notice a password on GhostProject that you still use, STOP IT.
  3. Stop reusing your passwords, seriously. I know it’s easy and I know everything requires a password these days. but you need to understand how common password reuse attacks are and how effective they are. If you want to use a password, try putting it in HERE and see if it’s already been involved in a previous breach.
  4. This is a bonus one: make stronger passwords. If you reference the link I added to the password “correcthorsebatterystaple” above you’ll find a comic illustrating the password problem we’ve dug ourselves into. Length is always best in my opinion. It doesn’t need to be so complicated that you forget it (unless a site makes you). Investing in a password manager isn’t a bad idea either but in that case you REALLY need to take advantage of 3 and 4 together to ensure safety of your password manager.

Companies lose my information like it’s their job.

If I reused my password on all of my banking, healthcare, social media, and government sites, do you know the kind of access someone would have to my life if even one of these breaches exposed my password? There’s no guarantee that even large companies with security budgets in the hundreds of thousands of dollars will be able to keep our data safe. We have to control what aspects we can of our data safety and a large portion of that can be done through using a unique password for each site.

Lastly, stop defending yourselves to your IT/Security people when you forward this trying to convince them you definitely weren’t looking at porn ever. It seems really suspicious…