Attackers contact their targets through email, claiming that they have video footage of their victim watching what I’ll delicately describe as ‘adult entertainment’ content. Most of the devices that people use to watch that sort of content online are either smartphones or tablets with front-facing cameras, or laptops with webcams. So, a lot of the targets might assume that the basis of the attackers’ extortion attempt is valid.
Combine that with the attackers’ claims of having acquired one of the targets’ passwords through malware exfiltration, then displaying that password in plaintext in the body of the email, and you’ve got a very convincing social engineering strategy.
The attackers then threaten to distribute the personally compromising footage to the targets’ friends, family, and coworkers through Facebook, Facebook Messenger, and email if the victim doesn’t fork over $2900 worth of bitcoin within one day.
Here’s an example of the emails that the targets have received (edited for appropriateness):
I’m aware, XXXXXX is your password. You don’t know me and you’re probably thinking why you are getting this mail, right?
Well, I actually placed a malware on the <adult content> website and guess what, you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser started out working as a RDP (Remote Desktop) with a key logger which gave me access to your display screen as well as web camera. Just after that, my software program gathered every one of your contacts from your Messenger, Facebook, and email.
The extortion message goes on to instruct targets how to make payment under threat of exposure.
The passwords that the attackers have sent their targets are legitimate passwords the target really uses. Seeing a real password naturally alarms the target, and frightened people often panic and act rashly.
Universal Cyber Protection believes that it’s unlikely that the attackers actually have footage of their targets watching adult content. As far as the passwords are concerned, the attackers likely acquired them through data breaches conducted by other cyber attackers, not from adult content website malware, as they assert in their email.
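As an added example (not code from Universal Cyber Protection or the original article), here is a small Python scorer that flags mail bodies combining the indicators this scam relies on: a claimed password, a claimed webcam/RDP/keylogger compromise, a threat to contact the victim’s contacts, and a bitcoin demand with a deadline. The sample messages and the three-indicator threshold are constructed for the illustration.

```python
from __future__ import annotations
import re

# Indicator patterns drawn from the structure of the extortion email quoted
# above. Each one alone is weak (a benign mail can mention a webcam);
# the scam is recognisable by the combination.
INDICATORS = {
    "claims_password": re.compile(r"\b(?:is your password|your password is)\b", re.I),
    "claims_webcam_malware": re.compile(r"\b(?:web ?cam(?:era)?|rdp|remote desktop|key ?logger)\b", re.I),
    "threat_to_contacts": re.compile(r"\b(?:contacts|friends|family|coworkers|messenger|facebook)\b", re.I),
    "bitcoin_demand": re.compile(r"\b(?:bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b(?:within|in)\s+(?:one|\d+)\s+(?:day|hour)s?\b", re.I),
}

# Constructed threshold (an assumption, not from the article): three or more
# indicators together is treated as a sextortion attempt.
THRESHOLD = 3


def score_sextortion(body: str) -> tuple[int, list[str]]:
    """Return the number of matched indicators and their names."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(body)]
    return len(hits), hits


def is_sextortion(body: str) -> bool:
    """True when the body matches at least THRESHOLD indicators."""
    score, _ = score_sextortion(body)
    return score >= THRESHOLD


# Constructed sample messages (not real mail). The first mirrors the quoted scam;
# 'hunter2' stands in for the redacted password.
SCAM_SAMPLE = (
    "I'm aware, hunter2 is your password. I placed a malware on the website and your "
    "browser started out working as a RDP (Remote Desktop) with a key logger which gave me "
    "access to your web camera. My software gathered every one of your contacts from your "
    "Messenger, Facebook, and email. Send $2900 in bitcoin within one day."
)
BENIGN_SAMPLE = (
    "Hi team, the webcam in conference room B is broken again; facilities will "
    "replace it on Friday. Thanks!"
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_sextortion(msg)
        print(f"{label}: score={score} hits={hits} flagged={is_sextortion(msg)}")
```

The benign message trips only the webcam indicator, which is why a single keyword match must not be enough to quarantine mail.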