Unfortunately, we’ve had to warn about sextortion, also known as porn scamming, many times before.
Porn scams are phishing tricks whereby criminals try to squeeze you into making contact with them, or even to pay them money immmediately, by claiming to have evidence that you have committed some sort of sexually-related online impropriety.
In the early days of porn scamming, the messages were often made to look like police demands, typically locking up your browser or your mobile phone and keeping you stuck on a warning page.
These pages were frequently topped-and-tailed with ripped-off police logos determined by your geolocation (e.g. if your IP number was in the US, you would see an FBI logo; if in Australia, you’d get the Australian Federal Police “branding”), to give them a whiff of legitimacy.
The web page you ended up locked onto usually offered you two choices: pay an online fine to “decriminalise” the charges and put an end to the matter, much like taking the online route of paying a parking or speeding fine; or get arrested and have your day in court.
Here’s what this sort of scamming looked like eight years ago:
The good news is that this brand of online extortion didn’t last very long, for three main reasons:
- Reveton, one of the primary gangs behind these scams, got busted in Spain and shut down.
- Users learned how to remove this early type of ransomware using free tools to bypass and delete the “lockup” program that tried to take control of your device..
- Cybercriminals turned their attention to a new type of extortion.
Police locker scamming dies out
The bad news, of course, as alluded to above, is that simplistic “police locker” ransomware, as it was known, was replaced in the cybercrime arsenal by file-locking ransomware, where there was no need for the crooks to pretend to be law enforcement officials.
Quite the opposite, indeed: in modern ransomware attacks, which found their criminal feet in the early 2010s, the criminals make no secret of their criminality, usually demanding huge amounts of money for a decryption key to unscramble your files, or for a promise not get your stolen data leaked, or both:
Sextortion video scams
Porn-oriented scams soon returned to our inboxes, however, with phishing emails that were plain-and-simple blackmail demands, like this one:
I’m aware, [REDACTED] is your password. You may not know me, and you are most likely wondering why you’re getting this mail, right? […]
I installed a malware on the adult vids (sex sites) site, and there’s more, you visited this site to have fun (you know what I mean). Once you were there on the website, my malware took control of your browser. […]
Well, I believe, $1900 is a fair price for your little secret. You will make the payment through Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
Personal data used for verisimilitude
In this revised type of “sextortion” scam, the crooks typically add into the email some widely-known data from an earlier data breach.
Usually, this means data stolen from a third-party service provider to whom you’d trusted it but who hadn’t returned your trust with good cybersecurity.
By putting into the email an actual password of yours (even if it was an old one you’d already changed), or your phone number, or some other semi-private chunk of data, the criminals hoped to convince you that their claim to have implanted spyware on your computer must be true.
And even if you weren’t worried – or didn’t care about – about the porn allegations, the crooks hoped you might still reply to them on the grounds that if they know some private data of yours…
…what else might they have got hold of along the way?
Over the last year or two, however, we’ve noticed that the steady stream of sextortion emails we used to receive – at one time, we were getting several variants on the theme each week – has dwindled to almost nothing.
Note that we’re not suggesting, despite the timing, that the coronavirus pandemic has anything to do with this tail-off in porn scams to our email accounts. You can probably come up with various theories that might plausibly connect the two things, e.g. that home delivery scams turned out more lucrative, so that’s where the artisan parts of the cyberunderworld switched their attention, but correlation (or plain coincidence) does not, as you well know, does not imply causation. We hve no firm evidence for exactly why our own sextortion email “feeds” tailed off, and we can only hope it’s because there was less and less money in it for the crooks as more and more people learned to recognised these scams for what they were.
Down, but not out
Sadly, however sextortion scams haven’t died out altogether.
Like many aspects of cybercrime, old-school techniques fot crookery rarely die out altogether – in the same way when that file-locking ransomware took over from police locker ransomware, and began to dominate the cybersecurity news because of the huge blackmail payments involved…
…other types of malware and cybercriminality, such as spyware, keylogging, spambots, cryptomining and romance scamming and spambots, didn’t disappear.
Here’s a recent sextortion scam example in French, sent in by a Naked Security reader we’ll refer to simply as @M (thanks, M!) , where the porn scammers have converted their message into an image.
This is an old trick that makes it harder for security software that filters incoming messages primarily by analysing the grammar, structure, style and content of the writing:
Often, attackers stick to messages in plain text or HTML for the obvious reason that web or email links in those messages typically turn into directly tempting “calls to action”.
Web URLs inside emails (and even in plain old SMSes, or text messages) are often automatically made clickable, and embedded email addresses can usually be replied to directly, or copied semi-automatically into your address book or the To: field of a new message.
Adding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can’t contain clickable links, or even text that can be copied and pasted.
Shaking loose some replies
But the criminals behind scam campaigns like these – fake police notices – aren’t trying to entice you to a new website or to encourage you to try clicking on a brand new service.
They’re aiming to frighten just a few of the recipients of these messages enough to scare them into replying of their own accord.
Indeed, as this email claims (highlight 1 above; our loose translation), after warning you of the penalties for viewing illegal cyberporn (up to 5 years and a fine up to EUR75,000):
We sent you an email in this form for reasons of confidentiality. If you wish, you many reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.
Simply put, the criminals are trying to convince you that they do have evidence against you, but they have – for reasons of “fairness” and “decency” – been discreet enough not to include this evidence in an email where someone else might come across it.
Presumably, the blackmailers behind this scam are hoping that at least some of the recipients will feel pressurised into justifying themselves, perhaps by explaining that although they have looked at porn recently, they haven’t knowingly committed any criminal offences or viewed any illegal content while doing so.
As you can imagine, anything that’s shared with the criminals will simply be worked into future correspondence with potential victims, in order to increase the amount of manipulation and the level of pressure applied by the crooks.
Any personal circumstances or explanations offered to the crooks will be turned into replies intended to amplify and expand the fear of those victims, until they agree to take some action to “suppress” or to “finalise” the matter, typically involving paying over some sort of “fine” or hush money.
The criminals finish off even more threateningly (highlight 2 above):
You are now summoned to answer in your own words immediately in order to prevent this matter from going further and taking an unpleasant turn against you. After 72 hours, we will are obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.
What to do?
We suspect that most or all Naked Security readers will discard emails of this sort without further thought.
But you may have family or friends who, if they are worried by a message like this, probably won’t reach out to you for help…
…so we’ve published this article to try to help them where you might not be able to.
Importantly:
- How likely does the message really seem? The sender of this email was given as Jean-Luc Godard, who in real life is a world-famous left-wing French filmmaker now in his 90s. The investigating officer you are told to email directly is Frédéric Veaux, the Director General of the French Police. If you were being charged, you would have to be formally accused by name, not simply sent an email starting simply Monsieur/Madame. (Interestingly, the subject line said Mr/Mme, mixing up English and French in an obvious mistake.)
- If in doubt, don’t give it out. If this were a geniune criminal investigation, you would not be invited to submit evidence in mitigation informally via email. That would be insecure both for you and the police, and would almost certainly be useless in court anyway.
- Don’t be afraid to check with a trusted source. If this email were genuine, and there really were police charges against you, then emailing back information of your own to defend yourself against as-yet unspecified, unknown claims against you would be a very bad idea. The police themselves would not ask you to do that, which makes it obvious that this email doesn’t come from the police in the first place.
- Check online for similar message reported by other people. Many sites, of which Naked Security is just one, make an effort to write up scams like this in order to show potential victims that they aren’t the only ones being “accused”, and thus that the message they received is simply one of many identical spams sent out to stir up fear.