“I give you one chance – “Recorded you mastrubating – “I seen everything”. You might have received one of these emails yourself, containing a similar threat to expose your secrets unless you pay your captors some Bitcoin.
But don’t worry, according to new research today by cyber security firm Check Point, such “sextortion” campaigns are mostly bunk, even the ones that claim to know your password.
Check Point has spent the last five months monitoring “sextortion” campaigns to find out how they actually work. It turns out the tech most use is ancient—the campaigns use a spam bot called Phorpiex, which has been around for a decade, Alexey Bukhteyev, a cybersecurity researcher at Check Point who wrote the report, tells Decrypt.
“Phorpiex uses databases of leaked email addresses and passwords obtained from previous large-scale breaches (such as the Hotmail and MSN Mail breaches disclosed earlier in 2019),” says Craig Coward, who handles communications for Check Point.
Armed with emails and passwords, the bot hacks into victims’ computers, bypassing their email client to avoid leaving a trace, and uses them as hosts to launch email campaigns. Despite its age, it’s still impressive: the Phorpiex spam bot has infected over half a million computers. Once hacked, the infected machines can send over 30,000 emails in an hour. A single email campaign can reach over 27 million victims, says the report.
The criminals are trying to call victims’ bluff: They probably haven’t got access to webcams or microphones, and are just trying to con victims into giving them money, says the report. But people still take the bait. In fact, according to Check Point’s research, criminals behind this scheme have made over $110,000 in the past five months.
“This may not sound much but for a low maintenance operation requiring only a large credentials list and the occasional replacement of a wallet this provides for a nice 22,000 US$ monthly income,” reads the report.
And these kinds of emails are on the rise: according to a 2018 FBI report, extortion emails are up 242 percent from last year, causing $83 million in damages to the US.
Check Point’s Bukhteyev says that these emails are particularly insidious because they manage to get around spam and junk filters: ”The emails have no malicious content: they don’t contain any malware, scripts, even images. So, if the filters are not set up for the specific rules that can catch this kind of [email], it will be delivered,” he says.
So, what to do about them? “Users should update their anti-virus software and run it to eliminate any lingering Phorpiex infections, and to block future infections,” says Bukhteyev.
But even though the popular Phorpiex spam bot doesn’t record your webcam or microphone, unfortunately, “Malware and spyware does exist that can record from microphones and webcams,” said Bukhteyev. So the coast isn’t entirely clear. “The solution is to keep anti-malware software updated, to minimize the chance of these threats infecting their PCs,” he says.