The BitCoin Sex Trap Email Extortion Scam


An Odd and Very Demanding Message

Last Friday night, I received a note from “Hyman Cipolletta” using the Outlook.com account rriivoryorz@hotmail.com. The message header shows that the message originated in a North American server (Namprd12.prod.outlook.com) in the common Office 365 infrastructure shared by Exchange Online and Outlook.com.

My interest was tweaked by the subject, composed of an old password and my Gmail account name. The message (Figure 1) started off:

“I won’t beat around the bush. I am aware xxxx is your password. Moreover, I know about your secret and I’ve evidence of your secret. You do not know me personally and nobody hired me to investigate you.”

Porn bitcoin email scam

Figure 1: The message demanding a Bitcoin payment

The Scam

0.75 BTC is EUR5,276 or US$6,147 at today’s rate, so the sender of this note had serious intentions. They demonstrated that they knew something about me (my Gmail address and an old password) and laid out a rational explanation for what might had happened. The flaw in the argument was that I knew I hadn’t been near any adult video sites, so the description of a keylogger being installed on my PC couldn’t have happened. And without the keylogger, no contacts from Facebook, Messenger, and email could have been gathered.

But if you had been tempted to go near such sites, it’s possible that what was described might have happened, which is why scammers lay out a plausible story in the hope that some of the millions of people they send email to will panic and believe that their watching habits would soon become public.

Internet to the Rescue

You might blame the internet for making porn easy to access. When it comes to scam, the internet is pretty fast at reporting their techniques and letting people know what’s really happening. A quick search revealed many descriptions of similar emails. Here are two:

Brian Krebs broke the story on July 12 and it seems like since then scammers have been working their way through a store of stolen email addresses and passwords to try and convince as many as they can to send them various sums of money. I guess I should feel good that my demand was at the high end of the spectrum as others have been asked for far less.

Payments Flowing In

What’s distressing is that some people are paying the scammers. @SecGuru has been able to keep track on some payments (Figure 2) and it seems like the scam is profitable.

Bitcoin sex email scam results

Figure 2: Cash flows in for the scammers

How Did the Scammers Get My Data?

If you go to Troy Hunt’s Have I Been Pwned site, you can find a list of sites where attackers have stolen email addresses and passwords. Looking through the list, I find sites that I use, like LinkedIn, where over 164 million addresses were compromised, and Disqus, also with sites that I occasionally used, like Ancestry.com. A simple check revealed that my email address is on 4 breached sites, so the scammers have a choice of sources where they can find my address.

What to Do

In any case, the password cited in the email is an old one that I don’t use today.  This means that the combination isn’t worth much to hackers, especially as I use multi-factor authentication (MFA) whenever possible to protect any important site that I use.

If you receive an email that contains a password you still use, you should obviously change that password on any site where it is still active. And if possible, take the choice to use multi-factor authentication to improve security. Services like Gmail, LinkedIn, and Office 365 support MFA.

Above all, don’t respond to the scam. Ignore the message, unless you feel that you should report it to the local police force (as recommended by some experts). Personally, I don’t think that most police forces can do much about this kind of scam. I reported the email to Microsoft (use Outlook’s Report Message add-in) so that they can improve their ability to block rubbish like this in their anti-malware tools.

Scams are a Pain

The popularity of email as the lingua franca for communication across the internet means that attackers like finding new ways of poking at human vulnerability to make money. This is just another example of a scam that’s popular right now. Do the right thing and secure your passwords and you’ll be fine. Stay safe!

Follow Tony on Twitter @12Knocksinna.

Advertisements

About Tony Redmond ("Thoughts of an Idle Mind")

Office 365 MVP and author
This entry was posted in Email, Uncategorized and tagged , , , , . Bookmark the permalink.

2 Responses to The BitCoin Sex Trap Email Extortion Scam

  1. Chris G. says:

    Thanks for bringing some attention to this recent scam. As a corporate e-mail admin, I take responsibility for minimizing the impact these types of attacks have on my users. When I learned about 3 of my users receiving similar messages last Monday, I quickly gathered the messages and started analyzing the headers in order to determine if I could create a transport rule to quarantine any future messages. Since they are all coming from “legitimate” systems (every one was from a Microsoft hosted outlook.com or hotmail.com sender), that was a dead end. So I turned my attention to the content and found the text “BTC address” in each message. My rule quarantines and notifies when it finds that text in the message body. Hardly a perfect solution, but appropriate for my business which doesn’t do any BitCoin transactions. I’m calling it a marginal success, since it has caught several more messages.

    However, since every reported instance I have seen is originating from a Microsoft hosted account, I’m curious what steps MS is taking to help mitigate this. Any insights you can share?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.