A simple fraud scheme that spams out extortion demands threatening to reveal the online porn habits of victims can be very profitable when usernames and passwords are included in the messages, according to an analysis published by cybersecurity firm Sophos on April 22.
The company analyzed so-called “sextortion” spam caught in its email filters over five months, capturing the Bitcoin wallet address sent to victims for payments, and found that the campaigns cumulatively raked in $473,000, about $3,100 a day. Email messages used in the sextortion fraud scheme accounted for 4.23% of all observed spam traffic over the five months, and only 0.5% of the Bitcoin wallets used in the campaigns received a payment, Sophos stated in its advisory.
“It was a microscopic response rate, but it was still enough for them to make a profit,” says Sean Gallagher, senior threat researcher with Sophos.
The research shows that a simple fraud scheme can have big payoffs for the groups behind the cybercrimes.
Sextortion scams usually center on a simple fraud: the attacker threatens to reveal the recipient’s private porn habits and includes a username and password leaked in an earlier data breach to add credence to the threat. Those compromised credentials usually come from massive breaches and have nothing to do with people’s surreptitious activities online, but the inclusion of a once-valid username and password can frighten the recipient, Gallagher says.
“People still reuse passwords, and people still react in fear when they see something come in from someone that shows a valid username and password,” he says. “So people who are doing risky behavior online — such as going to porn sites — they feel seen, they feel exposed, they immediately panic and respond.”
Typically, groups will just send a single email to each victim using information from a compromised account. The scam can be profitable because, as with other spam campaigns, only a small fraction of recipients need to respond for it to pay for itself.
The attackers ran 10 to 20 campaigns, usually on weekends, and a handful of them exceeded 20% of the spam volume detected by Sophos, according to the researchers’ analysis.
The researchers analyzed spam activity connected to the sextortion scams between September 1, 2019, and January 31, 2020, finding transactions totaling nearly 51 Bitcoins, which at the average daily price of the cryptocurrency, tallied up to about $473,000.
Embracing the well-worn adage of “follow the money,” the researchers teamed up with CipherTrace to track the nearly 50,000 Bitcoin wallets to see whether victims paid the extortion demands and how much. Each wallet address was only included in the extortion email messages for an average of 2.6 days. Only 261 of the wallets received payment, which averaged out to…
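The two mechanics described above, a lure built from a leaked credential plus a Bitcoin payment address, and a measurement method that tracks each wallet from the emails it appears in to whether it was ever paid, can be reproduced on a small scale by a mail-security team working from its own spam quarantine. The following is an added example, not code from Sophos or CipherTrace: the detection heuristic (`is_sextortion`), the regular expressions, the sample messages and the payment ledger are all constructed here, and the ledger stands in for whatever blockchain lookup a real analysis would use.

```python
import re
from datetime import date

# Loose patterns for the two address formats most commonly pasted into spam:
# legacy/P2SH (starts with 1 or 3, base58) and bech32 (starts with bc1).
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"
)
# "your password is X" / "password: X" style claims built from breach dumps.
CREDENTIAL_RE = re.compile(r"\bpassword\b\s*(?:is|:|-)\s*(\S+)", re.IGNORECASE)
# Threat vocabulary typical of the lure; two or more hits counts as a threat.
THREAT_TERMS = ("webcam", "video", "contacts", "adult", "porn", "recorded")


def extract_btc_addresses(text):
    """Return every Bitcoin-looking address in the message body."""
    return BTC_ADDRESS_RE.findall(text)


def is_sextortion(text):
    """Heuristic: payment address AND leaked-credential claim AND threat wording.
    Requiring all three keeps ordinary password-reset mail and donation
    newsletters (which each carry only one of the signals) out of the hits."""
    lower = text.lower()
    has_address = BTC_ADDRESS_RE.search(text) is not None
    has_credential = CREDENTIAL_RE.search(text) is not None
    threat_hits = sum(term in lower for term in THREAT_TERMS)
    return has_address and has_credential and threat_hits >= 2


def campaign_stats(messages, ledger):
    """Follow the money: for each wallet seen in flagged mail, compute how long
    it stayed in circulation and whether it ever received a payment.
    `ledger` maps address -> BTC received (constructed stand-in for a chain lookup)."""
    first_seen, last_seen = {}, {}
    for msg in messages:
        if not is_sextortion(msg["body"]):
            continue
        seen = date.fromisoformat(msg["date"])
        for addr in extract_btc_addresses(msg["body"]):
            first_seen[addr] = min(first_seen.get(addr, seen), seen)
            last_seen[addr] = max(last_seen.get(addr, seen), seen)
    wallets = sorted(first_seen)
    # Inclusive day count: a wallet used on one day only is active for 1 day.
    active_days = {a: (last_seen[a] - first_seen[a]).days + 1 for a in wallets}
    paid = [a for a in wallets if ledger.get(a, 0.0) > 0]
    n = len(wallets)
    return {
        "wallets": n,
        "avg_active_days": sum(active_days.values()) / n if n else 0.0,
        "paid_wallets": len(paid),
        "payment_rate": len(paid) / n if n else 0.0,
        "btc_received": sum(ledger.get(a, 0.0) for a in paid),
    }


# Constructed wallet addresses (valid character set, not real wallets).
WALLET_A = "1TESTWALLET" + "A" * 22
WALLET_B = "3TESTWALLET" + "B" * 22
WALLET_C = "1TESTWALLET" + "C" * 22

# Constructed sample quarantine: three extortion mails, one password-reset
# notice and one donation newsletter that happens to carry an address.
SAMPLE_MESSAGES = [
    {"date": "2019-09-07", "body": f"I know your password is hunter2. I recorded a video from your "
                                  f"webcam while you visited adult sites. Send 0.1 BTC to {WALLET_A} "
                                  f"or it goes to all your contacts."},
    {"date": "2019-09-09", "body": f"Your password is hunter2, remember? The webcam video of you on "
                                  f"porn sites goes to your contacts unless {WALLET_A} gets 0.1 BTC."},
    {"date": "2019-09-14", "body": f"Your password: qwerty123. I recorded a video through your webcam "
                                  f"on an adult site. Pay 0.05 BTC to {WALLET_B} within 48 hours."},
    {"date": "2019-09-14", "body": "Your password reset request was received. If this was not you, "
                                  "ignore this message; no action is needed."},
    {"date": "2019-09-15", "body": f"Thanks for reading our newsletter. Donate to {WALLET_C} if you "
                                  f"enjoy the project."},
]

# Constructed ledger: wallet A received one payment, wallet B none.
SAMPLE_LEDGER = {WALLET_A: 0.12, WALLET_B: 0.0}

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["date"], "sextortion" if is_sextortion(m["body"]) else "benign")
    print(campaign_stats(SAMPLE_MESSAGES, SAMPLE_LEDGER))
```

Run on the constructed quarantine, the three extortion mails are flagged, the reset notice and the newsletter are not, and the stats show two wallets, an average active window of 2 days, and a payment rate of 0.5. On a real quarantine the interesting numbers are the ones the Sophos analysis reports: how briefly each address is rotated, and how small a fraction of addresses ever receive a payment. The three-signal rule is deliberately conservative; a production filter would add sender reputation and campaign clustering rather than loosen it.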