Inside One Of The Biggest Sextortion Scams: 450,000 Machines Send 30,000 Emails An Hour

Check Point Research has today published the results of a five-month-long investigation into what it has called the “largest-scale sextortion campaign” it has ever seen. What’s more, the threat actors behind the sexual blackmail scam could be using your computer to help distribute their demands for payment without your knowledge; up to 15,000 per infected computer. What is sextortion and how might you have unwittingly become involved in this illegal activity? Read on.

What is sextortion?

Simply put, sextortion is an email scam of the blackmail variety. An email is sent to an unsuspecting victim that threatens to expose sexual activity of some kind if payment is not made. Most commonly, these sextortion scams will claim to be from someone who has hacked into your web browser using a vulnerability that had not been patched. To make this claim appear genuine, the attacker will often start the email with “I know one of your passwords is,” and include a genuine password that was found to be associated with your email address following a data breach or leak. They will go on to further claim that they have full access to your computer and email. The sexual leverage is then applied, with a statement regarding your activity being recorded through your computer’s webcam including when you were visiting porn sites. The implication is plain enough, and the attacker will ensure the message is driven home by threatening to distribute compromising images or video of you to all your email and social media contacts if a “fee” is not paid.
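The scam described above follows a fixed template (a leaked-password claim, a "full access" claim, a webcam recording threat, a threat to contacts, and a cryptocurrency demand), which is exactly what a mail-gateway content rule can key on. The following is an added example, not code from the article or from Check Point; the two messages, the password and the Bitcoin address in it are constructed for the demonstration, and the indicator list and the score threshold are assumptions a defender would tune against real traffic.

```python
import re

# Constructed sample messages for the demonstration; neither is a real capture.
SAMPLE_MESSAGES = {
    "extortion": """Subject: Security Alert
I know one of your passwords is hunter2.
I have full access to your computer and your email.
I recorded you through your webcam while you were visiting porn sites.
Send 500 USD in bitcoin to 1ConstructedAddrForTest11111111111 within 24 hours
or I will send the video to all your contacts.""",
    "benign": """Subject: Password reset
You requested a password reset. Use the link below within 24 hours.
If you did not request this, ignore this message.""",
}

# Heuristic indicators drawn from the scam pattern described in the article.
# Each one alone is weak; the verdict rests on several co-occurring.
INDICATORS = {
    "password_claim": re.compile(r"\b(i know|one of) your password", re.I),
    "full_access": re.compile(r"full access to your (computer|device|email)", re.I),
    "webcam_claim": re.compile(r"\b(webcam|camera|recorded you)\b", re.I),
    "adult_site": re.compile(r"\b(porn|adult) (site|website)s?\b", re.I),
    "contacts_threat": re.compile(r"\b(send|distribute|share) .* to (all )?your contacts", re.I),
    "crypto_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
}

# Legacy base58 (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
# This only recognises the shape; it does not validate the checksum.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,59})\b"
)

# Assumed threshold: three or more independent indicators flag the message.
FLAG_THRESHOLD = 3


def score_message(text: str) -> dict:
    """Return the matched indicators, any wallet addresses found, and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    addresses = BTC_ADDRESS.findall(text)
    if addresses:
        hits.append("btc_address")
    score = len(hits)
    return {
        "score": score,
        "hits": hits,
        "addresses": addresses,
        "verdict": "sextortion" if score >= FLAG_THRESHOLD else "clean",
    }


if __name__ == "__main__":
    for label, body in SAMPLE_MESSAGES.items():
        result = score_message(body)
        print(f"{label}: {result['verdict']} (score {result['score']}, hits {result['hits']})")
```

Because the bot's messages are built from hardcoded strings, content rules like these catch the bulk of a single campaign, but they are brittle across campaigns; in a gateway they belong alongside sender reputation and rate-based signals rather than on their own. Any wallet address the rule extracts is also worth recording, since tracking the wallets is how the researchers measured the campaign's earnings.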

What did the Check Point researchers find?

Gil Mansharov and Alexey Bukhteyev, researchers at Check Point Research, spent five months monitoring a botnet operation known as Phorpiex or Trik. Active for the best part of a decade, the botnet has previously been seen making money by distributing malware such as GandCrab, or by mining cryptocurrency on infected machines. With some 450,000 infected devices currently incorporated into the Phorpiex botnet, this is not a small criminal endeavor by any means. However, the Check Point researchers noticed that it recently added a new method to make money: a sextortion spam bot.

A Check Point spokesperson, Ekram Ahmed, told me how this works. “Your computer becomes infected with Phorpiex,” Ahmed says, “which then connects to a command and control server, from which it downloads databases of emails and passwords.” Your computer will then start sending out thousands of emails via the Simple Mail Transfer Protocol (SMTP) without you knowing it is doing so. “Phorpiex deliberately circumvents both Gmail and Outlook in order to evade detection,” Ahmed says, “making it a lower-level, low maintenance operation.”

If your email address is targeted, the bot will create a total of 15,000 threads to send the sextortion messages that are composed of several hardcoded text strings. The researchers calculate that given the time it takes for all these spam threads to complete, Phorpiex is capable of sending 30,000 sextortion emails every hour. “Each individual spam campaign can cover up to 27 million potential victims,” the report stated.
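A bot that bypasses webmail providers and speaks SMTP itself leaves a distinctive network footprint: an ordinary workstation suddenly opens outbound port-25 connections to many different mail servers, instead of handing mail to the organisation's relay. The following added example (not code from the article or from Check Point) flags that fan-out from flow records; the flow records, the internal relay address and the window and destination thresholds are all constructed or assumed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, source host, destination IP, destination port).
# These are not real telemetry from the investigation.
FLOWS = (
    # Infected workstation: 12 distinct external mail servers inside 12 seconds.
    [("2019-10-16T09:00:%02d" % i, "10.0.0.12", "198.51.100.%d" % (i + 1), 25)
     for i in range(12)]
    # Normal workstation: all mail goes through the internal relay.
    + [("2019-10-16T09:05:00", "10.0.0.30", "10.0.0.2", 25),
       ("2019-10-16T09:05:30", "10.0.0.30", "10.0.0.2", 25),
       ("2019-10-16T09:06:00", "10.0.0.30", "10.0.0.2", 25)]
    # Low-volume direct SMTP: two destinations, below the default threshold.
    + [("2019-10-16T09:10:00", "10.0.0.41", "203.0.113.7", 25),
       ("2019-10-16T09:11:00", "10.0.0.41", "203.0.113.9", 25)]
    # Unrelated HTTPS traffic, ignored by the rule.
    + [("2019-10-16T09:12:00", "10.0.0.12", "192.0.2.10", 443)]
)

# Assumed: the only host that is supposed to send outbound SMTP on port 25.
SANCTIONED_RELAYS = {"10.0.0.2"}


def direct_smtp_fanout(flows, window=timedelta(minutes=5), min_destinations=10):
    """Return {source: peak distinct port-25 destinations in any window} for
    sources whose peak reaches min_destinations. Traffic to sanctioned relays
    and non-SMTP ports is ignored, so only direct-to-MX sending counts."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != 25 or dst in SANCTIONED_RELAYS:
            continue
        per_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        peak = 0
        # Sliding window over the source's events, counting distinct destinations.
        for right in range(len(events)):
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= min_destinations:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for host, fanout in direct_smtp_fanout(FLOWS).items():
        print(f"ALERT {host}: {fanout} distinct SMTP destinations within 5 minutes")
```

The same rule is cheaper still to enforce than to detect: endpoints that have no business speaking SMTP directly can simply be denied outbound port 25 at the egress firewall, which would stop this particular monetisation of an infected host outright, and the denied connection attempts then become the alert.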

How successful has the Phorpiex sextortion campaign been?

On the face of it, given the number of infected hosts and the rate at which the botnet can distribute the sextortion messages, the campaign has only performed moderately. By monitoring the campaign, and the Bitcoin wallets extracted from every spam bot spotted by Check Point researchers from April 2019, it has been determined that around 11 BTC ($88,322 or £68,943) has been earned by the criminals behind the operation. However, bear in mind that the value of the credentials being exploited by Phorpiex, email addresses and passwords that relate to resources other than email accounts, is very low; the criminals have nonetheless found a way to monetize them.

What do the security experts say?

“I’ve had close friends panic with this scam and forward me the email to ask if it’s valid,” Jake Moore, a cybersecurity specialist at ESET, says, “these targeted friends of mine have been clever, computer-savvy people, which shows the power and impact such an email can have.” These scams work so well because they rely upon that knee-jerk reaction of seeing a password that you remember using and assuming it could only have been known about by a successful hacker.

“The sight of one’s password is often enough to induce a sense of panic in individuals which gets them thinking about all the websites they may have visited,” says Javvad Malik, security awareness advocate at KnowBe4, “or actions they’ve carried out in front of the camera.” Do not acknowledge or otherwise reply to the email, Malik says, instead delete and move on. “It’s important to not click on any links in the email or open any attachments,” Malik says, “as they could be laced with malware.”

“No matter how credible the email looks, it is a threat, and the people behind it are criminals,” Lisa Forte, partner at Red Goat Cyber Security and a social engineering expert, says, “report it to the police, don’t pay and don’t click on any links in the email.” Even if you fear the threat could be genuine, as you have visited pornography sites and not practiced the safest security hygiene relating to password usage, you still shouldn’t pay. “People who pay often find themselves added to lists of ‘good people to target’ on the dark web,” Forte says, “so paying could paint a larger target on your back.”

It’s essential for anyone who receives such emails to take a breath and slow down, Malik says, and if they still use the included password on sites or services, they need to change it. “It’s important to have different passwords on different sites to prevent criminals from re-using stolen passwords and gaining access to other accounts,” Malik says, “a password manager can help greatly in this regard to generate and store strong and unique passwords for each site. Where available, people should enable 2FA, especially on critical sites like emails or social media.”

“If you want to mitigate your paranoia fully,” Moore says, “I can’t emphasize the use of a webcam cover enough. This simple piece of plastic, or ‘Blu tack’ will do, proves that your webcam has not been compromised.”