Sextortionists Get Past Defenses with Cryptocurrency Shift

A new campaign is evading secure email gateways that rely on identifying word patterns in order to filter out spam.

A sextortion campaign is making the rounds that attempts to evade detection by demanding payment in cryptocurrencies other than Bitcoin.

Sextortion operators typically send emails out claiming to have harvested webcam footage or browser histories related to adult content from the recipient’s computer – and then threaten to release damaging information to family, friends and coworkers. The mails go on to demand payment in exchange for not releasing that information. The reality of course is that the crooks haven’t actually collected anything at all – they’re simply relying on victims’ fear and gullibility.

Hunter Johnson, a researcher at Cofense Professional Services, noted that secure email gateways (SEGs) block these mails as spam by looking for certain word patterns in the body of the emails – including asking for payment in Bitcoin. The latest sextortion campaign spotted by Cofense mixes things up by instead asking for payment in Litecoin — which is enough, he said, to slip past SEG filtering.

“Previous iterations showed a gradual shift away from identifiable patterns and to alternative cryptocurrencies, in an attempt to foil SEG Bitcoin-detection rules,” he wrote in a blog on Tuesday. “The current emails appear to be crafted to contain very few searchable word patterns. While we could publish the contents of those emails, let’s just say the emails contained adult language admonishing the recipient to be more careful about their browsing and webcam habits.”

He added that previous strategies for getting around SEGs include replacing text with an image, which prevented key words from being identified by SEGs; attaching PDF documents containing the demands rather than putting them in the email body; and encrypting those attachments with the decryption password in the body of the email.

“As this latest twist shows, threat actors can switch to the next cryptocurrency and attempt to iterate through all the scam’s previous versions,” Johnson said. “While there are thousands of cryptocurrencies, only a dozen or so are easily attainable from large exchanges. For the scam to work, the recipient needs an easy way to acquire the requested payment method.”
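A filter that keys on the payment address itself, rather than on the word "Bitcoin", keeps matching when the demand moves to another currency. The Python sketch below is an added example, not code from Cofense or any SEG vendor: it validates Base58Check candidates found in a text body and maps the version byte to Bitcoin or Litecoin. It assumes legacy address formats only, and the sample address and email body are constructed.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Base58Check version byte -> coin (legacy P2PKH/P2SH address forms only).
# 0x05 was also used by older Litecoin P2SH addresses; it is reported as Bitcoin here.
VERSIONS = {0x00: "Bitcoin", 0x05: "Bitcoin", 0x30: "Litecoin", 0x32: "Litecoin"}
CANDIDATE = re.compile(r"\b[1-9A-HJ-NP-Za-km-z]{26,35}\b")

def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as Base58Check defines."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version: int, body: bytes) -> str:
    """Encoder, used here only to build the constructed sample address."""
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def classify(token: str):
    """Return the coin name if token is a checksum-valid address, else None."""
    n = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    pad = len(token) - len(token.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return VERSIONS.get(raw[0])

def find_wallets(body: str):
    """List (coin, address) pairs for every valid address in an email body."""
    pairs = ((classify(tok), tok) for tok in CANDIDATE.findall(body))
    return [(coin, tok) for coin, tok in pairs if coin]

# Constructed sample: a made-up 20-byte hash and a body with no coin name in it.
SAMPLE_LTC = b58check_encode(0x30, bytes(range(20)))
SAMPLE_BODY = f"Be more careful next time. Send 3 coins to {SAMPLE_LTC} in 48 hours."

if __name__ == "__main__":
    print(find_wallets(SAMPLE_BODY))
```

This only sees addresses present as text in the body; the image, PDF and encrypted-attachment variants described above need content extraction before a check like this can run.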

Sextortionists typically gather target emails from prior credential breaches; and the scam messages sometimes offer, as proof of compromise, a password associated with the victim’s online accounts. Users can check sites like to see if their email credentials have been compromised, Johnson noted.

Sextortion emails are growing in volume so far this year, according to the FBI. It can be a lucrative activity for cybercriminals: Researchers at Symantec analyzed data from the 5,000 most-seen Bitcoin addresses used in sextortion emails in May and found that 63 of those wallets received 12.8 bitcoins through 243 transactions in a month.

That means that scammers took in nearly $106,240 in total in May alone.

“During this time one bitcoin was worth approximately $8,300, so the scammers received about $106,240 in total in a month,” according to the study. “So at an average, these scammers are earning well over $1.2 million a year ($1,292,586).”

As another example, one campaign uncovered by Malwarebytes in August, launched by a group calling themselves “ChaosCC,” raked in around $2,500 worth of Bitcoins per week.

According to a recent report from Digital Shadows, another factor spurring the growth of sextortion is the emergence of resources on the Dark Web to help novices. These resources include access to credentials leaked from past breaches, tools and technologies that aid in creating campaigns, training from online extortionists, and a trove of DIY extortion guides available in criminal underground forums.

The report also found that newbie scammers are incentivized with high salaries if they are able to hook high-earning targets, such as doctors, lawyers, or company executives — which they can target by scouring LinkedIn profiles or other social media accounts.

“When it comes to email sextortion scams, suffice to say, business is unfortunately incredibly good,” according to Malwarebytes’ report. “But more importantly, this should be a wake-up call for users. A lot of people, even those who consider themselves Internet-savvy, are falling for or are rattled by the extortion messaging, especially those emails that make use of old passwords to scare innocent people into parting with their money.”
