Sextortion is an attempt to extort money, or to get victims to do something against their will, by threatening to release embarrassing personal images or video of the victim. The compromising images may come from the victim’s webcam after it has been hijacked by malware, or the imagery may be fake or nonexistent, as in sextortion scams.
In April 2020, a new sextortion scam campaign was detected making the rounds in countries on both sides of the Atlantic. The spam emails that were detected by ESET’s research laboratory have been trying to dupe unwitting victims by referring to old passwords that have been part of old data breaches. The campaign is not altogether new, since it repurposes old scams. The first time that scammers made waves with these tactics was in 2018 with a campaign that also included the victim’s password in the subject line. The email itself claimed that the password was obtained by compromising one of the recipient’s devices using malware.
How the scams work
People receive an email that claims their computer has been hacked and that the scammer has obtained intimate recordings of them, for example while they were using a porn site. Some versions of the scam have included the person’s password for an online account or may appear to have been sent from the person’s own email address. The scammer claims to have access to the person’s contact list and threatens to send the footage to the person’s contacts unless a payment is made (often in Bitcoin).
We’ve received thousands of reports about this scam in New Zealand and are not aware of any cases where there has been proof of the recordings or where recordings have been released. Even if the scammer has obtained a password for your online accounts, it’s very unlikely that they’ve been able to use this to access your computer’s content, webcam or browsing history.
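The traits described above (a message that appears to come from the recipient's own address, a reference to a password, a threat about recordings, a Bitcoin demand) can be checked by a mail filter. The following Python is an added example, not part of the original article; the function names, keyword lists, three-signal threshold and the sample message are constructed assumptions.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy address shape

# Constructed sample message (not real mail). The address is the public
# Bitcoin genesis-block address, used only because its checksum is valid.
SCAM = """\
From: alice@example.com
To: alice@example.com
Subject: I know your password
Authentication-Results: mx.example.com; spf=fail; dkim=none

I know your password. I recorded you through your webcam.
Pay $900 in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or your contacts get the footage.
"""

def valid_btc(addr):
    """Base58Check-verify a candidate so random base58-like strings are ignored."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    if n >= 1 << 200:  # must fit 25 bytes: version + hash160 + checksum
        return False
    raw = n.to_bytes(25, "big")
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def sextortion_signals(raw_message):
    """Return which of the scam traits described above appear in one message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part only
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = msg.get("Authentication-Results", "").lower()
    checks = {
        "spoofed-self-sender": bool(sender) and sender == rcpt
            and "spf=pass" not in auth and "dkim=pass" not in auth,
        "password-reference": bool(re.search(r"\bpassword\b", body, re.I)),
        "recording-threat": bool(re.search(r"\b(webcam|recorded|footage)\b", body, re.I)),
        "bitcoin-demand": any(valid_btc(a) for a in BTC_RE.findall(body)),
    }
    return {name for name, hit in checks.items() if hit}

def is_likely_sextortion(raw_message, threshold=3):
    return len(sextortion_signals(raw_message)) >= threshold
```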
Sextortion that demands bitcoin payment
This type of sextortion scam demanding payment in bitcoin is so widespread, it’s unbelievable. Just hours after Reddit officially announced they had a breach, due to the fact that employees relied on SMS-based two-factor authentication, plenty of users found threatening emails in their inbox. Why? The Reddit data breach exposed quite a few old usernames and passwords. Cybercriminals took those passwords to provide some “legitimacy” to their common online scam. Even one of Reddit’s employees received the sextortion message, pointing out the ways cybercriminals try to monetize stolen email databases.
Laws related to sextortion
Offenders in such crimes usually thrive on the victim’s silence and lack of clarity in the law. Hence, everyone needs to be aware of the codes and sections that will help them in such cases.
• Section 108(1)(i)(a) of the Criminal Procedure Code empowers the victim to call the magistrate of her locality and inform him/her about the person whom she believes could circulate any obscene matter. The magistrate has the power to detain such person(s) and can order him to sign a bond to stop him from circulating the material. This might deter the accused. This is a quick remedial section because the victim can lodge the complaint with the magistrate without any direct evidence against the accused.
• Section 292 of the Indian Penal Code incriminates any person who distributes or threatens to disperse any intimate and compromising images of someone through any electronic means, including apps and other social media.
• If a picture of a woman is clicked in an obscene manner without her knowledge and is distributed, a voyeurism case under Section 354C of the IPC can also be filed, with the aid of other relevant sections from the Information Technology Act.
Steps to be taken for security
1. Always consider the type of information or pictures you post or share online. Ask yourself: “What would I do if someone threatened to show this to everyone I know?” (more on this in our guide to protecting yourself against doxing)
2. Keep your devices and PC updated and protected not just with antivirus, but with a tool that can block infected links.
3. Use strong passwords and, to avoid reusing them, consider trying a password manager that can ge