Sextortion 2.0: «Don’t make us visit you at this address»
October has started off with another significant wave of blackmail e-mails, some of which have ended up in Swiss inboxes. This time, victims are more shaken up than ever. Why? Because the perpetrators have their mobile numbers, home addresses and photos of their houses. Despite this, you should never pay a cent if it happens to you.
Sextortion in itself isn’t a new phenomenon. Cyber criminals send e-mails to innocent recipients, claiming to have gained access to their webcam or computer and stolen compromising video footage. They tell their victims that they’ve been videoed «visiting websites of a pornographic nature», then demand hush money. Hence the term «sextortion», a combination of «sex» and «extortion».
A new level of intimidation
Although sextortion e-mails were initially shocking, the upset soon died down. Sent piecemeal to random e-mail addresses, they sounded generic and vaguely formulated – an obvious bulk e-mail. Not only that, but major e-mail providers and their spam filters ensured many users didn’t even see the messages.
This new wave of sextortion is a different story, with today’s cyber criminals going to unprecedented lengths. The latest blackmail e-mail begins with the victim’s first and last name, mobile phone number and home address. It then moves on to the typical claim – that the recipient has visited a compromised porn site, had their device infiltrated and been covertly filmed by the perpetrators. This is followed by a demand to send about 2,000 US dollars in Bitcoin to a crypto wallet address. The perpetrators threaten to send the video to the victim’s social media and phone contacts or to post their phone number online. They even claim they’ve built a special pixel into the e-mail to notify them whether it’s been opened. The message is topped off with a threat to come to the recipient’s home address «to talk», complete with a picture of their home. Although the photos obviously come from Google Street View, they leave no doubt that the perpetrators know their victim’s home address.
There are even stories on Reddit about such threats being sent by post – at least in the USA.
Corporate data leakages are to blame
As well as the sample e-mail I got from the National Cyber Security Centre (NCSC), a Digitec reader who’d fallen victim to the new scam also reached out to me. The perpetrator got his name, home address and phone number right too. This means there have been several confirmed cases of the scam in different regions of German-speaking Switzerland. Although the e-mails are written in English, the perpetrators have paid close attention to details, such as the «ü» dots in the word «Zürich».
As the NCSC reports, the data most likely came from a data leak by the company Eye 4 Fraud. This is a firm that specialises in checking the authenticity of data records for online mail order companies or service providers so that nobody can take advantage of goods or services without paying for them. The e-mail address of the Community member who contacted me was verified to have been included in that same leak. You can easily check for yourself, free of charge, whether you’ve been affected too:
- Go to haveibeenpwned.com
- Enter your e-mail address and click on the «pwned?» button. All data leaks you’ve been affected by will be displayed.
Note: don’t be surprised if there are multiple leaks. Older e-mail addresses that have been in use for a while are particularly likely to show up in several such data breaches. This isn’t necessarily down to you – it could also be a result of some manufacturers’ carelessness. If you have a strong password and have activated your provider’s multi-factor authentication feature, you’ll still be pretty secure.
Don’t get intimidated
The way these messages are written, with all these personal details, is undoubtedly intimidating. But don’t let it faze you. The perpetrators don’t have access to your computer. It’s an e-mail that’s been sent millions of times. Delete it right away. However, if you’re in doubt, you can get help via the National Cyber Security Centre’s contact form. It’s worth reaching out to them either way. Since the perpetrators operate from numerous addresses, reporting them helps get them gradually blocked.