Sextortion scams are one of the big newcomers in Internet fraud of the last year. In these campaigns spammers send e-mails which claim that they have hacked into the victim's computer and used its webcam to film the victim masturbating while surfing adult websites. In order to prevent the crooks from publishing the compromising material they demand a certain amount of money in bitcoin within a certain timeframe. Of course, these claims are largely false which is easy to see if you think about the amount of work and expertise it would take to break into millions of desktop computers, monitor the browsers for accessing porn websites, capturing "evidence", and looking through it to make sure it actually contains what the attackers want, etc.
Nevertheless, these campaigns are pretty successful and a new research paper (see URL below) takes a scientific look into them. Some of the key takeaways are:
- Sextortion campaigns are much cheaper than traditional spam campaigns as there is no need to set up and maintain credible looking websites, purchase, sell and ship (poor quality) goods, etc. This may increase the profit for the criminals compared to "traditional" spam, although the authors' don't say anything about this.
- Cryptocurrencies make these campaigns much easier to pull of compared to using old-school money.
- In the examined campaigns the price for the ransom varies for different languages.
- A lot of the bitcoin addresses are shared throughout multiple campaigns and many can likely be tied to a single real-world entity, but this can be due to the infrastructure the spammers are using, not due to the small number of spammers themselves.
This research proves with numbers what many people in (IT-)security experience everyday: If there is an easy, quick, and cheap way to earn money, most criminals will prefer it compared to more sophisticated methods.
Research paper: https://arxiv.org/abs/1908.01051
Author: Dimitri Robl