The porn scam hitting inboxes - and how to protect yourself

by Peter Griffin / 01 August, 2018

Free porn websites feature in the top sites accessed by Kiwis - so it's easy to imagine a fair few may have panicked upon getting the email. Photo / Getty Images

Sextortion scams could become all too real with age verification for porn sites.

As internet scams go, the emails landing in inboxes all over the world this month, aimed at shaming adult website users into paying to avoid having their porn-surfing habits revealed, were amateurish blackmail at best.

The majority of recipients, who likely don’t even visit porn websites, quickly saw through the ruse. As Victoria University PhD candidate and scam email recipient Sarah Hendrica Bickerton (@sarahhbickerton) tweeted:

I mean, given I don't access porn sites (porn actually bores me) I'm able to chuckle at this and disregard it.

But it makes me think how many people might be taken in by it.

Indeed, such extortion campaigns are simply a numbers game. The scammers know that most people will disregard the emailed demands (see below for an example), but that a small number will be spurred into panicked action. In this case, that meant making a payment of up to $3,000 to the anonymous correspondent in Bitcoin, a digital currency that is pseudonymous rather than untraceable: payments to a given address are publicly visible, which is how researchers have been able to tally what the scammers collected.

This scam caused disproportionate consternation, if not financial damage, around the world.

That’s because the perpetrators combined several scam tropes that hadn’t been used effectively in combination before.

We have your password

Chiefly, they exploited the negative stigma around viewing pornography that is common to virtually all cultures.

They then confronted the email recipient with what for many will have been an alarmingly authentic detail - a password the recipient had actually used at some point. In most cases it was years old and long since changed, probably obtained in one of the big data breaches at LinkedIn or MySpace that saw hundreds of millions of email addresses, usernames and passwords stolen and leaked onto the web. Hackers and scammers have been dining out on those credential dumps for years, and the only thing the sender needed to write the email was a list pairing your address with an old password.

Then the scammers really jumped the shark, claiming to have put malware on the user’s computer that granted access to their web camera. They were supposedly recording while the user sat in front of their computer watching porn and would send the video to all of their email contacts unless they paid up.

To be clear, the scammers haven’t hacked your computer and don’t have access to your web camera. They do hold one password that was once yours, but only because it appeared in a breach; it is a problem only if you still use it anywhere, or if you reuse the same password across sites.

The New Zealand Computer Emergency Response Team (CERT NZ) issued an alert on the scam.

“We can’t confirm whether the video recordings actually exist, or if this is an opportunistic scam. We have not had any reports of scammers releasing a video when a ransom isn’t paid.”

But when you consider that the world’s largest freely accessible porn websites, Pornhub.com, Xvideos.com and Xhamster.com regularly feature in the top 20 - 30 websites accessed by Kiwis according to tracking companies Alexa and SimilarWeb, it isn’t hard to imagine a fair number of people freaking out on receiving that email.

Hundreds have paid up

So what has the damage been so far? Within a week of the scam emails first appearing, at least US$50,000 had been paid to Bitcoin addresses used by the scammers, according to the pseudonymous Twitter security commentator @SecGuru, who has been tracking payments made to those addresses. By Tuesday they totalled US$250,000 from 151 victims, and that likely understates the total.

With the scam continuing to claim victims, SecGuru appealed to the big porn website owners to alert their users to it, tweeting yesterday:

It would be very good if all legal porn sites (eg Pornhub, Xhamster, etc) warn their visitors about this Sextortion Scam. Visitors to these sites are the target group that pay:-( #scam #Extortion #sextortion

With material posted to the likes of Pornhub and Xhamster freely available without registering on the site or using a log-in, millions of site visitors leave little in the way of identifying details, particularly if they use private or incognito browsing modes. Those modes only stop history and cookies being kept on the local machine; the site and the visitor’s internet provider still see the connection and its IP address.

However, the online porn industry has faced growing pressure to introduce age-verification measures to its sites as concern grows around the accessibility of hardcore pornography to minors under the age of 18 through simple internet searches.

Repeated efforts from conservative politicians in the US to introduce legislation requiring verification of the age of porn site visitors have failed, mainly on free speech grounds. But the United Kingdom intends to have age-verification measures in place by the end of the year, as part of the Digital Economy Act 2017.

Porn site age checks

That will enforce rules that could see porn website operators face fines and have their websites blocked by UK internet providers if they don’t put in place systems to verify the age of site visitors, using identifiers such as credit card details, driver’s licence or passport number.

Those rules, which are estimated to impact 20 - 25 million porn site visitors in the UK, were intended to go into effect in April, but have been deferred until later in the year to give the British Board of Film Classification (BBFC) more time to draft guidelines around what exactly constitutes pornography and how the companies should police access to it.

The UK Government’s plan to let the industry deliver the age-verification systems has also been controversial. While independent systems exist that could authenticate a website user’s identity and age without sharing their private details, a bit like the New Zealand Government’s RealMe system, the porn industry has moved quickly to develop the systems itself.

MindGeek, the owner of Pornhub, YouPorn, Redtube and Brazzers, has developed AgeID, a system that uses encrypted details to verify a site user’s age. It has floated AgeID as the system that could be used across all porn websites in the UK to make them compliant with the law.

But any system that acts as an authentication tool to verify age will become a target for hackers seeking to uncover the details of millions of website users. A system run by one of the largest purveyors of internet porn could potentially be used to mine data on the millions of users signing up. In the wake of numerous major data breaches around the world in recent years, it is hard to imagine millions of Brits trusting a system that could be seen to catalogue their sexual proclivities.

The UK-based Open Rights Group led the campaign against the age verification system and sees its implementation by the UK Government as being deeply flawed.

The ghost of Ashley Madison

“Genuinely, the privacy risk was so severe that if all that data were hacked they would never be taken seriously again when it came to holding private citizens’ data, whether covertly or otherwise,” the Open Rights Group’s legal director, Myles Jackman, said in March.

The prospect of an Ashley Madison-style data breach appears to have given the UK Government pause for thought.

In 2015, hackers leaked onto the internet gigabytes of information on users of the Canadian website, which facilitated extramarital liaisons between its members. Privacy advocates fear similar data dumps if UK users, who currently are hard to trace, end up linking personal details to their access to porn sites.

New Zealand’s government has kept a watching brief on the UK developments, but so far has favoured promoting education through NetSafe and active intervention from parents such as web filtering tools to prevent explicit material getting into the hands of minors.

That seems a sensible move, especially given that the age-verification systems the UK is looking to implement can be circumvented with the use of virtual private networks that allow a user to appear as though they are accessing a porn website from outside of the UK.

The UK Government now faces intense scrutiny as it attempts to turn a policy that the Conservative Party pledged during its election campaign, into a workable scheme that protects the privacy of millions in a world where information security is fragile and constantly under attack.

Text of the sextortion email arriving in inboxes around the world

I do know, [PASSWORD REDACTED], is your password. You do not know me and you are probably thinking why you are getting this email, correct?

actually, I placed a malware on the adult videos (pornography) website and do you know what, you visited this website to experience fun (you know what I mean). While you were watching videos, your internet browser initiated working as a RDP (Remote Desktop) that has a key logger which gave me accessibility to your display and also webcam. after that, my software program obtained all your contacts from your Messenger, Facebook, as well as email.

What exactly did I do?

I made a double-screen video. First part displays the video you were viewing (you've got a nice taste haha), and second part shows the recording of your webcam.

exactly what should you do?

Well, I believe, $2900 is a reasonable price tag for our little secret. You'll make the payment via Bitcoin (if you don't know this, search "how to buy bitcoin" in Google).

BTC Address: 19ZFj3nLSJCgoAcvZSgxs6fWoEmvJhfKkY
(It is cAsE sensitive, so copy and paste it)

Important:
You have one day to make the payment. (I've a unique pixel within this email message, and now I know that you have read this e mail). If I do not get the BitCoins, I will definitely send out your video to all of your contacts including relatives, co-workers, and so forth. Nonetheless, if I receive the payment, I'll erase the video immidiately. If you want evidence, reply with "Yes!" and I will send your video to your 9 friends. It is a non-negotiable offer, that being said do not waste my time and yours by replying to this e-mail.
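The “unique pixel” the email boasts about refers to a real technique: a remote image whose URL carries a per-recipient token, so that the sender’s server logs a hit when a mail client renders the message. It reveals only that the message was opened, not anything about the recipient’s computer, and mail clients that do not load remote images defeat it. The following added example (written for this article, not taken from it or from any mail client) scans an HTML email body for images that look like such beacons; the sample message is constructed for the example.

```python
"""Flag likely tracking pixels in an HTML email body.

A tracking pixel is a remote <img> that is tiny (1x1), hidden with CSS, or
carries a long opaque per-recipient token in its URL. Inline (cid:) and data:
images are skipped because they are not fetched from a remote server.

Added example for the article above; the sample message is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    v = value.strip().lower().rstrip("px").strip()
    return v in ("0", "1")


def _style_hidden(style: str) -> bool:
    """True if the inline style hides the element or collapses it to nothing."""
    s = style.replace(" ", "").lower()
    return any(marker in s for marker in (
        "display:none", "visibility:hidden", "width:0", "height:0", "width:1px"))


def _has_token(src: str) -> bool:
    """True if any query-string value is a long opaque string (a likely recipient id)."""
    qs = parse_qs(urlparse(src).query)
    return any(len(values[0]) >= 16 for values in qs.values() if values)


def find_tracking_pixels(html_body: str) -> list[dict]:
    """Return one finding per suspicious remote image: {'src': ..., 'reasons': [...]}."""
    collector = _ImgCollector()
    collector.feed(html_body)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images never beacon back to a server
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1")
        if _style_hidden(img.get("style", "")):
            reasons.append("hidden")
        if _has_token(src):
            reasons.append("tokenised url")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample message: a normal logo, a beacon, and an inline attachment.
SAMPLE_EMAIL = """<html><body>
<p>I do know, hunter2, is your password.</p>
<img src="https://example.invalid/logo.png" width="200" height="60">
<img src="https://example.invalid/t/open.gif?u=9f3c1b7e2a4d6c8e0f1a2b3c"
     width="1" height="1" style="display:none">
<img src="cid:image001.png@01D4">
</body></html>"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The heuristics are deliberately loose: a legitimate newsletter’s open-tracking image trips them too, which is the point, since the defence (not auto-loading remote images) is the same whether the sender is a marketer or a blackmailer.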


How to avoid being scammed

  • Don’t use the same password for multiple websites; a password manager makes unique passwords practical
  • Don’t click on links or download attachments contained in emails sent to you from unknown sources
  • Use long, unique passwords, and change any password immediately if it turns up in a breach or in an email like this one
  • Use two-factor authentication if available for extra security
  • Visit the website https://haveibeenpwned.com/ to see if your email address is associated with accounts that have been compromised in previous major data breaches; its Pwned Passwords service lets you check a password the same way
  • Never respond to an extortion email asking for payment, and certainly don’t transfer any funds via internet banking or digital currency
  • Contact CERT NZ for advice if you are concerned that the scam or hacking activity may be genuine
  • Run antivirus software and keep your computer updated with the latest security patches to stay protected
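The password quoted in the scam email came from a breach corpus, and the same corpora are what Have I Been Pwned’s Pwned Passwords service indexes. Its range API is designed so that you never send the password itself: the client hashes the password with SHA-1, sends only the first five hex characters, receives every hash suffix in that range with a breach count, and does the final comparison locally (k-anonymity). The following added example (written for this article, not code from the article or from Have I Been Pwned) implements that client-side protocol. The live lookup function targets the real `https://api.pwnedpasswords.com/range/` endpoint but is not exercised here; the offline path runs against a constructed range response whose line format matches the service’s.

```python
"""Check a password against a breach corpus with the k-anonymity range protocol.

Only the first five hex characters of SHA-1(password) leave the machine; the
remaining 35 characters are compared locally against the returned range.

Added example for the article above. The offline range data is constructed.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for suffix, else 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_offline(password: str, ranges: dict[str, str]) -> int:
    """Look the password up in a local dict of {prefix: range_body}; 0 means not found."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, ranges.get(prefix, ""))


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup: fetch the range for the prefix and compare the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_in_range(suffix, resp.read().decode("utf-8"))


# Constructed range for prefix 5BAA6 (the prefix of SHA-1("password")). The
# first suffix is the real suffix of that hash; the counts and other lines are
# made up for the example and are not the service's actual data.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E2A5F6C3D4E5F6A7B8C9D0E1F2A3B4C5D6:2",
        "2F0B8A9C1D3E5F7A9B1C3D5E7F9A1B3C5D7:1",
    ]),
}

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = check_password_offline(candidate, SAMPLE_RANGES)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample corpus")
```

A count above zero means the password is in the corpus and should be treated as known to attackers, whether or not it has been paired with your email address; that is exactly the situation the scam exploits.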
