Thanks to Michelle Farenci and the Sophos Security Team for their help with this article.
Cybercriminals really do know no limits.
Remember sextortion, where they say they’ll spam your friends and family with x-rated photos of you that they got via malware?
At least, they will unless you pay them $2000.
Well, the Sophos Security team just sent us a phish they received that shows the stakes just got a lot higher and way more offensive.
Now, the price is $4000, and if you don’t pay…
…then they’re threatening to infect your family with coronavirus.
As crazy as that sounds, the crooks are making that threat because they want you to believe that they really do have deep, dark insights into everything you do, because they’re deep inside your computer and your digital life, and because they can track you and your family everywhere.
The weird look to the text below is because the crooks have used lookalike Greek characters in place of English letters such as A, N, O, T and V to disguise the words from simple text matching (see screenshot of email here):
Subject: [YOUR NAME] : [YOUR PASSWORD]
I know every dιrτy liττle secreτ abοuτ your lιfe. To ρrove my poιnτ, tell me, does [REDACTED] ring αny bell το yοu? It was οηe οf yοur pαsswοrds.
Whαt dο Ι κnow αbοuτ you?
Tο sταrt with, I κηοw all of yοur passwords. I αm awαre of your whereαbοuτs, what yοu eaτ, wιth whοm you tαlk, every liττle τhing yοu do in α day.
What αm Ι cαpable οf dοιηg?
Ιf I wαηt, I cοuld eνen infect yοur whοle fαmily with τhe CοronαVirus, reνeαl all of yοur secrets. There αre cοunτless τhiηgs I cαn dο.
Whατ should yοu do?
Yοu need tο ραy me $4000. You’ll mαke τhe ρayment viα Βiτcoiη τo the belοw-mentιοηed αddress. Ιf you dοn’t knοw how tο do τhis, seαrch ‘how tο buy bιτcoin’ in Goοgle.
(Ιt is cAsE sensiτiνe, sο cοpy αηd ραste it)
You hαve 24 hours τo maκe the ραyment. Ι hαve a unique pιxel withιn τhis email messαge, and rιght now, I κηοw thατ yοu hαve reαd thιs email.
If I dο ηoτ geτ the paymenτ:
Ι wιll iηfect eνery member οf your family with τhe CοronαVιrus. No matter how smart yοu αre, belieνe me, ιf Ι waητ to αffect, Ι caη. Ι will also gο αheαd aηd reνeαl yοur secreτs. Ι will comρletely ruiη yοur lιfe.
Nonetheless, ιf I do geτ ραιd, Ι wιll erαse every lιτtle informατιοη I have αbοut yοu immediατely. You will never hear from me αgαιn. It ιs a nοn-ηegotιαble οffer, sο dοn’t wαsτe my τιme αnd yours by reρlyiηg to thιs emαil.
As we’ve seen so often in sextortion emails, the “proof” that they really can see deep into your online life is a password that very likely is one you used to have…
…but they’ve extracted it from publicly available data leaked in an old data breach, so even though it might have been a secret once, it hasn’t been for years.
What to do?
- Don’t send any money. It’s all a pack of lies.
- Don’t be scared. In scams like these, the crooks don’t have any data on you, let alone details about all your family members and where they live.
- Don’t think of replying. It’s tempting to contact the crooks, just in case, but they have nothing to sell; you have nothing to buy; and by contacting them you are just giving them another chance to scare you into making a mistake.
- Let people know about this scam. Make sure others don’t fall for this horrible scam either. Let’s face it, we already have enough to worry about at the moment.