According to Forbes, PornHub averaged 81 million visitors per day (28.5 billion visitors for the year) in 2017. Compare those 81 million daily visitors to the 2017 US population of 325.7 million, and the 28.5 billion annual visitors to the world population of 7.6 billion. Those aren’t all unique visitors, of course, but the traffic dwarfs the US and world populations. That’s what makes this latest bout of Shame Hacking so effective: the Shame Scammer knows his victim probably watches porn, and probably doesn’t want the world to see a video of them doing it.
If you were faced with the shame scammer’s ultimatum, pay a ransom of $2,900 or have a video released that was supposedly recorded through remote access to your camera while you were watching porn, what would you do?
My mom, and many others, faced that dilemma over the last week. Here’s how it happened.
Shame Hacking
There has been a recent outbreak of a new phishing scam that targets individuals in a completely different way.
Most people know phishing as emails pretending to be from a reputable company, sent to trick individuals into revealing personal information such as passwords and credit card numbers.
But this new form of extortion uses credibility (a real password), shame, and fear against its victims. It’s called Shame Hacking.
What to expect
I will cut to the chase. I am aware your password is 12345. I also know your secret but you do not know me
The scammer starts by building trust and fear at the same time: your actual password appears in the subject line and in the body of the email. Because the password is real, the recipient is sure to read the whole email. The scammer goes on to claim that the password was used to harvest contacts from email and from Facebook, and that those contacts will be used to release something awful.
I have discovered your misdemeanor. In fact, I actually installed a malware on the adult vids (sexually graphic) you visited to experience fun (you know what I mean). While you were watching the videos, you internet browser began operating as an RDP (remote control desktop) with a keylogger that gave me access to your webcam (its you doing inappropriate things).
This passage is meant to increase fear in the recipient or employee. According to “Fight the New Drug”, about 79% of the male population watches porn, so the attacker knows it’s likely that the people they email have consumed porn at some point. At this point the employee probably has a ton of questions running through their head: “What if my husband/wife sees this? What if my kids see this? What if my parents, boss, or friends see it? Will I lose my job? My relationships? I won’t be able to leave the house.” They are completely consumed by the scammer and the threat, and they are thinking irrationally.
Option one is to ignore this email. I definitely will send your video recording to your contacts including close relatives, colleagues and many other. Option two is to pay me $2900 as a (confidentiality tip) you can keep your secret and I will destroy the video.
The mysterious hacker then left my mother with an ultimatum. She could ignore the email and have the side-by-side video shared with all of her contacts: family, friends, and colleagues. Ignoring it is what most people would do, so the scammer addresses that head-on by explicitly listing it as an option and describing endless consequences if she does. Or she could pay a ransom of $2900 to an anonymous Bitcoin address, and the video would be deleted. $2,900 is a lot, but it seems pretty reasonable in exchange for keeping your job, family, relationships, and dignity intact.
Now you must be thinking “I will go to the cops.” Without a doubt I have covered my steps to make sure this email cannot be linked to me and it will not stop the evidence from destroying your life.
With this line the scammer aims to push the recipient toward one of the two options offered, by pre-empting the obvious alternative: going to the police, he claims, will neither stop the video from being released nor let the police track him down.
https://youtu.be/pNXZszPh24E
What to do
My mother clearly had enough confidence in what she searches for online to know that something was off. She reported the email to her company’s IT team, and they handled it. For others, though, this might not be the case. This shaming tactic has the potential to trick recipients into paying a ransom or providing confidential information, and in the worst case we’ve seen cyber bullying lead to personal harm.
It is important that people know how to handle these situations when they face them. IT leaders should raise awareness of this attack, which is happening right now, and of their company’s reporting policy. We’ve recently published an article showing 6 examples of phishing emails and how to identify them; it is easy to share with employees. It can be accessed by following this link, 6 Phishing Email Examples and How to Identify Them, or you can find the content in the SlideShare below.
Company policy should require that employees report these emails to their IT department, as my mother did. On a personal level, the recipient should not click any links in the email, should not respond to it, and should IMMEDIATELY change the password on every account that uses it.
The scammers most likely obtained the email address and password from a previous data breach, so make sure you change the password on every site where you used it.
The more people we can make aware of these attacks, the better. Share this with as many family members and friends as possible, and don’t forget to have those meaningful conversations with your grandparents about what to do and how to approach similar situations.
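As an added example (not code from the original post, nor Wuvavi’s own tooling), here is a small Python triage script that an IT team could run over reported emails. It scores a message against the hallmarks of the scam walked through in “What to expect” (a real password in the subject and body, webcam/RDP/keylogger claims, a Bitcoin ransom address, the two-option ultimatum, and the “go to the cops” deterrent) and turns a hit into the handling steps recommended here: don’t click, don’t reply, report it, and rotate the leaked password everywhere it was used. The two sample emails, the sender addresses and the Bitcoin-style address are constructed placeholders; the indicator weights and verdict thresholds are my own assumptions and should be tuned against real mail.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not real email, senders or identifiers):
# one modelled on the extortion email quoted in the post, one ordinary IT notice.
SEXTORTION_SAMPLE = """\
From: nobody@example.invalid
To: employee@example.com
Subject: 12345 is your password

I am aware your password is 12345. I also know your secret but you do not know me.
I installed a malware on the adult vids you visited. Your browser began operating
as an RDP with a keylogger that gave me access to your webcam.
Option one is to ignore this email. Option two is to pay me $2900 to
1SAMPLEADDRFRTESTNGPURPSEab2cd3 and I will destroy the video.
Now you must be thinking "I will go to the cops".
"""

BENIGN_SAMPLE = """\
From: it-helpdesk@example.com
To: employee@example.com
Subject: Password policy reminder

Reminder: please rotate your password before Friday using the self-service portal.
"""

# Each indicator mirrors one element of the scam described in the post.
PASSWORD_CLAIM = re.compile(r"\bpassword\s*(?:is|was|:|=)\s*(\S+)", re.I)
# Base58 (legacy) and bech32 (bc1...) address shapes; the sample address above is a placeholder.
BITCOIN_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")
SIMPLE_PATTERNS = {
    "surveillance_claim": re.compile(r"\b(webcam|keylogger|rdp|malware|remote desktop)\b", re.I),
    "adult_content": re.compile(r"\b(adult|porn|xxx|sexually)\b", re.I),
    "ransom_amount": re.compile(r"\$\s?\d[\d,]{2,}"),
    "ultimatum": re.compile(r"\boption (?:one|two|1|2)\b|\bignore this (?:e-?mail|message)\b", re.I),
    "police_deterrent": re.compile(r"\b(cops|police|law enforcement)\b", re.I),
}
# Weights and thresholds are assumptions for this example; tune them on your own mail.
WEIGHTS = {
    "password_claimed": 2, "password_in_subject": 2, "surveillance_claim": 2,
    "adult_content": 1, "bitcoin_address": 3, "ransom_amount": 1,
    "ultimatum": 1, "police_deterrent": 1,
}


def body_text(msg: Message) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def score_message(raw: str) -> dict:
    """Score a raw RFC 822 message for sextortion indicators and pull out the leaked credential."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    text = subject + "\n" + body_text(msg)
    found = []

    match = PASSWORD_CLAIM.search(text)
    claimed = match.group(1).rstrip(".,;:!?\"'") if match else None
    if claimed:
        found.append("password_claimed")
        if claimed in subject:          # the post's key tell: the real password in the subject line
            found.append("password_in_subject")
    for name, pattern in SIMPLE_PATTERNS.items():
        if pattern.search(text):
            found.append(name)
    addresses = BITCOIN_ADDRESS.findall(text)
    if addresses:
        found.append("bitcoin_address")

    score = sum(WEIGHTS[name] for name in found)
    verdict = "likely sextortion" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "verdict": verdict, "indicators": found,
            "claimed_password": claimed, "bitcoin_addresses": addresses}


def recommended_actions(result: dict) -> list:
    """Map a verdict to the handling steps the post recommends for the recipient."""
    if result["verdict"] == "benign":
        return []
    actions = ["Do not click any link in the email",
               "Do not reply to the email",
               "Report the email to the IT/security team"]
    if result["claimed_password"]:
        actions.append(f"Change the password {result['claimed_password']!r} "
                       "on every account where it is used; it came from an earlier breach")
    return actions


if __name__ == "__main__":
    for sample in (SEXTORTION_SAMPLE, BENIGN_SAMPLE):
        result = score_message(sample)
        print(result["verdict"], result["score"], result["indicators"])
        for action in recommended_actions(result):
            print("  -", action)
```

Run stand-alone, the script prints “likely sextortion” for the first sample with the full indicator list and the four handling steps, and “benign” with no actions for the helpdesk notice. The claimed password is extracted deliberately so the responder can tell the user exactly which credential to rotate; the verdict is a triage aid for the reporting policy, not a replacement for it.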
Before you go
Wuvavi provides an enterprise-grade employee awareness platform for small and medium-sized businesses. Wuvavi trains employees to recognize cyber threats like the shaming hack detailed here, and increases their awareness through safe, simulated phishing attacks.