Carnegie Mellon University

Extortion Scams

An extortion scam is a type of scam where someone threatens, coerces, or blackmails the victim into providing a form of payment or service.

How Does it Work?

In an email extortion scam, the scammer sends the same extortion email in bulk to a large number of recipients. The email threatens to make embarrassing information public unless the victim pays. Payment is demanded in Bitcoin, which lets the scammer collect the money anonymously. To make the threat believable, the email may quote a password the recipient has actually used to log in to some site, leading victims to believe they have been hacked and must pay the extortion demand.

The citation of a password in the message opening is intended to establish the extortioner's credibility with the recipient and to motivate the recipient to comply with the demand. The cited password may be an old but once-valid password that was disclosed in a prior breach of an unrelated account or service, such as LinkedIn, Yahoo, Tumblr, MySpace and others. It is believed that the attackers are using older compromised credential lists to more narrowly target recipients of this campaign.

Extortion Email Scams at CMU

Members of the CMU community have reported receiving emails that are known to be a part of large-scale extortion campaigns. Messages from these campaigns are identified by the following distinct features:

  • The message opens by disclosing a password to the recipient that is believed to be related to the targeted account holder, e.g., "I’m aware that <password> is your password."
  • The message will then claim that the attacker has compromising video of the message recipient, and goes on to threaten to release this video publicly unless a cryptocurrency payment is made to the extortioner, generally within 24 hours.
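The two features above, together with the Bitcoin demand and the short deadline described earlier, can be turned into a simple triage heuristic. The following is an added example written for this page; it is not a CMU or ISO tool, the regular expressions are assumed heuristics rather than any official detection rule, and both sample messages are constructed for illustration.

```python
import re

# Indicators drawn from the campaign features described on this page.
# The patterns themselves are assumptions of this example, not official rules.
PASSWORD_DISCLOSURE = re.compile(
    r"(?:aware that|know that|know)\s+(\S+)\s+is your password"
    r"|your password is\s+(\S+)",
    re.I,
)
INDICATORS = [
    ("password_disclosure", PASSWORD_DISCLOSURE),
    ("compromising_video", re.compile(r"\b(?:video|recording|footage|webcam)\b", re.I)),
    ("crypto_payment", re.compile(r"\b(?:bitcoin|btc|cryptocurrency|wallet)\b", re.I)),
    ("deadline", re.compile(r"\b(?:within\s+)?\d{1,3}\s*(?:hours|hrs|days)\b", re.I)),
]

# Constructed sample messages (not real reports).
EXTORTION_SAMPLE = (
    "I'm aware that hunter2 is your password. I placed malware on a site you "
    "visited and my webcam recorded a video of you. If you do not send 900 USD "
    "in Bitcoin to my wallet within 24 hours, I will send the video to all your contacts."
)
BENIGN_SAMPLE = (
    "Reminder from IT: your password expires in 14 days. Please change it at the "
    "account portal. Do not share your password with anyone."
)


def find_indicators(text):
    """Return {indicator_name: matched_text} for each indicator found in text."""
    hits = {}
    for name, pattern in INDICATORS:
        match = pattern.search(text)
        if match:
            hits[name] = match.group(0)
    return hits


def cited_password(text):
    """Return the password the message claims to know, or None if none is cited."""
    match = PASSWORD_DISCLOSURE.search(text)
    if not match:
        return None
    return match.group(1) or match.group(2)


def is_likely_extortion(text):
    """Flag a message only when the distinctive combination is present:
    a disclosed password plus a cryptocurrency demand plus at least one more indicator."""
    hits = find_indicators(text)
    return "password_disclosure" in hits and "crypto_payment" in hits and len(hits) >= 3


def triage(text):
    """Summarize a message for a reader deciding what to do with it."""
    password = cited_password(text)
    likely = is_likely_extortion(text)
    if likely and password:
        advice = ("Change this password on every account where it was used, "
                  "then report the message with full headers to iso-ir@andrew.cmu.edu.")
    elif likely:
        advice = "Report the message with full headers to iso-ir@andrew.cmu.edu."
    else:
        advice = "No extortion pattern detected; treat as an ordinary message."
    return {
        "likely_extortion": likely,
        "indicators": sorted(find_indicators(text)),
        "cited_password": password,
        "advice": advice,
    }


if __name__ == "__main__":
    for sample in (EXTORTION_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample))
```

The benign IT reminder mentions a password and a deadline but is not flagged, because the heuristic requires the disclosed-password opening together with a cryptocurrency demand; a single indicator on its own is common in legitimate mail.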

If You Have Received An Extortion Email Message

  1. Do not panic. These individuals likely do not have any compromising video of you.
  2. If the password included in the email is one you recognize, change the password on every account where it was used. Use a new, unique password for each account so that a single reused password cannot let an attacker compromise multiple accounts.
  3. Please report the original message, including full headers, to iso-ir@andrew.cmu.edu or use PhishAlarm so that our incident response team can analyze and block these messages.