Scam Email – Adult Site Blackmail

It’s been quite a while since I last did a scam post, because I very rarely get such emails, thankfully. But this week I’ve received a couple of emails at my work address, both identical, that have grabbed my attention – because they had my real name and a genuine password attached.

So initially, for a few brief seconds, it seemed a little alarming. But then it became immediately apparent that they were fake and not worth responding to. Googling has also shown it to be a very widespread scam that has attempted to extort money out of a lot of people. So at the end of this post I’ll link to an article that deals with it very comprehensively, including responses to concerned people in the comments.

But here I want to discuss the emails I got, by showing you one as an example, and how I knew I could safely delete them.

The Email

From: Marshal Wodarczak (hbbrentvjc@outlook.com)

Subject Line: forename.surname – password

That’s how the subject line was structured – I’m not showing what it actually said because the information it contained was real.

And here’s the body text of the email. I’ve censored the password, the rest is left untouched.

“I am well aware *********** is your password. Lets get directly to the point. You don’t know me and you’re probably thinking why you are getting this e-mail? Nobody has paid me to investigate about you.

In fact, I setup a malware on the 18+ vids (pornography) web site and there’s more, you visited this website to have fun (you know what I mean). When you were viewing video clips, your web browser initiated operating as a Remote Desktop having a key logger which provided me accessibility to your display screen and also web cam. Right after that, my software obtained every one of your contacts from your Messenger, FB, and emailaccount. And then I created a video. 1st part shows the video you were viewing (you’ve got a fine taste haha . . .), and next part shows the recording of your cam, & its u.

You actually have two different alternatives. We are going to study each one of these choices in details:

1st choice is to skip this e-mail. In this scenario, I most certainly will send out your very own video clip to almost all of your contacts and also imagine concerning the disgrace you will get. Keep in mind if you happen to be in an important relationship, exactly how it would affect?

Second alternative will be to pay me $1000. We will name it as a donation. As a result, I will promptly discard your video. You could carry on with your way of life like this never occurred and you will never hear back again from me.

You will make the payment by Bitcoin (if you do not know this, search for “how to buy bitcoin” in Google).

BTC Address to send to: 159syy5ffsf4h6y9pAGagGGEXCej3f1xjc

[CASE-sensitive, copy and paste it]

If you may be thinking of going to the law enforcement officials, look, this email can not be traced back to me. I have covered my actions. I am just not looking to charge you a huge amount, I just want to be paid. You now have one day in order to make the payment. I’ve a special pixel in this e mail, and at this moment I know that you have read through this email. If I don’t get the BitCoins, I will certainly send out your video to all of your contacts including relatives, co-workers, and many others. Having said that, if I do get paid, I will destroy the recording immediately. If you need proof, reply with Yea & I will send out your video to your 6 friends. It is a non-negotiable offer, and so do not waste mine time & yours by replying to this e mail.”

In short, therefore, the email is attempting to blackmail me, by saying a video of me watching pornography will be sent to everyone I know, unless I pay $1000. And they’ve given my real name and password to show they’re serious.

In previous scam emails I’ve discussed, I’ve only ever been addressed in a generic manner e.g. “Dear Customer”. So the fact that they have my name and password in this instance must mean it’s genuine, right?

Nope, wrong. It’s still utter nonsense, for multiple reasons. Let’s go through it bit by bit.

My Name

Notice that they’ve written my name as “forename.surname”, with a dot in the middle. Nobody writes names like that. All they’ve done is strip off the first part of my email address before the @ sign because, in common with many companies, that’s how our email addresses happen to be constructed.

So they’re just automatically generating the subject line using some kind of script. If they’d wanted to go a step further, they could have replaced the dot with a space and capitalised each word – “Forename Surname”. That would have looked more real. However, there are many companies who don’t structure email addresses like that, so doing that type of thing would come out weird a lot of the time. So it’s safer for them to just grab the bit of the email address before the @ sign. To their mind, the fact that they know your email address should give you enough cause for alarm.

A more determined hacker would be able to find out your actual name and format it properly. The fact that this scammer hasn’t bothered to do that little bit extra suggests that they’re just doing a basic scripted mail merge from their list of names.

My Password

The password in the email is a real password, I have used it. But note the past tense there. I don’t use it any more. It’s an extremely old password in fact, and my employer forces us to change our password every 3 months, which is very common practice these days. So it’s way out of date. So the scammer clearly doesn’t have a password that’s even remotely recent. Because if they did, they’d be using that instead.

So how did they get hold of it? Well, over a decade ago, my employer had a data breach, and I know it was that long because I still have the emails about it from back then. I also already knew the password was an old one I hadn’t used for ages, so it’s highly likely that the data breach is the source of the information.

So evidently the email addresses and passwords have surfaced on a list somewhere, which shows how long this type of data can hang around for. This is the first time I’ve been aware of anyone doing anything with it since the breach happened, though it’s entirely possible that other spam attempts over the years have been blocked by the many filters in our corporate IT system. Indeed, my company’s network has become considerably more secure in the years since then, so the passwords the hackers have now are completely useless.

Work vs Home

The other major anomaly in all this is that they’re emailing me at work. And it’s safe to say I’ve never watched any kind of adult material there. You’d have to be extremely determined and stupid to do so, because you’d somehow have to circumnavigate the blocks that are in place, and even then the IT guys would still notice, so you wouldn’t be in your job for much longer! And my work computer doesn’t have a webcam either, so filming me is impossible.

So why on earth are they emailing my work email address with an old work password, claiming I’ve accessed pornography sites and to have filmed me viewing them, when it’s completely impossible for me to have done so? Why not email me at my home address?

It’s simply because they don’t know it’s my work address. Remember, as I said earlier, they’ve just run a script over a list of email addresses and passwords, to contact many people at once. They don’t know or care where each address is based, they’re just trying their luck. There will be lots of personal addresses on their list as well as company ones.

There will be lots of these emails going out to many people. And while it’s obvious to me that it’s rubbish, in many cases the spammers will be spot on with the name and password and email address. There are plenty of people out there who don’t change their passwords very often or at all, which is very bad practice. So there’s a very high chance that the passwords shown to some people will be current and active, making the scam look more convincing.

So if you have received an email like mine and the password is a real one you’re using, do NOT reply to it or pay them anything, as I’m about to explain. But DO change your passwords immediately, ensuring the new ones are difficult to guess, and different for each site. See Get Safe Online for advice on passwords.

Their Evidence

Now let’s look at the text of the message. It’s full of bad spelling and grammar, but then this is a foreign guy trying to blackmail me, and his English clearly isn’t great.

“I am well aware ********** is your password.”

Well, you’re not that aware, because it’s not my current password and hasn’t been for years. But please, do go on…

“Lets get directly to the point. You don’t know me and you’re probably thinking why you are getting this e-mail? Nobody has paid me to investigate about you.”

Aw, you’re doing this yourself without being paid? Bless you, I’m flattered to get your attention! And guess what, someone with a different name sent me an identical message to yours the other day. Funny how you’ve both had the same idea at the same time, isn’t it? Pure coincidence I’m sure.

“In fact, I setup a malware on the 18+ vids (pornography) web site and there’s more, you visited this website to have fun (you know what I mean).”

Ok, in all seriousness, this bit is potentially plausible in some ways, and it’s the additional hook on top of the name and password to lure you in.

In the other duplicate email I received, the XVideos website was referred to, which I have heard of. But I’ve never heard of a site called 18+ Vids, and Googling it doesn’t bring up any clear matches. So maybe this time they’re just being generic, to say that I’ve been to any 18+ site. But then he is saying “the” 18+ Vids site, suggesting there is a particular one. Or maybe it’s a category inside another site. I don’t know.

In any case, we know how common such material is on the internet, and that a lot of people look at it. So by sending out a message like this to loads of people, accusing them of watching that kind of stuff, you are guaranteed to get a lot of matches. So it’s a very effective way to get people’s attention.

What’s more, there are loads of porn sites with malware on, because it’s an easy target. Let’s face it, a lot of people who use them aren’t as careful as they should be because they’re… well… distracted, shall we say. So if you’re going to catch people off guard, that’s a good place to do it. Though I suspect the viruses planted there are much more likely to be used to steal data rather than blackmail you. That’s not to say it can’t ever potentially happen, but it’s not the main reason they do it.

After all, if a hacker can get a virus on to a machine that has ineffective or no security protection, then they may be able to steal and sell your personal information, fraudulently spend your money online, take money directly from your bank account if they can get the login details, and so on. They’re the big money-spinners. Blackmail would be a small bonus on top of that really.

“When you were viewing video clips, your web browser initiated operating as a Remote Desktop having a key logger which provided me accessibility to your display screen and also web cam. Right after that, my software obtained every one of your contacts from your Messenger, FB, and emailaccount.”

All of that is potentially possible, if they really have hacked your machine and you do have a webcam. All the evidence presented here so far makes it pretty clear they haven’t done so in my case. But to other people this will feel very possible and very real, which is precisely what the scammer wants.

“And then I created a video. 1st part shows the video you were viewing (you’ve got a fine taste haha . . .), and next part shows the recording of your cam, & its u.”

That’s the part that will really worry a lot of people. But it’s also the part where the scam falls short. There’s no proof given at all. The scammer has been deliberately vague, because they don’t really have this information.

If they really knew what you’d been watching, they would give you the video’s title, the link to the video, the date and time you watched it, and a screenshot of you from your webcam. They would also be able to show you details from your contacts list, so you know they have that too.

Basically, they would leave you in no doubt whatsoever that they really had the footage of you and the information about your contacts, to make absolutely certain that you’ll pay them. But because they’ve left it so vague, it’s just not convincing.

And, as I said earlier, because I sit fairly close to the screen, any webcam shot wouldn’t show anything useful anyway! Nor would it show what I’m watching either, as it’s looking away from the screen.

Besides, if you can film someone on their webcam, you could then easily mock-up a video of their desktop watching any video you like. So unless the hacker can definitively prove the date and time of the webcam recording and the date and time of the video being watched, it’s rather difficult to prove that you’re watching something in particular. The only way you could really prove it is to have a camera elsewhere in your room that is capturing both you and your computer screen at the same time. And that’s extremely unlikely to say the least!

So basically, it’s impossible for them to have proof of what they’re claiming. They haven’t offered any evidence to suggest otherwise, because they can’t.

The Payment Demand

“You actually have two different alternatives. We are going to study each one of these choices in details:

1st choice is to skip this e-mail. In this scenario, I most certainly will send out your very own video clip to almost all of your contacts and also imagine concerning the disgrace you will get. Keep in mind if you happen to be in an important relationship, exactly how it would affect?

Second alternative will be to pay me $1000. We will name it as a donation. As a result, I will promptly discard your video. You could carry on with your way of life like this never occurred and you will never hear back again from me.

You will make the payment by Bitcoin (if you do not know this, search for “how to buy bitcoin” in Google).

BTC Address to send to: 159syy5ffsf4h6y9pAGagGGEXCej3f1xjc

[CASE-sensitive, copy and paste it]”

Scammers love using Bitcoin. I’ve never used it, because I’ve never understood it or seen the point of it. It may be suitable for some legitimate people, but it has no apparent relevance to me. But for scammers it helps them to remain anonymous and untraceable.

Never pay scammers money. That’s the bottom line. Even if you’re convinced they do have information about you, don’t pay up. If they really did have the information they claim to, there’s nothing stopping them from releasing it anyway, or demanding even more money from you. They’re acting illegally, and you’re not in any kind of legal agreement with them. So just because they say they won’t share the information, it doesn’t mean anything. If they were honest, trustworthy people, they wouldn’t be doing this to begin with.

“If you may be thinking of going to the law enforcement officials, look, this email can not be traced back to me. I have covered my actions. I am just not looking to charge you a huge amount, I just want to be paid. You now have one day in order to make the payment. I’ve a special pixel in this e mail, and at this moment I know that you have read through this email. If I don’t get the BitCoins, I will certainly send out your video to all of your contacts including relatives, co-workers, and many others. Having said that, if I do get paid, I will destroy the recording immediately.”

They have used a random email address, and a made-up name no doubt, so sure, the email is untraceable. I don’t know if they really do have a pixel tracking whether you’ve read the email or not – it’s possible to do it, but as it was a plain text email, not HTML web code, it seems unlikely.
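Two of the checks made in this post (the subject line being nothing more than the part of the address before the @ sign, and whether a tracking pixel is even possible in a plain-text message) can be run mechanically against a saved message. This is an added example, not part of the original post; the sample messages, the addresses in them and the `triage` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed samples shaped like the message in this post (not real mail).
PLAIN_SAMPLE = """\
From: sender@example.com
To: forename.surname@example.org
Subject: forename.surname - password
Content-Type: text/plain; charset="utf-8"

I've a special pixel in this e mail, and I know that you have read it.
"""

HTML_SAMPLE = """\
From: sender@example.com
To: forename.surname@example.org
Subject: forename.surname - password
Content-Type: text/html; charset="utf-8"

<p>Hello</p><img src="https://tracker.example.net/p.gif" width="1" height="1">
"""


class RemoteImageFinder(HTMLParser):
    """Collects <img> sources that a mail client would fetch over the network."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "img" and re.match(r"(?i)(https?:)?//", src):
            self.remote.append(src)


def triage(raw):
    """Hypothetical helper: report the two tells discussed in the post."""
    msg = message_from_string(raw, policy=default)
    to = msg["To"]
    local_part = to.addresses[0].username.lower() if to and to.addresses else ""
    subject = str(msg["Subject"] or "").lower()
    html_parts, remote = 0, []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html_parts += 1
            finder = RemoteImageFinder()
            finder.feed(part.get_content())
            remote.extend(finder.remote)
    return {
        # Subject merely echoes the part of the address before the @ sign.
        "subject_reuses_local_part": bool(local_part) and local_part in subject,
        # No HTML part means no image can load, so no read-tracking pixel.
        "has_html_part": html_parts > 0,
        "remote_images": remote,
    }


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_SAMPLE), ("html", HTML_SAMPLE)):
        print(name, triage(raw))
```

Even when an HTML part with a remote image is present, a mail client set to block remote images never requests it, so the sender learns nothing about whether the message was read.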

The limited time to pay of 1 day is designed to panic people into paying quickly without questioning it, and sadly that will probably work on a few people. But remember, there is no proof that they have the information they claim to possess. What’s more, this email came 3 days after the other duplicate one that made exactly the same 24-hour threat. But nothing happened there, and they didn’t chase it up. So they’re not that desperate to release the information, but then how could they be when they don’t really have it?

“If you need proof, reply with Yea & I will send out your video to your 6 friends. It is a non-negotiable offer, and so do not waste mine time & yours by replying to this e mail.”

In other words, don’t bother replying. If you ask for proof, then you’ll apparently be exposed, so going down that avenue would do you no favours if it were true. But I have considerably more than 6 friends in my contact list, so that number’s clearly a guess too. And in general there would be no point in replying, because the scammers are unlikely to be monitoring their random, made-up email addresses. So by ruling out the option of replying, they’re further trying to panic you into paying up.

Conclusion

All in all, the email is nonsense, and can safely be deleted. It’s easy to see why it would be very worrying for people, especially if the scammers happen to get quite a few details right, which they will in some cases.

But they have no information about me, other than my email address and a password that’s over a decade old. And they’ve offered no evidence whatsoever of my online viewing habits. And they haven’t followed up on their threats of exposure either, despite going past the deadline.

So if you do get an email like this, please don’t panic. They really are just trying their luck, and sometimes the emails will appear much more accurate than my one did. If they have mentioned a password that’s still current, be sure to change that password on every site that uses it, and consider changing your other passwords as well to be on the safe side, making sure all your passwords are secure. Also do a virus scan to ensure your device is clean. And if you happen to get an attachment with the email, don’t open it, because it will certainly contain a virus.

You can see much more evidence and discussion about the scam, from people much more in the know about computer security, at the following links, among the many sites that are highlighting the issue. It’s clearly a very common scam at the moment.

So that’s it for this post. I hope you found it interesting and useful. Stay safe as always!

Author: Glen

Love London, love a laugh, love life. Visually impaired blogger, culture vulture & accessibility advocate, with aniridia & nystagmus, posting about my experiences & adventures.
