“I know your password and I have your videos”: a new wave of email blackmail

For more than two years now, extortion emails that demand bitcoin, claim to know the recipient's password and allege the use of spyware have been a well-known phenomenon, and we often pay no attention to this kind of blackmail, which is routed straight into the spam folder. Every so often, however, the criminals resurface with new sextortion emails containing the user's password, and starting around Easter (also taking advantage of the uncertainty caused by the Covid-19 lockdown) we have seen a new wave of emails with extortion demands.

Emails demanding a ransom in bitcoin

“I know ___ your password”, “I’m aware ___ is your password”, “It seems ___ is your password”: the text of the sextortion email varies, but in essence the threat rests, as usual, on the criminal telling the victim that he knows their password, which makes it plausible that he used it to break into the PC and spy on its contents.

To make the sextortion demand more threatening, the criminal adds that he filmed the victim while they were watching explicit videos and that he is ready to send the footage to their contacts and friends unless he receives a “donation” (in essence, a ransom) in bitcoin at the address given in the message itself.

As usual, the advice is not to worry, not to reply and not to pay any ransom, since the sextortion threat is groundless and the sender has had no access to the PC or to the camera.

The password quoted in the messages was in fact taken by the criminals from public data leaks in which the victim's address appears because it was among the registrations on portals attacked in the past (e.g. LinkedIn, Dropbox, Adobe, etc.). The password is therefore the one the victim once used on the portals that were attacked by criminals, who then released the credentials online in public or paid data breaches.

To check whether your password is included in such lists, there are several free sites, for example:

On these sites you can enter your email address (careful: never enter your password) and get back information on how many leaks contain it and, in some cases, also see the password or the part of it that was disclosed, along with other data that is sometimes public (address, date of birth, telephone number, etc.).

The content of the extortion emails varies, but there are a few main strands. The first reads as follows:

I’m aware, _password_, is your pass word.


I need your total attention for the coming Twenty-four hours, or I may make sure you that you live out of guilt for the rest of your life span.

Hey, you do not know me. However I know nearly anything regarding you. Your facebook contact list, mobile phone contacts as well as all the virtual activity in your computer from past 112 days.

Consisting of, your masturbation video, which brings me to the primary reason why I ‘m composing this particular e mail to you.

Well the previous time you visited the sexually graphic websites, my spyware was triggered in your computer system which ended up shooting a lovely video clip of your self pleasure act simply by activating your web cam.
(you got a seriously weird preference btw lmfao)

I have the full recording. If, perhaps you think I am messing around, simply reply proof and I will be forwarding the particular recording randomly to 11 people you recognize.

It might be your friends, co workers, boss, parents (I don’t know! My system will randomly select the contacts).

Will you be capable to gaze into anyone’s eyes again after it? I question that…

But, doesn’t necessarily need to be that path.

I would like to make you a 1 time, non negotiable offer.

Purchase $ 2000 in bitcoin and send it on the below address:

b***c1qxmw8dvn9q3vm5t57lwnuwt9jp6gwumgunsw3k9
[case-SENSITIVE copy & paste it, and remove *** from it]

(If you do not know how, google how to acquire bitcoin. Do not waste my valuable time)

If you send out this particular ‘donation’ (let’s call this that?). After that, I will disappear and never ever make contact with you again. I will get rid of everything I have in relation to you. You may very well continue living your current ordinary day to day life with zero concern.

You have got 1 day in order to do so. Your time will begin as soon you check out this e mail. I have got an one of a kind program code that will notify me once you see this e-mail so do not attempt to act smart.

Another email text demanding a ransom in bitcoin:

It seems that, _password_, is your password.

I need your full attention for the upcoming Twenty-four hrs, or I will make sure you that you live out of guilt for the rest of your lifetime.

Hello, you do not know me personally. But I know everything concerning you. Your fb contact list, smartphone contacts plus all the digital activity on your computer from previous 147 days.

Consisting of, your self pleasure video footage, which brings me to the main reason why I am composing this particular e-mail to you.

Well the last time you went to see the porn webpages, my spyware ended up being activated in your computer which ended up documenting a lovely footage of your self pleasure play simply by triggering your cam.
(you got a exceptionally weird preference btw haha)

I have the full recording. Just in case you think I am fooling around, just reply proof and I will be forwarding the recording randomly to 5 people you’re friends with.

It might be your friends, co workers, boss, parents (I’m not sure! My software will randomly select the contacts).

Would you be able to look into anyone’s eyes again after it? I question that…

However, it doesn’t have to be that route.

I’m going to make you a one time, non negotiable offer.

Purchase $ 2000 in bitcoin and send it on the listed below address:

b***c1q3h2zc560nqnr7mjuh30vemzajah39frdjmv9xx
[CASE sensitive so copy & paste it, and remove *** from it]

(If you do not understand how, look online how to purchase bitcoin. Do not waste my important time)

If you send out this ‘donation’ (let us call it that?). After that, I will go away for good and under no circumstances get in touch with you again. I will eliminate everything I’ve got concerning you. You may very well proceed living your current regular day to day life with absolutely no stress.

You have got 1 day to do so. Your time will begin as quickly you go through this mail. I have got an unique program code that will inform me once you see this email so don’t attempt to play smart.

And another version received by several victims, again demanding payment of a ransom in bitcoin in exchange for silence:

I know, _password_, is your pass word.

I require your total attention for the the next 24 hrs, or I will make sure you that you live out of embarrassment for the rest of your life span.

Hey, you do not know me personally. Yet I know nearly anything regarding you. All of your facebook contact list, phone contacts along with all the online activity on your computer from previous 116 days.

Consisting of, your self pleasure video footage, which brings me to the primary motive why I ‘m crafting this email to you.

Well the previous time you went to see the porno web sites, my malware ended up being triggered inside your computer system which ended up logging a beautiful video footage of your self pleasure act simply by triggering your cam.
(you got a exceptionally odd taste by the way lol)

I own the full recording. If perhaps you feel I ‘m fooling around, just reply proof and I will be forwarding the recording randomly to 7 people you know.

It could end up being your friend, co workers, boss, parents (I’m not sure! My software program will randomly choose the contact details).

Will you be capable to look into anyone’s eyes again after it? I doubt it…

Nonetheless, it doesn’t need to be that path.

I want to make you a one time, no negotiable offer.

Get $ 2000 in bitcoin and send them to the listed below address:

bc1***q4wa2ryu4jt5ftk7r5vxw674vyq5zrpqrur2mmn
[CASE SENSITIVE so copy & paste it, and remove *** from it]

(If you do not understand how, look online how to purchase bitcoin. Do not waste my precious time)

If you send this particular ‘donation’ (why don’t we call this that?). Right after that, I will disappear and under no circumstances get in touch with you again. I will erase everything I have got about you. You may very well keep on living your current ordinary day to day lifestyle with no fear.

You’ve 24 hours to do so. Your time starts as quickly you read through this mail. I have got an unique code that will tell me as soon as you read this e mail therefore don’t attempt to act smart.
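A mail filter or triage script can key on the features shared by all three samples above: the password-claim opening line, the dollar amount in bitcoin, the 24-hour deadline and the address split with asterisks. The Python below is an added example, not part of the original article; the function names, the three-indicator threshold and the sample text (password `hunter2`, an address made of `x` characters) are constructed for illustration, and the bech32 checksum is not verified.

```python
import re

# Opening lines quoted in the article: "I know ___ is your password" and variants.
PASSWORD_CLAIM = re.compile(
    r"^\s*(?:i know|i['’]m aware|it seems(?: that)?)\b[^\n]{0,80}?\bis your pass ?word",
    re.I | re.M)
# Payment demand as worded in the samples: "$ 2000 in bitcoin".
PAYMENT = re.compile(r"\$\s?\d[\d,.]*\s+in bitcoin", re.I)
# Deadline wording seen in the samples (24 hours / Twenty-four hrs / 1 day).
DEADLINE = re.compile(r"\b(?:24|twenty[- ]four)\s*h(?:ou)?rs\b|\b1 day\b", re.I)
# Token broken up with asterisks to dodge address filters, e.g. b***c1q...
STARRED = re.compile(r"\b[a-z0-9]+\*+[a-z0-9]+\b", re.I)
# Native SegWit (bech32) mainnet address shape; the checksum is NOT verified here.
BECH32 = re.compile(r"^bc1[ac-hj-np-z02-9]{39,59}$")

def hidden_addresses(text):
    """Return bech32-shaped addresses that only appear once the asterisks are removed."""
    found = []
    for token in STARRED.findall(text):
        candidate = token.replace("*", "")
        if BECH32.match(candidate) and candidate not in found:
            found.append(candidate)
    return found

def triage(text):
    """Collect the indicators present in one message body and give a verdict."""
    addresses = hidden_addresses(text)
    indicators = {
        "password_claim": bool(PASSWORD_CLAIM.search(text)),
        "payment_demand": bool(PAYMENT.search(text)),
        "deadline": bool(DEADLINE.search(text)),
        "obfuscated_address": bool(addresses),
    }
    hits = sum(indicators.values())
    # Threshold of 3 is an assumption; the password claim is required to limit noise.
    return {"indicators": indicators, "addresses": addresses,
            "likely_sextortion": indicators["password_claim"] and hits >= 3}

# Constructed sample modelled on the quoted emails (not a real password or address).
SAMPLE = (
    "I know, hunter2, is your pass word.\n"
    "You have 24 hrs. Purchase $ 2000 in bitcoin and send it on the below address:\n"
    "b***c1q" + "x" * 38 + "\n"
    "[case sensitive, copy & paste it, and remove *** from it]\n"
)
BENIGN = "Hi, your password reset link expires in 24 hours. Thanks, IT"

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The extracted addresses are useful for blocklists and abuse reports; the quoted password is deliberately not captured, so it never ends up in filter logs.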
