We've described this sort of crime before, and in the past, typically, that's as far as classic sextortion went. The extortionist almost never had pictures, video, screen captures, browser history, or anything else. It's typically been an empty threat.
The scammers are vague on the details of the sites the victims are said to have visited, and that's no accident. The extortionists usually have no access at all to their marks' devices and the attacks are "spray-and-pray".
This new sextortion version has a twist: the hacker claims to have placed a RAT (remote access Trojan) on your computer, making it possible to take control of the device, and threatens to send the embarrassing material from the victim's own device.
Perhaps the most convincing element of the scam is that the extortion email has been crafted to look as if it were sent from the victim's own email account, spoofing their email address. This can help convince someone that yes, they really have been infected by a RAT.
Victims are told they have one day to come up with the ransom, to be sent in Bitcoin of course. If they fail to pay, they'll be humiliated from their own email account. Analysis of the Bitcoin transactions associated with the sextortion emails found that victims had handed over seven Bitcoin in a short period of time, making it one of the more successful extortion emails seen.
RATs are real, and they've been spotted in all sorts of devices. But there's no RAT here: it's a pure hoax. The scammers are simply spoofing the victims' email address, which is easy enough to do, but which can be surprising and unsettling enough to spook a victim into paying. The extortionist's email seems real, and urgent, and all the more convincing.
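One way a mail gateway or triage script could flag this spoof, shown as an added example that is not from the original article: it flags messages whose From address is also a recipient when the receiving server's DMARC verdict is not a pass. The domain example.org, the authserv-id mx.example.org and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: From and To are the same mailbox, but the receiving
# server's Authentication-Results header records SPF and DMARC failures.
SPOOFED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bulk.invalid; dkim=none; dmarc=fail header.from=example.org
From: Alice <alice@example.org>
To: alice@example.org
Subject: Your account has been hacked

I placed a RAT on your computer. Send Bitcoin within one day.
"""

# Constructed sample: a genuine note-to-self that passed authentication.
GENUINE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org
From: alice@example.org
To: alice@example.org
Subject: reminder

Buy milk.
"""

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts from headers stamped by our own MX."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # ignore headers a sender could have pre-inserted
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts.setdefault(method, result)
    return verdicts

def is_self_spoof(raw, trusted_authserv="mx.example.org"):
    """True when From matches a recipient and DMARC did not pass.

    A missing DMARC verdict is treated the same as a failure.
    """
    msg = message_from_string(raw)
    senders = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if not senders & rcpts:
        return False
    return auth_results(msg, trusted_authserv).get("dmarc") != "pass"
```

Only Authentication-Results headers carrying the receiving server's own authserv-id are trusted, because anything else in the message may have been written by the sender.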
I suggest you send the following to your employees in accounting specifically. You're welcome to copy, paste, and/or edit:
The bad guys are getting very deceptive with sextortion scams. They now send you an email that looks like it is coming from yourself (spoofing your email address) and claim that they have infected your workstation with a backdoor which allows them to take control of your computer. Next, they accuse you of watching adult entertainment and claim that they have recorded it. And here comes the kicker: unless you pay them bitcoin, they threaten to use your own computer to send embarrassing content to all your contacts. If you get emails like that, please follow our organization's email security policy, and Think Before You Click! [OPTIONAL] Click on the Phish Alert Button to delete it from your inbox and at the same time alert IT about this scam.
When new spear phishing or sextortion campaigns make it through all the filters (and about 10 to 15% do), it is vital that IT staff be alerted immediately. One of the easiest ways to convert your employees from "weakest link" into your "human firewall" is to roll out KnowBe4's free Phish Alert Button to your employees' desktops and mobile devices. Once installed, the Phish Alert Button allows your users, who today are your last line of defense, to sound the alarm when suspicious and potentially dangerous phishing emails make it into their inbox.