Porn scams and sextortion: Fact and fiction in cybercrime

Paul Ducklin
05/15/2024

Do you back yourself to spot the scams that drop into your email inbox?

Could you teach your friends, family and colleagues to do the same?

If you’re like most people, you probably answered, “Yes, and yes.”

But those questions and answers don’t always tell the full story, because of the sheer variety of scams out there, and the sometimes contradictory nature of the advice that applies to each sort of scam.

When ‘general knowledge’ isn’t

Sometimes, what feels like ‘general knowledge’ that is supposed to protect you from all sorts of harm turns out not to be as generally useful as you thought.

Sadly, this can play into the hands of online scammers.

In fact, many scammers rely on victims following the advice for one sort of scam specifically to sucker them into a similar-but-different scam instead.

For example, we all know that it’s important to report suspicious online content and activity if we come across it, or to get in touch with our bank promptly if we think someone is trying to defraud us.

In fact, most of us have probably encountered some sort of dubious activity recently that we spotted easily, and that was obviously intended to lure us into sharing personal data such as passwords, login codes, or payment card numbers.

We know perfectly well that we’re supposed to take care with this sort of information, which makes us feel as though we’re rightly and rightfully alert to online crime.

That’s why there’s an entire category of ‘fake fraud alert’ scams in which the crooks pretend to be reporting possible fraud to you, and offering to help, posing as law enforcement, bank officials, tech support staff and more.

If they can trick you into ‘choosing’ to contact them, thinking you’re following fraud prevention advice to protect yourself, they may be able to catch you off guard.

The crooks hope that the advice about reporting one sort of cybercrime will lure you into a similar-but-different sort of online crime.

There’s also the problem that some cybercriminals are happy to assume that you’ll figure out they’re scammers, and may even make it clear all along, hoping to convince you that they have some sort of hold over you, even if you don’t believe all of their claims.

Porn scams explained

A tragic example of this sort of attack is the so-called porn scam, an odious and offensive type of spam email that is less prevalent today than it was three or four years ago, but common nevertheless.

You’re probably familiar with this sort of thing:


The premise is that the crooks have filmed you through your webcam while scraping your screen to prove you were viewing a porn site at the time, thanks to malware they’ve implanted on your computer:


Even if you always keep your webcam covered when you aren’t using it, have active anti-malware protection, and have no interest in porn, the scammers often try to get you on the hook anyway by including bogus ‘evidence’ in their messages to convince you that the malware part of the story is true.

Hint. If your laptop doesn’t have a built-in webcam cover, you can use a neatly-cut square of electrical tape to shield it. Avoid using a stick-on plastic sliding cover, because these can transfer unwanted forces to the edge of the glass when you close your laptop, and crack the screen.

For example, porn scam messages may include your mobile phone number, or one of your passwords in unencrypted text form, or your full postcode, leaving you wondering whether the crooks really did get hold of that information using spyware implanted on your computer.

In fact, that evidence is typically scooped up from old data breaches that have been dumped online, and is often incomplete, outdated or wrong, but it is worrying nevertheless to see it right there in a threatening email.

Also, the crooks sometimes deliberately fake the sender information on their messages so they seem to come from your very own account, as if to ‘prove’ that they have access to your email, and therefore by implication everything else on your computer.

Email addresses shown next to From and other fields such as Reply To are as much part of the message itself as the Subject line, so the sender can insert anything they like. You can’t trust those fields any more than the body of the message or its attachments.
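To see why a message that ‘comes from your own account’ proves nothing, here is an added example (not part of the original article) that compares the sender-written From and Reply-To headers with what the receiving mail server recorded. The sample message, its addresses and the finding names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From copies the recipient's own address, as described above.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.org
From: "You" <alice@example.org>
To: alice@example.org
Reply-To: pay-here@other.example.com
Subject: I recorded you

Pay up.
"""

def addr_of(msg, header):
    """Return the bare, lower-cased address from a header, or ''."""
    return parseaddr(msg.get(header, ""))[1].lower()

def domain(addr):
    return addr.rpartition("@")[2]

def sender_findings(raw):
    """List the ways the displayed sender disagrees with server-side evidence."""
    msg = message_from_string(raw)
    from_addr = addr_of(msg, "From")          # written by the sender
    reply_to = addr_of(msg, "Reply-To")       # written by the sender
    return_path = addr_of(msg, "Return-Path") # envelope sender, added on delivery
    # Only trust an Authentication-Results header added by your own mail server;
    # this sketch assumes the one present is genuine.
    auth = msg.get("Authentication-Results", "").lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    findings = []
    if from_addr and from_addr == addr_of(msg, "To"):
        findings.append("from-equals-recipient")
    if return_path and domain(return_path) != domain(from_addr):
        findings.append("envelope-domain-mismatch")
    if reply_to and domain(reply_to) != domain(from_addr):
        findings.append("reply-to-domain-mismatch")
    if results.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    return findings

if __name__ == "__main__":
    print(sender_findings(SAMPLE))
```

A message that really was sent from your own mailbox would normally pass your domain’s own authentication checks and would not need a Reply To pointing somewhere else.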

The cybercriminals hope that even if you dismiss the rest of their message because it matches the archetypal ‘porn scam’ template you have been warned about, you might nevertheless be worried that they really are spying on the rest of your digital life, including snooping on your passwords and online banking.

And although received wisdom says never to pay the crooks, because it’s obviously a scam, perhaps it’s OK to just make contact with them, and see where things go?

After all, if they can ‘prove’ to your friends and family, or to your employer, that they’re definitely spying on you, what if they decide to make the false porn-site allegations anyway, thus creating trouble in your life that you could do without?

What if there’s some truth in it?

As an IT manager of my acquaintance once put it:

“I have seen many instances of this scam. It does panic the user. It’s a similar experience when asked if you are carrying drugs or weapons at airport security. You know you don’t have any, but you’re sweating about what you may say.”

Even when we’re sure that the crooks don’t have the evidence they claim, some of us may nevertheless be troubled enough by the experience itself to dig ourselves into trouble that didn’t exist before.

Those bullish “Yes, and yes” answers about our ability to avoid scammers that we presented at the top of the article are suddenly sounding less certain.

Indeed, and as you may have seen or guessed already, porn scammers who are active in 2024 have taken to including new wording in their boilerplate that’s meant to tap right into our contemporary cybersecurity fears, notably our concerns about AI.

They’ve also taken to stating explicitly that they’re scammers, and therefore that we should be fearful of them for any and all reasons we can think of:


Sadly, as some parts of the cybersecurity industry themselves embrace an ever-larger collection of automated tools and responses, and an ever-less human-centric attitude towards protecting against cybercriminality…

…we’re increasingly at risk not only of assuming that we (or our automated tools) will indeed always be able to say “Yes” to spotting scammers, but also at risk of assuming that everyone else should be able to avoid scammers as well.

It’s an astonishingly small step from that sort of assumption to the self-serving convenience of victim blaming: “We’ve already explained how to spot that sort of scam, so we can’t waste our online lives worrying about those who can’t or won’t listen.”


When the cure doesn’t match the disease

As we’ve already mentioned, when there’s one sort of online scam that experts have decided is easy to figure out, and for which simple and definitive preventative advice can be given, there may be another scam that sounds surprisingly similar for which that very same advice is entirely invalid, or even dangerous.

A worrying and important example is the cybercrime commonly known as sextortion.

As the portmanteau name suggests, this is a serious crime that combines sex and sexuality with extortion, or blackmail as it is also known.

Unfortunately, the word ‘sextortion’ has been, and sometimes still is, used as a synonym for what we have referred to above as porn scamming, which also brings together sex and blackmail.

In the case of porn scams based on claims of screenshots and webcam videos that the crooks simply don’t have, we can fall back on straight-talking advice such as, “It’s all a pack of lies; delete the message and think no more of it.”

(If the crooks really did have those illegally-scraped videos and screengrabs, surely they’d send you a frame from their video as proof, instead of falling back on the much less convincing ruse of telling you your own phone number or postcode?)

But the crime for which we should now specifically reserve the word sextortion is much more troubling, because the criminals very likely do have revealing videos or photos of their victims, shared in good faith but under false pretences.

In other words, the advice that, “It’s all a pack of lies; just ignore the threat and move on,” which is glibly accurate advice for dealing with the porn scam messages we described above, is not just incorrect but potentially dangerous for sextortion victims.

And although blackmail based on sexual images shared by adults is a serious matter in its own right, the crime is especially troubling when younger people are drawn in, and has even led under-age victims to kill themselves in despair.

Sextortion explained

As the US Federal Bureau of Investigation (FBI) warns, youngsters may be even more fearful of their family or community than they are of the criminals who have entrapped them, potentially leading to a dreadful spiral of trouble:

“Sextortion can start on any site, app, messaging platform, or game where people meet and communicate. In some cases, the first contact from the criminal will be a threat. The person may claim to already have a revealing picture or video of a child that will be shared if the victim does not send more pictures. More often, however, this crime starts when young people believe they are communicating with someone their own age who is interested in a relationship or with someone who is offering something of value.

After the criminals have one or more videos or pictures, they threaten to publish that content, or they threaten violence, to get the victim to produce more images. The shame, fear, and confusion children feel when they are caught in this cycle often prevents them from asking for help or reporting the abuse. Caregivers and young people should understand how the crime occurs and openly discuss online safety.”

In a similar vein, the US Federal Trade Commission (FTC), which looks after consumer rights and safety, has warned about similar blackmail criminality on adult dating sites and chat forums:

“The FTC is hearing about scams targeting people on LGBTQ+ dating apps, like Grindr and Feeld. And they aren’t your typical I-love-you, please-send-money romance scams. They’re extortion scams.

They usually work something like this: a scammer poses as a potential romantic partner on an LGBTQ+ dating app, chats with you, quickly sends explicit photos, and asks for similar photos in return. If you send photos, the blackmail begins. They threaten to share your conversation and photos with your friends, family, or employer unless you pay — usually by gift card.

Other scammers threaten people who are closeted or not yet fully out as LGBTQ+. They may pressure you to pay up or be outed, claiming they’ll ruin your life by exposing explicit photos or conversations.

Whatever their angle, they’re after one thing — your money.”

Pre-paid gift cards are widely exploited by cybercriminals who are looking for fast, illicit payments that don’t run into tens of thousands of dollars from each victim.

Gift cards are widely available to buyers of all ages; they don’t require the victim to set up an online account and go through an anti-money-laundering check as cryptocurrency purchases do; and they can be cashed out or sold on quickly, easily and largely anonymously, even by technically unsophisticated cybercriminals.

What to do?

Clearly, if you’re advising other people, whether they’re friends and family, or colleagues you look after as part of an IT team, you need to bear in mind that these two scams have very different potential personal impacts.

In the first case, the crooks are trying to frighten victims into providing them with leverage they didn’t have before, whereas in the second case they’re exploiting significant leverage they already have.

Remember, therefore, that any advice you give should take into account the risk that the victim already faces.

Having said that, here are some suggestions:

  • Be aware before you share. Don’t be in a hurry to share personal information with people you don’t know, or have only met online. Be very wary of sharing information that could be used to defraud you (such as bank details or your social security number), and even more cautious of sharing anything that could be used for extortion, coercion or abuse (such as intimate personal information, your home address, or revealing photos). Once you’ve given away a photo or other personal information, there is no reliable way to recall it, and no way to tell who else it has been shared with.
  • Don’t be afraid to seek advice from someone you know and trust. You may understandably be unwilling or unable to talk to anyone in your family or circle of friends, but many countries have cybercrime reporting sites that you can access confidentially to make the authorities aware that you’re being victimised by criminals.
  • Don’t pay up. In the porn-scam case, the crooks have nothing on you unless and until you pay up, after which the very fact that you’ve paid gives them leverage against you that they didn’t have before, so they can keep coming back for more money. In the sextortion case, an even bigger risk exists of being blackmailed again. There is no way to tell whether the crooks really did delete the pictures you sent them as they said they would, or that they didn’t already sell the data on, or even get breached by criminal rivals. (Cybercriminals are often astonishingly bad at cybersecurity themselves.)
  • Protect network users with a mix of technology and awareness. Email filtering, endpoint security and other cybersecurity tools can eliminate threatening messages before they reach your users. Note, however, that because sextortion often begins with personal messages or private interactions, human-led counselling and advice is the best way of preparing your users to stay out of harm’s way. This advice also helps users to avoid scams such as “friend in trouble/send money now”, investment fraud, and financial scams such as being lured into buying worthless shares or cryptocurrencies.

More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
