
Sextortion Scam - 10/11/21

[Screenshot, not reproduced here: part of one variant of the malicious email, which attempts to trick victims into sending money to a cryptocurrency wallet used by a scammer.]

In mid-October, 2021, the Information Security Team noticed a slight resurgence of so-called "sextortion" scams. This type of social engineering scam has been going around for a few years, and occasionally pops back up.

The email attempts to trick/scare targets into sending the scammer money via a crypto-wallet. This is achieved through a variety of social engineering methods.

First, the email will often spoof the From field, in order to make it look like it came from the target's email address. At DePaul, this notion is easily dispelled by the existence of the [EXT] tag prepended to the subject line, which indicates that the email is coming from outside of DePaul's email system.

Second, the email will often include an entirely fabricated scenario as to how the target was compromised, how the malicious actor "gained control" of all the target's accounts and devices, and how they have (non-existent) recordings of the target visiting adult websites or engaging in sexual activity. The scammer will often use nonsense technical jargon to confuse the target and make the story sound more legitimate.

Third, the email will threaten to release the (non-existent) recordings to the target's friends, family, and colleagues unless the scammer receives payment in cryptocurrency, and will provide a wallet address that the scammer controls, where they demand the ransom be paid. The scammers will also often (falsely) state that they are tracking your every move and will know if you report the email, and threaten to release the (non-existent) recording immediately if you do.

The story and threats are completely fabricated. As such, these emails can be safely ignored and deleted, unless the victim receives a variant that contains a password:

Sometimes, the malicious actors will include an old password of the target's, typically obtained from an old data breach at an external site that the victim registered for with their DePaul email address. For example: if the target registered for an account at an online retailer, and used their DePaul email address to sign up, and then that non-DePaul-affiliated online retailer later suffered a data breach that exposed the target's password to that account at the online retailer, the scammer may include that password in the email. The logic behind the scammer doing this is that they try to use it as "evidence" to scare the victim into thinking that the scammer really does have access to their accounts and devices, when in reality, the scammer simply pulled leaked external organization data that was readily available online.

Any target that receives a variant of the sextortion scam that contains a password should ensure that they do not have any accounts that still use that password, and change it anywhere they might. The concern is not that the malicious actor may have access to the target's devices, but that the inclusion of a password indicates that the target may be vulnerable to credential stuffing attacks. In this type of attack, a malicious actor uses a target's known password from one website (e.g. an online retailer that had a data breach) to log in to any other accounts where the target has re-used that password.

As a reminder, password re-use is extremely dangerous. Your password for accessing DePaul resources must be unique and secure. If you have difficulty remembering a variety of unique passwords, consider using a well-known, legitimate, encrypted, and secure password manager product/application.

It would also be a good idea to look into breach notifications from retailers and other entities where you have accounts, as your accounts at those external (non-DePaul) sites may be compromised.

After the recipient has ensured that the old password is not actively being used anywhere, the email can be safely ignored and deleted.

Some indicators that these emails are malicious, but fake:
- Spoofed From field (remember to check for the [EXT] tag in the subject line)
- Convoluted and fabricated story
- An attempt to create a sense of urgency, and an attempt to scare targets into not reporting the email
- Manipulation of intense emotions (fear of social stigma and privacy concerns)

If you have any questions, please contact our team at