Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/07/reasonably_clev.html
Imagine you’ve gotten your hands on a file of e-mail addresses and passwords. You want to monetize it, but the site it’s for isn’t very valuable. How do you use it? You convince the owners of the password to send you money.
I recently saw a spam e-mail that ties the password to a porn site. The e-mail title contains the password, which is sure to get the recipient’s attention.
I do know, yhhaabor, is your password. You may not know me and you’re most likely thinking why you’re getting this email, right?
actually, I actually setup a malware on the adult video clips (pornographic material) web site and you know what, you visited this web site to have fun (you know what I mean). While you were watching videos, your web browser began operating as a RDP (Remote Desktop) having a key logger which provided me accessibility to your display and web camera. after that, my software obtained your entire contacts from your Messenger, social networks, and email.
What exactly did I do?
I created a double-screen video. First part shows the video you were viewing (you’ve got a fine taste ; )), and 2nd part displays the recording of your webcam.
What should you do?
Well, I believe, $2900 is a reasonable price for our little secret. You will make the payment through Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
This is clever. The valid password establishes legitimacy. There’s a decent chance the recipient has visited porn sites, and maybe set up an account for which they can’t remember the password. The RDP attack is plausible, as is turning on the camera and downloading the contacts file.
Of course, it all fails because there isn’t enough detail. If the attacker actually did all of this, they would include the name of the porn site and attached the video file.
But it’s a clever attack, and one I have not seen before. If the attacker asked for an order of magnitude less money, I think they would make more.
EDITED TO ADD: Brian Krebs has written about this, too.