Sextortion Lookup FAQ


What is sextortion?

Sextortion encompasses a broad range of cybercrimes involving non-physical forms of coercion. In this case, sextortion refers to a phishing scam that threatens the release of sexual images or information to extort cryptocurrency.

The typical phishing sextortion scenario begins when a victim receives an email from a hacker who claims to have installed malware on their system. They threaten to send purported compromising information—such as pictures sexual in nature—to the victim’s friends, family or co-workers – unless the victim agrees to pay the hacker a bitcoin ransom.

What makes the email especially believable is that to prove their legitimacy, they begin the emails showing you a password you once used or currently use from data breach information or data dumps that they have acquired. 

What is the nature of this specific sextortion campaign / threat?

Cofense Labs the newly formalized research and development arm of Cofense Inc., discovered a “for rent” botnet in June 2019 used primarily to send sextortion emails. Cofense Labs is monitoring the botnet’s activity on a daily basis to observe changes in the malware it is spreading as well as tracking new email addresses being targeted for sextortion phishing emails.

What is Cofense doing to help?

  • Cofense has created a website that your prospects and customers can access to lookup their email account or domain to see if they have been targeted by or are at risk of a sextortion attack. To access the website, click here.
  • Cofense issued a threat alert to customers whose domains were found in the Sextortion botnet’s data file
  • In addition, Cofense has created a useful infographic as well as a guide to combatting Sextortion, which is available for download.
  • Customers of Cofense PhishMe will have access to simulations and notices around Sextortion and Cofense Intelligence customers will be receiving intelligence on this type of attack.

What actions can people take to help mitigate the threat?

If an email address was found in a target list used by the botnet, there’s an increased chance of receiving a sextortion email, or other phishing attacks.

People should:

  • Change passwords immediately
  • Consider using a password manager to keep passwords strong and unique
  • Enable two-factor authentication whenever that is an option on online accounts
  • Use a webcam cover – malware can access webcam’s without user knowledge
  • If a sextortion email is received, we recommend that you do not respond to the email or pay the ransom.

What are the trends surrounding this type of attack? How big of an issue is sextortion/who is a target? Do you have any data on that?

Sextortion uses tried and tested motivators of fear and urgency to coerce victims to pay a ransom. Whilst the core narrative remains consistent throughout campaigns, the tactics and techniques employed evolve, alongside other threats. Once limited to purely text-based emails, the abilities of filtering technologies to identify and block sextortion emails improved. In response, those responsible for creating and sending sextortion campaigns borrowed from more sophisticated threats to ensure delivery to the intended recipient. In the 2019 Phishing Threat and Malware review, we highlighted a sextortion campaign that makes heavy use of images of text, and the inclusion of QR codes linking to bitcoin wallets to circumvent controls.

How are targets identified by attackers for these sextortion campaigns?

A true ‘spray and pray’ attack, sextortion campaigns are indiscriminate, targeting anyone who’s data is unlucky enough to be included in previous breaches. Based on the data identified by Cofense Labs, the campaign currently being tracked has data on over 332 million unique email addresses that it is using for targeting.

The scammers in this case likely matched up a database of emails and stolen passwords and sent this scam out to potentially millions of people, hoping that enough of them would be worried enough and pay out that the scam would become profitable.

My domain is in the database and I’d like to get the specific email addresses? How do I do that?

After completing your search query on the Sextortion info center website, you can submit a form to request the specific email addresses for your domain. Your request will be securely transmitted to our Cofense Labs team, who will validate the request and then reply in 3-5 business days.

How did Cofense discover this data set of compromised domains? When did Cofense discover it?

Cofense Labs has been monitoring a specific mail spam botnet that’s been sending sextortion phishing emails for several months. Beginning in June, Cofense Labs was able to extract the compromised email addresses.

Why has it taken you this long to share this information?

We identified this scam in June and we wanted to validate that this scam was, in fact, using old data acquired through previous breaches. Then we had to determine the usage and the scope of the scam.

The good news is we know that this botnet IS NOT currently infecting computers to acquire new data sets (ala Emotet). It’s just recycling email addresses acquired through various means over time.

From what time frame is the data you collected? (When were these people compromised?)

We don’t know exactly. The data set includes credentials culled from multiple breaches dating back at least 10 years. We know this because the database includes an email address of our lead researcher that he hasn’t used for over a decade. The address was for a dial-up service that doesn’t exist anymore.

The good news is we know that this botnet IS NOT currently infecting computers to acquire new data sets (ala Emotet). It’s just recycling email addresses acquired through various means over time.

Will this data update “live”? Will Cofense continue to monitor for updates, or does the database represent a moment in time?

If there are updates, we will update. This specific botnet is a “for rent” botnet that is currently being principally used for Sextortion. If the botnet ingests new email addresses we have the ability to see those. We are monitoring the activity of the botnet to see what malware it is using. We are looking at any new pieces of malware that this botnet might be using – daily.

Is this the first time Cofense has seen this specific attack in action?

Sextortion has been growing in relevance in the last couple of years. It’s a pervasive problem that continues to evolve. The evolution is reflective of the “cat and mouse” game of gateways trying to stay a step ahead of threat actors (and vice versa).

To provide some idea of the scope of the problem, From January 1, 2019 to June 30, 2019 we analyzed 7MM sextortion related emails. About 1200 people ponied up bitcoin, which we estimate to be more than $1.5M in bitcoin ransom payments.

Does Cofense plan to notify companies / individuals directly?

We are making this information publicly available to help consumers / businesses protect their information and to broaden awareness around this threat and cybercrime in general.

In addition, we have reached out to all Cofense customers whose domains were found in the data dump.

Is there any way of knowing if these targeted emails have already addressed this issue/changed their passwords etc.? 

Because this is predominantly an older set of email addresses and passwords, there’s a high likelihood that for corporate domains… passwords have been changed. But it’s a good idea to always change your password frequently and use two-factor authentication.

What are you doing to safeguard the data? i.e. what’s to prevent a threat actor from now attempting to steal it from Cofense?

The database that we’ve made available publicly is purely email addresses and does not contain passwords. We’ve implemented appropriate and reasonable safeguards to prevent any breach of those email addresses.

Is this a global threat or limited to only businesses in one region?

The emails and domains come from ISPs and businesses located in countries around the world.

Regarding the specific botnet that was discovered, what IOCs (if any) have you found?

Specifically relating to the botnet in question – IOCs would be of limited value as there is no single sender or source IP address. If we were to compile a listing of seen senders or IP addresses, that list would scope into the millions.

In terms of detection, most of these types of emails spoof the sender email address so that it appears to be coming from the recipient’s email account. If you can detect any external emails where the sender address contains your corporate domain and is the same as the recipient address, that could be a potential indicator. Note: this detection doesn’t mean it is always going to be a bad email, as a lot of external services may perform similar activity.

For customers of Cofense Triage, there are several existing Triage Yara rules for detecting/flagging emails as possible Sextortion. They include multiple keywords (for both body and subject line) found across a spectrum of samples. We utilize a keyword listing, vs static defined content/strings, on these rules due to the varied nature of the emails themselves. Cofense updates Yara rules on an ongoing basis as new intelligence emerges.