Update 4/9/20: A large email extortion campaign is underway. More information can be found in today's Large email extortion campaign underway, DON'T PANIC! article.

Reports are coming in about a new extortion scam where scammers email you stating that they know the recipient's password, have installed malware on the computer, created videos of the recipient using adult web sites through their webcam, and have stolen the recipient's contacts.

Example Extortion Email (Click to enlarge)

The good news is that this is just a scam and no one has caught the recipient doing anything they don't want seen on video. The bad news, though, is that these attackers may actually know a recipients password from data breaches.

Yesterday a BleepingComputer member posted in our forums about this type of email scam and then security researcher SecGuru discovered a similar email, shown above, today.

@malwrhunterteam This looks legitimate ;-) p.s. the password comes from Leakforums. BTC Address: 1KiCTVUq5A9BPwoFC8S965tsbtqcWr8bty pic.twitter.com/rjXGW2oboZ — SecGuru (@SecGuru_OTX) July 12, 2018

SecGuru told BleepingComputer that the extortionists are finding leaked account credentials from data breaches and using those leaked passwords when contacting the victim. This adds a sense of legitimacy to the emails as the victims will see passwords that they are currently using or have used in the past.

Once again, this is a scam, nothing has been installed on your computer, and they do not have any video of you doing anything. Therefore, do not be concerned if you receive one of these emails. At the same time, if the passwords sent in the email is one that you are currently using, I strongly suggest you change it immediately.

The full text of one of these extortion email scam can be seen below:

From: Beitris Englert Date: July 12, 2018 Subject: (username + password) It seems that, (password), is your password. You may not know me and you are probably wondering why you are getting this e mail, right? actually, I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean). While you were watching videos, your internet browser started out functioning as a RDP (Remote Desktop) having a keylogger which gave me accessibility to your screen and web cam. after that, my software program obtained all of your contacts from your Messenger, FB, as well as email. What did I do? I created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam. exactly what should you do? Well, in my opinion, $2900 is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google). BTC Address: 1KiCTVUq5A9BPwoFC8S965tsbtqcWr8bty (It is cAsE sensitive, so copy and paste it) Important: You have one day in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message). If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with "Yes!" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.

These scammers have my password! Now what?

If you receive one of these extortion emails and it contains one of your actual passwords, you should immediately change it at any and all sites that you are currently using it. It is also strongly suggested that you use unique passwords at every site you visit and setup 2 factor authentication if its available.

You should also enter your email address at Troy Hunt's https://haveibeenpwned.com/ site to see what data breaches your account credentials were included in. Have i been pwned? is a site where you can enter an email address and get a list of data breaches where your email address was disclosed to attackers.

You can then use this information to change the password used at any sites that were affected by this breach.

Even though this particular scam campaign is all fake and they do not have video of you, if you are concerned and live in the U.S.A. you should also file a complaint with the FBI using the ic3.gov site. For other countries, do a similar search for "cybercrime complaint" to submit the complaint to your country's associated law enforcement agency.