Week 27: Fake email senders and hacked email accounts

12.07.2022 - The NCSC received even fewer reports last week. Current fake sextortion emails look like they have been sent from the victims' own email accounts. At the same time, fraudsters are using login data from a data leak and hacking email and social media accounts to bolster their demands. Last Tuesday, the NCSC also received a report that the domain ncscs.ch had been misused for a fraudulent email.

Fake sextortion – seemingly from one's own email account

People who find a so-called fake sextortion email in their mailbox for the first time are initially very frightened. The email usually claims that a hacker has taken over their computer and used the camera to film the owner during intimate moments. In order to prevent the footage from being published, the hacked person is told to transfer a certain amount of money to a cryptocurrency account.

The email password supposedly used for this purpose is sometimes provided as proof. The passwords given are mostly from old data leaks and no longer valid. Sometimes the emails are sent with the sender's own email address as purported proof. However, in reality, the sender is fake – this can be done very easily and with minimal knowledge.

In the case of the reports recently received by the NCSC, however, the fraudsters are now apparently using data from a new data leak. The passwords listed "as proof" are up to date. In addition, the fraudsters try to log into the email and social media accounts with the email address and password. Where they succeed, they leave pornographic content.

Fake sextortion with fake sender [1], current password [2] and cryptoaccount [3]

The fact that it is not genuine blackmail can be seen from the cryptoaddress provided. This is used multiple times, so the fraudster cannot trace which hacked individuals paid the ransom and which did not. This means that any hacked email or social media accounts will not be returned to the victims.

Unfortunately, in the example given here, it seems that nine people have already transferred the amount demanded – with a cryptoaccount, the account balance and the number of transactions can be openly viewed.

Do not allow yourself to be intimidated.
Forward the email to reports@stop-sextortion.ch.
Always use a separate password for each online service.
Use multi-factor authentication whenever possible.

Bogus emails supposedly from the NCSC

Cybercriminals misuse well-known organisations and companies as senders in bogus emails in order to appear more trustworthy, and the NSCS is no exception. Last Tuesday, the NCSC received a query as to whether it was indeed the sender of an email purporting to refund seized financial assets. The email was written in peculiar German and allegedly came from a "Michael Pearson" of the NCSC, the "Head of Defensive Cyber operations and Financial Departement" – the NCSC had unexpectedly gained a "new" employee.

However, the NCSC was alarmed by the email address used for the fraud attempt: ncscs.ch - i.e. the " ncsc" domain with an additional "s", something that can easily be overlooked. We previously reported in detail on this scam with similar domains in weekly review 8.

The fraudsters use a domain that looks confusingly similar to that of the NSCS.

Fortunately, the domain reserved for these fraudulent intentions was quickly deactivated, so this advance payment scam the fraudsters were planning seems to have been thwarted.

Report fraudulent domains to the NCSC.
Fraudsters are constantly devising new scenarios to encourage victims to react rashly. For this reason, do not let yourself be taken off guard, instead think about the situation calmly and, if in doubt, ask friends, work colleagues or the NCSC how to assess the matter.

Current statistics

Last week's reports by category:

Current figures