Sextortion scams now include photos of your home (krebsonsecurity.com)
52 points by todsacerdoti 68 days ago | hide | past | favorite | 61 comments



This is a clever exploit of the way most people do not appreciate how much data has been breached. It seems convincing if you don’t know just how many email and street address pairs are effectively public, and once you get them to panic a reliable fraction of the population isn’t going to pause and reconsider that assumption.


>It seems convincing if you don’t know just how many email and street address pairs are effectively public

I don't think it's that convincing even if you're unaware of that fact because if someone tries to "sextort" you, if they've indeed owned you, why wouldn't they just send you a piece of that footage? I'd assume anything else is by default a bluff even if I knew nothing about tech


Remember that this is a numbers game. They don’t need to convince everyone, just enough people that they make a profit. Say they get their hands on a breach data set with 50 million people – if you live in a low cost of living country with negotiable law enforcement like, say, Nigeria or Russia how many of them do you need to sucker at $1,400 apiece to pay for the cost of generating a few million emails? I’d bet that anything over the first few is pure profit.


Also, you want your scam to not be too sophisticated as that would make your life harder. A less sophisticated scam will auto-filter those with critical thinking skills upfront, so you don't even have to try to convince them. Which gives you more time to focus on those you can convince.


See the classic Cormac Herley research: “Why do Nigerian scammers say they’re from Nigeria?”

https://www.microsoft.com/en-us/research/publication/why-do-...

> Far-fetched tales of West African riches strike most as comical. Our analysis suggests that is an advantage to the attacker, not a disadvantage. Since his attack has a low density of victims the Nigerian scammer has an over-riding need to reduce false positives. By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor.


Yes, but it doesn't apply here. There's nothing complicating anything. They either pay or they don't. But if you have to engage in communication to make the scam work then you'd want to weed out the smart people.


It only takes a moment of weakness to fall for it; you need to spread information about these scams so people are prepared for it. Sex is shameful for so many people that they will not talk about being scammed.


On the opposite side of this I've gotten several pieces of junk mail from some home flipper guy offering to buy my home that include a photo of my house, along with a disclaimer to the effect of "No we weren't creepy and driving by your house, we just pulled this off of Google Maps."


Same - if it was up to me, it’d be illegal to sell mortgage information since I’m sure those sleazy companies pretending to sell insurance or home services do it because it’s profitable.


So creepy, but just not creepy in person.


This type of scam is so lazy and obvious I'm surprised it's not been reported before. Anyone with your name and approximate location, provided your name isn't something insanely common like John Johnson, can yield your address within a few minutes. Seems like just a variation of the "I have your IP address" scams prevalent in IRC a long ass time ago, even the tone of the letter sounds the exact same.


It is the type of thing nobody thinks about though. Sure it is easy to figure out where I live (though odds are good you will get a previous address), but most people never attempt to do that and so don't realize how easy it is. It seems like if you know where I live you just have gone through a lot of effort. I have no doubt someone could break into my house and install hidden cameras without leaving a trace, but it would be a lot of effort, and it seems like the hardest part is finding my house.


>I have no doubt someone could break into my house and install hidden cameras without leaving a trace

Yes, but it feels like it would be hard to do that without the risk of witnesses. Sure, you could probably muddy the waters by claiming to be official or something, but it only takes one person to actually check your credentials or call the cops or even just tell the person "Hey this person went into your house, did you hire them?" to blow up your spot.


Pretty much all of your examples require some level of home surveillance, either neighbors or a good camera system. If you don't have nosey neighbors and don't have alerting cameras, it would be almost trivial to pick a standard lock and place a few small mics or pinhole cameras while the house is empty during work/school hours.

The real deterrent here is that nobody cares enough about some random normal person to do this. It's much easier to send email spam to trick a tiny percentage of gullible people into believing it and paying up.


If someone is going to do a B&E on your house then they have many better options of getting a payday than some weaksauce sextortion scheme. And worse, law enforcement might actually care enough to investigate if you're going that far out of your way. High risk low reward. It's a bad scheme.


Weirdly getting the Google street view of my house makes the threat seem less credible. If they have the ability to send me a picture and they don't include one of the blackmail shots as proof and instead just something easily scraped from the web then they've already shown that they have nothing. At least when these threats were text only there was a plausible reason why they wouldn't send the proof right from the start and if people aren't thinking about it they might not realize that the scammer has provided basically zero details that aren't public knowledge. Sending the useless picture just highlights the scam.


Congratulations, you are not the target of the scam. Unfortunately, if they get 1/1000 people to not think this critically, they'll keep trying...


Ten years ago someone told me that you can find out where someone lives by typing their name into Google Maps. I tried it on a few friends and it was shockingly accurate. I was completely mystified by how it worked (we were all college kids and none of us owned property). Doesn't seem to work any more though.


There used to be these books available that had a compiled list of everyone in town and it included their address and phone number. It was huge.


Assuming you are referring to phone books (white/yellow pages), which do still exist - the major difference being of course that these could be trivially opted out of by calling the phone company. These days, you cannot come even close to reliably opting out of the digital “phone book” and it contains much more than your name, number, and address.


Mostly being facetious. But at the time, I never knew someone who opted out. It just wasn't seen as a danger. It was a great way to find Doc Brown or Sarah Connor.


The cornerstone of social engineering and phreaking.


How did it work? Did Google get recorder of deeds records?


It's lazy but they only need it to work on a few people via shotgun approach of spam.


Honestly, it’s just not common knowledge. I can still shock people by telling them there are practically free versions of Clearview-like services online. Like finding people in random pictures by doing a reverse image search.


Shower thought:

I'm curious how many people just send back nude photos of themselves and just call the bluff. You can always claim it was AI generated, wait, send back AI generated nudes and see if it also works.

I hate that I typed any of this on HN. Programmer brain of trying to break software.


The Bitcoin sextortion scammers get told that they are in possession of copyrighted content from my OnlyFans* and a DMCA cease-and-desist warning.

Checkmate, con artists.

(* no this does not exist)


Wait I got it! Become a UFC fighter, then they really get a serious DMCA.


I might actually feel flattered if I thought somebody found me attractive enough to put in this much effort to watch me masturbate.


You can't really send anything back, they're junk sender addresses. You either send btc to their wallet, or you don't.

(Already had this thought process when I was getting so many of these, I wanted to invite a bidding war)


Preemptively go online and talk about the dangers of AI generated content, post a modified yet non lewd image of yourself and expose the scam in a write-up telling the story of how people have tried to blackmail you with false, manufactured information. Problem solved.


It doesn't even have to be AI, photomanipulation has existed for a while.


"It makes sense that you'd know about insert act here, it involved your mother" - what you tell the scammer before ignoring any further communications from them


Let it come out and call it AI generated, better yet if you get a whiff it’s sextortion, stop reading and delete the email right away.


Business model? Create AI generated versions of a person in similarly compromising situations to basically just flood ones network and drown out the actual sextortion images.


That's ingenious: the technology simultaneously makes and breaks the scam.

The cleverest business name idea that comes to mind is also the one most likely to get this comment deleted: consider the Scunthorpian[1] business name Cuntermeasure.

[1] https://en.wikipedia.org/wiki/Scunthorpe_problem


Not sure if I want to risk all the images going online, and plenty of it even if it’s fake. What you should do is just let time run its course and just don’t focus on the subject, which is what the entire scam is standing on, which is embarrassment.


When someone blackmails you, even if you pay them, they will continue to have leverage on you and ask for additional payments. So payment doesn't guarantee anything.

If you agree to pay, they can ask you for more in response.

When they cannot confirm that you have read an e-mail, simply don't respond to it. Do not even let them know you have received the message.


Even if they capture video, who would actually watch it? I'm certainly interested in the preventative or reactive security steps to address this sort of thing. But I just don't see myself caring about somebody seeing me do something that basically everyone does.


I was hit by this exact scam this weekend. Hilariously, they didn't even get the photo right, and sent me a picture of some neighborhood I had never seen.


That might help you identify which data breach had that as your address. I know at least one person who has trouble passing those shoddy identity validation services because one of the data aggregators have incorrect data for them and no error correction process.


I guess a lot of people would be uncomfortable with this. But I’d just tell them I don’t give a shit if people see something I didn’t expect them to see.


Depending on where you live you could get into trouble. It might be legal (in some countries it is now) to take nude pictures of yourself and share them with adults, but it is still immoral to some people. Your community can make life difficult.

Note that it isn't just your current community. Something you did 40 years ago can haunt you if there is any possibility you will run for political office. Community morals change over time; what was once normal can become illegal (sexual harassment rules have changed a lot since 1970).


Imagine if you are a school teacher and they threaten to send the pictures to all of your students? You'll never teach again. Parents would be calling for your head on a pike, even though you are technically the victim. The administrators aren't going to save you.


maybe we can just normalize the fact that people have sex and masturbate so the scammers can find other jobs that contribute to society


I started getting some of these recently. They try to be threatening about porn watching and stuff like that. I just "Report Phishing" and move on. The threat itself is not that great: they'll send videos of your self-love to everyone. That's not outrageously threatening, if I'm being honest.
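The "Report Phishing" triage above, taken one step further as an added example that is not part of the thread or of any mail provider's own filter: a small Python heuristic that scores a message on the three signals this scam family combines (a webcam/video threat, a payment deadline, and a reference to your home or address) and extracts the Bitcoin address the victim is told to pay. Legacy addresses carry a Base58Check checksum, so the script also verifies it, which separates a payable address worth recording as an indicator from a mangled one. The address and the three message bodies are constructed for the example; the keyword lists and thresholds are assumptions to tune against real mail.

```python
"""Triage heuristic for bitcoin-sextortion email (added example; constructed data)."""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (Base58Check) addresses only; bech32 "bc1..." would need its own checksum routine.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Assumed keyword lists; tune against real samples.
THREAT_TERMS = ("webcam", "video of you", "adult site", "your contacts", "release")
COERCION_TERMS = ("within", "hours", "unless", "deadline", "last warning")
HOME_TERMS = ("photo of your house", "your home", "your address", "live at")


def _double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of double-SHA256(payload)."""
    data = payload + _double_sha256(payload)[:4]
    n = int.from_bytes(data, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    pad = len(data) - len(data.lstrip(b"\x00"))  # leading zero bytes encode as '1'
    return "1" * pad + digits


def b58check_valid(addr: str) -> bool:
    """True only if every character is base58 and the 4-byte checksum matches."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5:
        return False
    return _double_sha256(raw[:-4])[:4] == raw[-4:]


def triage(body: str):
    """Return (verdict, signals) for one message body."""
    text = body.lower()
    candidates = BTC_RE.findall(body)
    valid = [a for a in candidates if b58check_valid(a)]
    signals = {
        "threat": any(t in text for t in THREAT_TERMS),
        "coercion": any(t in text for t in COERCION_TERMS),
        "home_ref": any(t in text for t in HOME_TERMS),
        "btc_candidates": len(candidates),
        "btc_valid": len(valid),
        "btc_addresses": valid,
    }
    # Threat language weighs double; a checksum-valid payment address weighs double too.
    score = (2 * signals["threat"] + signals["coercion"] + signals["home_ref"]
             + (2 if valid else 1 if candidates else 0))
    verdict = "sextortion" if score >= 4 else "review" if score >= 2 else "ok"
    return verdict, signals


# Constructed payment address: P2PKH version byte 0x00 + an arbitrary 20-byte hash160.
VALID_BTC = b58check_encode(b"\x00" + bytes.fromhex("89abcdefabbaabbaabbaabbaabbaabbaabbaabba"))
# Same address with the last character changed: the checksum no longer matches.
INVALID_BTC = VALID_BTC[:-1] + ("2" if VALID_BTC[-1] != "2" else "3")

# Constructed sample bodies (not real scam mail).
SAMPLES = {
    "sextortion": (
        "I know you live at 123 Main St, see the attached photo of your house.\n"
        "I have video of you from your webcam on adult sites. Send $1,400 in\n"
        f"Bitcoin to {VALID_BTC} within 48 hours or it goes to your contacts."
    ),
    "mangled": (
        "Your webcam footage will be released unless you pay Bitcoin to\n"
        f"{INVALID_BTC} today."
    ),
    "benign": (
        "Hi team, the Q3 report is attached. Let me know if the numbers for the\n"
        "Main St office look right before I send it to finance."
    ),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, signals = triage(body)
        print(f"{name:10s} -> {verdict:10s} {signals}")
```

The "mangled" case still scores as sextortion (the threat and deadline are there) but yields no checksum-valid address, so nothing is recorded as an indicator; a valid address, by contrast, is the one artifact of the campaign that is both unique and public, which is what makes the numbers-game question above (how many recipients actually paid) answerable from the chain rather than from guesswork.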


Not only that—anyone who's ever tried to have FaceTime sex knows that the only video they would capture is of your face watching porn... it's not like they can see your body unless you're specifically placing your phone in order to show it to someone else (which is actually kind of challenging and definitely nothing like how you'd use your phone to watch porn). They're basically threatening to send pictures of your "O face" which really wouldn't be that embarrassing at all to me, at least.


I think of it like a lot of the security discussion where nerds like us like to talk about all of these cool, complicated attacks because they are technically challenging but when you look at how normal people are suffering it’s mostly boring stuff like password reuse for anyone who hasn’t pissed off the Mossad.


Commenters on HN, please note: The word “m*sturbate” (uncensored) is an auto-ban word. If you include it in a comment, your comment is automatically banned.

I mention this because I see three comments have been banned by this already, in this thread.


Just tested and it's actually banned, Dang's advanced moderation filter.

I didn't even know there was a dictionary based filter.


Wow I didn't realize hn had a purity filter. Is there a list of banned words somewhere?


Dang posted the then-current list in 2020: <https://news.ycombinator.com/item?id=23258425#23269284>


This is kinda hilarious.


Also disappointing for one of the last bastions of free speech as a forum.


There is a long list of "guidelines" on this site, calling HN "the last bastions of free speech as a forum" is silly, there are way less moderated websites out there.


That's very surprising to me. Is there a rationale or discussion you can link? I have used way more sexually explicit words, and even slurs, in HN comments.

Edit: I see the link under a sibling. Fascinating.


Comments are not "banned"; they are removed. A ban is an action that applies to a user, not to a comment.


To be precise, the HN term is “dead”: <https://news.ycombinator.com/newsfaq.html#dead>


I don't think that the word "masturbate" is banned, but we will see.


Note to future readers: This comment by GaggiX was indeed initially banned (or “dead” as is the official HN term). The comment was presumably either unbanned by the moderators, or more likely vouched by enough users to automatically un-ban it.


That's silly. I'm guessing it's to prevent bot spam?

