A "sextortion" scam that threatens to expose porn-viewing habits unless you pay a Bitcoin "ransom" has hit New Zealand.
The scam takes the form of an email claiming the sender has hacked the recipient's computer and obtained a copy of their browsing history.
The email says the victim has visited an adult website and the scammer has recorded what they were doing via the computer's webcam.
The message contains details of a real password created by the victim to add legitimacy.
Recipients are told to pay a ransom of between $1700 and $3000, often via Bitcoin. The scammer threatens to release the content to the victim's family, friends and workplace if they do not pay up.
The scam, which is also doing the rounds in the UK and US, is on the radar of Cert NZ, the government agency tasked with improving cyber-security.
Police have been contacted by several victims.
Cert NZ senior incident manager Erica Anderson said scams where people claim to have access to webcams tend to go through spikes.
"That's what we're experiencing at present. Multiple reports are being received daily about this issue.
"We know that scams like this prey on people being too embarrassed to seek help, so we assume that the reports we've received are only the tip of the iceberg and may not be an accurate reflection of the true impact of an incident like this."
Anderson said the use of real passwords made the scam slightly different from others in the past.
"In reality, the scammer gets the password from one of the data leaks that have been posted online. They are taking advantage of finding this data leak and are trying to pretend they have access to your computer."
Cert NZ said it couldn't confirm whether video recordings existed or this was an "opportunistic scam".
"We haven't had any reports of scammers releasing a video when a ransom isn't paid."
The scam is also known to our two biggest telcos.
Vodafone's security team monitors many sources of information to identify credible threats. Team member Mark Corrigan said the "sextortion" email was flagged because of some unusual characteristics.
As well as containing real passwords, the email had no link to click on and no attached file, add-ons that are common in scam emails and often attract the attention of anti-virus software or spam filters.
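The characteristics that got the email flagged (a real leaked password, a Bitcoin payment address, no link or attachment) are exactly what a content rule has to key on when URL and attachment filters have nothing to work with. The following is an added example, not code from the article, Vodafone or Cert NZ: it finds legacy Bitcoin addresses in the body and keeps only those that pass the Base58Check checksum (an address the scammer can actually be paid at survives; a random or mistyped string does not), counts extortion vocabulary, checks whether a password known to be in a leak is echoed back, and records whether the mail carries any link. The keyword list, scoring weights and both sample messages are constructed; the address in the scam sample is the public Bitcoin genesis-block address, used only because it is a known-valid string.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH / P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses: start with 1 or 3, 26-35 Base58 characters.
# Bech32 (bc1...) addresses are deliberately out of scope for this example.
_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Constructed vocabulary based on the article's description of the email; tune for your mail flow.
_EXTORTION_TERMS = ("webcam", "adult", "porn", "video", "bitcoin", "family", "friends", "workplace")


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 bytes equal the first 4 bytes
    of SHA-256(SHA-256(first 21 bytes)), i.e. a well-formed legacy address."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    # Each leading '1' encodes a leading 0x00 byte that the integer conversion drops.
    leading = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def triage(message: str, known_passwords=()) -> dict:
    """Score one email body for the pattern the article describes: a valid Bitcoin
    address, extortion vocabulary, an echoed leaked password, and no link at all."""
    lowered = message.lower()
    addresses = [a for a in _ADDR_RE.findall(message) if b58check_valid(a)]
    terms = [t for t in _EXTORTION_TERMS if t in lowered]
    echoed = [p for p in known_passwords if p in message]
    has_link = re.search(r"https?://|www\.", lowered) is not None

    score = 0
    if addresses:
        score += 2          # a payable address is the strongest single signal
    if len(terms) >= 3:
        score += 1          # vocabulary alone is weak; a family video newsletter hits it too
    if echoed:
        score += 2          # a known-leaked credential quoted back is near-conclusive
    return {
        "bitcoin_addresses": addresses,
        "terms": terms,
        "echoed_passwords": echoed,
        "has_link": has_link,
        "score": score,
        "verdict": "likely sextortion" if score >= 3 else "not flagged",
    }


# Constructed sample messages, not real scam emails.
SCAM_SAMPLE = """I placed malware on the adult video site you visited and your webcam
recorded you. If you do not send $1700 in bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
within 24 hours I will send the recording to your family, friends and workplace.
Your password hunter2 proves I am not joking."""

BENIGN_SAMPLE = """Hi team, the family photo day video is now online at www.example.com.
Share it with friends if you like. Thanks!"""

if __name__ == "__main__":
    print(triage(SCAM_SAMPLE, known_passwords=["hunter2"]))
    print(triage(BENIGN_SAMPLE, known_passwords=["hunter2"]))
```

The benign sample shares three vocabulary words with the scam and still scores only 1, because it has no payable address and echoes no credential; the scam sample scores 5 with no URL anywhere in it, which is the point Corrigan makes about link-based filters. The `known_passwords` list would in practice come from the recipient's own breach-notification data, never from a shared plaintext store.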
Corrigan thought the passwords were harvested from a major hack that happened in 2012.
"What they did do to personalise it, they managed to get the password or part of the password that had been disclosed on the internet a number of years ago.
"I think that was what they were hoping their key to success would be, that someone would see it and say 'crap, that's my password, so if that's real the rest must be real as well'."
Corrigan presumed the details about how to pay the Bitcoin ransom were legitimate. Even a 0.01 per cent response from 100,000 emails asking for $1000 ($10,000) would be a good return for a couple of hours' work, he said.
Spark had received a small number of reports from customers.
A spokeswoman said they recommended marking it as spam and reporting it by sending a screenshot to firstname.lastname@example.org
The Forbes website reported that a digital security researcher known as SecGuru had ascertained that more than 150 people had paid US$250,000 in Bitcoin as a result of the scam.
The Electronic Frontier Foundation has published several examples of emails like this.
An extract from one reads:
Experts say victims should not respond to such emails – and should certainly not pay the ransom.
HOW TO PROTECT YOUR DIGITAL PRESENCE
There's a huge amount of advice available. Here are three key tips from Vodafone's Mark Corrigan:
• Use strong passwords. Longer is stronger, preferably with a mix of numbers, letters and symbols. Use a mixture of upper- and lower-case letters. The website https://random-ize.com/how-long-to-hack-pass/ will tell you how long it would take to hack a particular password, although you might not want to test your real one. It says it would take 73 seconds to hack "password". In contrast "MyPasswordIsSafe" would take more than 32,365,987,337 years.
• Don't re-use one password in multiple places and don't write your passwords down. If you do use one password for many sites, change them all, because these sites could be at risk as a result of third-party breaches.
• If you get an email asking you to log in or provide details (particularly from a bank or purchasing account, for example Amazon or iTunes), type the company's address into a web browser rather than clicking on the link. This will ensure you are directed to the company's genuine site and not a fake one designed to harvest your credentials.
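The second tip turns on a question the article leaves open: how to find out whether a password is already sitting in a public dump, which is where Anderson and Corrigan say these scammers get them, without handing it to yet another website. The following is an added example, not code from the article, Vodafone or Cert NZ. It implements the k-anonymity range check used by the Pwned Passwords API (`https://api.pwnedpasswords.com/range/<prefix>`, a real endpoint): the client sends only the first five hex characters of the password's SHA-1 and compares the returned 35-character suffixes locally, so the service never sees the password or its full hash. The offline range table and every count in it are constructed stand-ins for a real response; `live_lookup` shows the real request but the demo never calls it.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Real Pwned Passwords range endpoint. Only the 5-character SHA-1 prefix is ever sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_sha1(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 of the password, split into the 5-char prefix that goes
    over the wire and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, one per leaked hash sharing the requested prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus behind lookup().
    lookup() receives only the prefix; the suffix match happens here."""
    prefix, suffix = split_sha1(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def live_lookup(prefix: str) -> str:
    """Fetch one range from the real service. Not used by the offline demo below."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service, keyed by prefix. SHA-1("password")
# is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is listed under 5BAA6.
# The other two suffixes and all three counts are made up for the example.
OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "0000A0C0B0D0E0F0A0B0C0D0E0F0A0B0C0D:2",
        "FFFFA0C0B0D0E0F0A0B0C0D0E0F0A0B0C0D:1",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Returns the constructed range for a prefix, or an empty body for any other."""
    return OFFLINE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "MyPasswordIsSafe"):
        print(pw, breach_count(pw, offline_lookup))
```

Swapping `offline_lookup` for `live_lookup` queries the real corpus with the same privacy property. A non-zero count means the password is in a dump a scammer can download, which is the exact situation the article describes, and the right response is the one in the second tip: change it everywhere it was used, not only on the site that leaked it.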