Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

Sextortion-based hacking, which hijacks a victim's webcam or blackmails them with nudes they're tricked or coerced into sharing, has long represented one of the most disturbing forms of cybercrime. Now, one specimen of widely available spyware has turned that relatively manual crime into an automated feature, detecting when the user is browsing pornography on their PC, screenshotting it, and taking a candid photo of the victim through their webcam.

Researchers at security firm Proofpoint have published their analysis of an open-source variant of "infostealer" malware known as Stealerium. The company has seen this malware used in multiple cybercriminal campaigns since May of this year. Stealerium is designed to infect a target's computer and automatically send a hacker a wide variety of stolen sensitive data, including banking information, usernames and passwords, and keys to victims' crypto wallets.

Stealerium's automated sextortion feature adds another layer of privacy invasion on top of that data theft. "When it comes to infostealers, they typically are looking for whatever they can grab," says Selena Larson, one of the Proofpoint researchers who worked on the company's analysis. "This adds another layer of extortion and sensitive information that you definitely wouldn't want in the hands of a particular hacker."

"It's gross," Larson adds. "I hate it." The malware is distributed as a free, open-source tool available on GitHub, with its developer describing themselves as a "malware analyst" based in London.

The program is for "educational purposes only," according to the page that describes the malware. However, this claim rings hollow given the malicious nature of the software. The developer's statement also warns users that they will not be held accountable if the tool is used illegally, adding to the sense of impunity around using it.

Once installed, Stealerium is designed to steal a wide variety of data and send it to the hacker via services like Telegram, Discord, or the SMTP protocol in some variants of the spyware. The researchers were more surprised to see the automated sextortion feature. It monitors browser URLs for a list of pornography-related terms such as "sex" and "porn," which the hacker can customize, and a match triggers simultaneous image captures from the user's webcam and browser.

Proofpoint notes that it hasn't identified any specific victims of this sextortion function, but suggests that the existence of the feature means it has likely been used. This is a relatively new development in the world of cybercrime, with actual, automated webcam pics of users browsing porn being "pretty much unheard of," says Proofpoint researcher Kyle Cucci.

The only similar known example was a malware campaign that targeted French-speaking users in 2019, discovered by the Slovakian cybersecurity firm ESET. This pivot to targeting individual users with automated sextortion features may be part of a larger trend of some cybercriminals turning away from high-visibility, large-scale ransomware campaigns and botnets that tend to attract the attention of law enforcement.

"For a hacker, it's not like you're taking down a multimillion-dollar company that is going to make waves and have a lot of follow-on impacts," Larson says, contrasting the sextortion tactics to ransomware operations that attempt to extort seven-figure sums from companies. "They're trying to monetize people one at a time. And maybe people who might be ashamed about reporting something like this."

This highlights a shift in the world of cybercrime, where hackers are becoming more brazen and willing to take on individuals rather than large corporations. It's a stark reminder that even with the best security measures in place, no one is completely safe from the threats of cybercrime.