(This letter, which is a brief summary of this article I published on my Spanish blog, was published on RISKS, Volume 30, Issue 78.)
The blackmail scam that consists of hacking a user's webcam while he or she is interacting with pornographic material, and threatening to publish the recordings unless a payment is made, has not only been reported in the past ([1, 2]) but has also inspired some recent works of fiction (Black Mirror - "Shut up and dance").
We have also seen the next iteration of this scam, in which, while no recording is available, the attacker tries to fool the victim by offering a recognizable password and implying that a hacking operation took place ([3]).
I wonder if we are yet to see another step further: from having the recording, to pretending to have the recording, to being able to fool the victim's contacts and make them believe a recording is available. I can only expect this to happen as the skills and technologies for this attack become readily available at scale:
- Find victim.
- Obtain pictures and videos from the public Facebook database.
- Generate a deepfake video of the kind mentioned above.
- Proceed with the blackmailing scam as before, now armed with a recording that, while not legit, might look legit to third parties.