According to the report, sextortion schemes follow a fixed scenario: the recipient gets an email claiming that malware has been installed on their computer and has captured images and video from the webcam, along with their browser history.
The email then claims that a 'porn video' of the recipient has been recorded and that, unless they pay immediately, it will be sent to their friends and family, whose contact details the scammers say they obtained along with the victim's passwords.
The extortion demand is typically somewhere between $700 and $4,000, payable to a Bitcoin address given in the email, SophosLabs said, noting that scammers running this scheme have been known to take in up to $100,000 in a month.
The scenario is entirely fabricated. To make it credible, the scammers include a password in the email as "proof" that they have compromised the victim's computer, and that password often turns out to be one the victim once used or still uses.
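As an added example (not code from the Sophos report or the Naked Security post), the script below triages an incoming message for the markers the report describes: a Bitcoin address, a dollar demand, and the threat vocabulary. The address check validates the Base58Check checksum so that random long tokens do not count; bech32 (bc1...) addresses are not handled. Both sample messages are constructed; the address in the scam sample is the well-known Bitcoin genesis-block address, used only because its checksum is valid.

```python
import hashlib
import re
from typing import List, Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate legacy (P2PKH/P2SH) addresses: Base58, 26-35 chars, leading 1 or 3.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Dollar amounts such as $700, $1,500 or $4000.00
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d+)(?:\.\d{2})?")
# Vocabulary of the scam template described in the report (assumed list).
THREAT_TERMS = ("malware", "webcam", "camera", "video", "browser history",
                "contacts", "friends", "password", "hours", "bitcoin")


def b58check_decode(addr: str) -> Optional[bytes]:
    """Decode a Base58Check string; return the 21-byte payload or None if invalid."""
    num = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        num = num * 58 + idx
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:          # 1 version byte + 20-byte hash + 4-byte checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if expected == checksum else None


def is_valid_btc_address(addr: str) -> bool:
    """True for a checksum-valid mainnet P2PKH (0x00) or P2SH (0x05) address."""
    payload = b58check_decode(addr)
    return payload is not None and payload[0] in (0x00, 0x05)


def triage(message: str) -> dict:
    """Score one message against the sextortion template and return the evidence."""
    lowered = message.lower()
    addresses: List[str] = [a for a in ADDR_RE.findall(message) if is_valid_btc_address(a)]
    amounts = [int(m.group(1).replace(",", "")) for m in AMOUNT_RE.finditer(message)]
    in_band = [a for a in amounts if 700 <= a <= 4000]   # typical demand per the report
    terms = [t for t in THREAT_TERMS if t in lowered]
    score = 3 * bool(addresses) + bool(in_band) + min(len(terms), 4)
    verdict = "sextortion" if addresses and len(terms) >= 2 else "benign"
    return {
        "bitcoin_addresses": addresses,
        "amounts": amounts,
        "amounts_in_band": in_band,
        "threat_terms": terms,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample messages (not real mail).
SCAM_SAMPLE = """I have installed malware on your computer and recorded a video through your webcam.
I also have your browser history and the contacts of your friends and family.
Pay $1,500 in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video goes out.
Your old password is included below so you know this is real: <old password>"""

BENIGN_SAMPLE = """Hi team, the camera for the lobby arrived. Invoice total is $1,200.
Please approve the purchase order by Friday."""

if __name__ == "__main__":
    for name, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, triage(msg))
```

A message whose only suspicious feature is a dollar figure in the $700 to $4,000 band stays benign; the verdict needs a checksum-valid address plus at least two template terms. Changing one character of the address makes the checksum fail and drops it from the evidence, which is the point of validating rather than pattern-matching alone.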
"In truth, the passwords sent out in these scams have typically been dredged up from old data breaches", IT security specialist Paul Ducklin wrote in Sophos's Naked Security blog.
Although these passwords were not obtained by accessing the victim's computer, any that are still in use should be changed immediately.
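One practical check, added here and not part of the article, is to find out whether a password appears in a public breach corpus without sending the password anywhere. The Have I Been Pwned "Pwned Passwords" range API takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with a count (k-anonymity), so the full hash never leaves the machine. The range response below is constructed so the example runs offline, and the counts in it are made up; `fetch_range` performs the real request but is only used when no response is supplied.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password), upper-case."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character prefix is sent to the service."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_response: str) -> int:
    """Search a 'SUFFIX:COUNT' range response for our suffix; 0 if absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, range_response: Optional[str] = None) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    if range_response is None:
        range_response = fetch_range(prefix)
    return count_in_range(suffix, range_response)


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix lines and counts are made up for the example, not real API output.
SAMPLE_RANGE_5BAA6 = """\
0123456789ABCDEF0123456789ABCDEF012:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FEDCBA9876543210FEDCBA9876543210FED:1
"""

if __name__ == "__main__":
    print("password ->", breach_count("password", SAMPLE_RANGE_5BAA6))
    print("long passphrase ->", breach_count("correct horse battery staple 2019", SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password is in circulation in breach dumps of the kind these emails are built from, and it should be retired wherever it is still used, regardless of whether the email's other claims are true.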
There is no single source of the spam: sender details are spoofed so that the messages appear to come from different countries and servers. The report also found that most sextortion spam is actually sent from the computers of innocent users infected with spam-sending malware known as a bot, which sends the emails without the owner's knowledge.
The best defence is to make sure your own computer is not infected with a bot, and to change any password that appears in such an email if you still use it anywhere.