Crowdsourced Threat Radar

As a tech consultant supporting a large user community, I’m frequently contacted when people experience things that are out of the ordinary. So, I’m regularly made aware of phone scams, fake antivirus programs, imposter tech support pop-up ads, and malicious email campaigns. It’s like a crowdsourced human radar system for early detection of widespread threats.

There’s an email scam that’s been going around for a while and it remains effective because of how it’s crafted. People who have received these emails have contacted me for advice.

The Tactics of Manipulation

Here are some of the tactics used in the email in order of how they are presented.

  1. Name. The email is personally addressed to the recipient by their first name. Unlike impersonal mass mailings and spam, the email seems to be sent from someone who knows about the recipient. This immediately establishes a familiarity.
  2. Password. In the email, the sender discloses a password that the recipient used in the past, typically a long time ago, though if the person still uses it then it’s a recent or current password. This establishes that the sender has been able to obtain otherwise private information about the recipient. It is startling because they are hearing from a stranger who seems to know personal things about them. The recipient doesn’t know that the email address and password were taken from a dark-web trove of over one billion user accounts from hacked websites like Facebook and Yahoo.
  3. Hacked. The sender claims to have hacked the victim’s computer. This seems plausible since the sender has the person’s name, email address, and password — things that could have been obtained from the computer. At this point, at least some of the mystery is unveiled and the recipient has a logical explanation as to how the sender has obtained their information.
  4. Video. The sender claims to have used malware to record an embarrassing video of the recipient visiting a porn website. Someone who doesn’t visit porn sites will be fairly certain the email is a scam.
  5. Threat. The sender threatens to share the video with all of the recipient’s contacts if they are not paid a sum of money. The threat seems plausible under the presumption that the sender had access to the list of contacts on the computer.
  6. Isolation. A person who has been visiting porn sites and believes the email is a legitimate threat may be embarrassed and unwilling to talk to anyone about their predicament. This puts them in a vulnerable place of isolation.
  7. Spread. The scam is able to spread and be effective because nobody is talking about it. Those who have lost money from the scam will be doubly embarrassed. They didn’t want to tell anyone when it happened (see #6 above) and after having been scammed they won’t want to tell anyone and be perceived as having been foolish and easy to deceive.

All of the above factors make this email scam harder to stop.

Sample of the Email Message

The following example is from a 2018 KrebsOnSecurity article, so it is presumably close to the wording of the original emails. Subsequent waves of this message could be slight variations on the original, intended to make them less likely to be identified and blocked by email spam filters.

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

[Source: KrebsOnSecurity, 12 Jul 2018]
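To turn the tactics listed above and the sample message into something a helpdesk or mail filter can act on, here is an added example (my own code, not from this page or from KrebsOnSecurity) that scores a raw email for the scam’s signature elements: a disclosed password, a hacking claim, a webcam video claim, a threat against the recipient’s contacts, a payment deadline, a tracking-pixel claim, and a Bitcoin address. It also flags the From-equals-To trick. The two messages it runs on are constructed for this example; the Bitcoin address is the one quoted in the sample above, and the address check is a format check only, with no checksum validation.

```python
"""Heuristic triage for sextortion-style extortion email (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Legacy (1.../3...) and bech32 (bc1...) address shapes. Format only, no
# checksum, so a hit is a signal to be weighed, not proof of an address.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,60})\b"
)

# One regex per tactic from the list above. Each hit adds one point.
SIGNALS = {
    "password_disclosure": re.compile(r"\bpassword\b", re.I),
    "hacked_claim": re.compile(r"\b(malware|hacked|rdp|keylogger|trojan|spyware)\b", re.I),
    "video_claim": re.compile(r"\b(webcam|porn|recorded|recording)\b", re.I),
    "contacts_threat": re.compile(r"\b(contacts|relatives|coworkers|friends)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
    "tracking_pixel_claim": re.compile(r"\bpixel\b", re.I),
}

# Constructed sample in the shape of the scam message quoted on this page.
SAMPLE_SCAM = """From: alice@example.com
To: alice@example.com
Subject: alice - hunter2

You don't know me, but I know your password is hunter2. I placed a malware
on a porn site and my keylogger recorded your webcam. I have all your
contacts. Pay $1400 to 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 within 24 hours.
I have a unique pixel in this email, so I know you have read it.
"""

# Constructed benign message that shares a couple of words with the scam.
SAMPLE_BENIGN = """From: bob@example.com
To: alice@example.com
Subject: Recording of Tuesday's all-hands

Hi Alice, the recording of the webinar is ready; it will be available
for 7 days on the intranet.
"""


def message_text(raw: str) -> tuple:
    """Parse a raw RFC 822 message; return (message, subject + plain-text body)."""
    msg = message_from_string(raw)
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                payload = part.get_payload(decode=True) or b""
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        body = "\n".join(parts)
    else:
        body = msg.get_payload()
    return msg, msg.get("Subject", "") + "\n" + body


def triage(raw: str) -> dict:
    """Score a message for sextortion tactics and return the evidence found."""
    msg, text = message_text(raw)
    hits = [name for name, rx in SIGNALS.items() if rx.search(text)]
    btc_addresses = sorted(set(BTC_RE.findall(text)))
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    # The Guardian excerpt below describes this trick: From: set equal to To:
    # so the victim appears to have mailed themselves.
    self_spoofed = bool(sender) and sender == recipient
    # A payment address is the strongest single indicator, so it weighs double.
    score = len(hits) + (2 if btc_addresses else 0) + (1 if self_spoofed else 0)
    return {
        "signals": hits,
        "btc_addresses": btc_addresses,
        "self_spoofed": self_spoofed,
        "score": score,
        "verdict": "likely sextortion scam" if score >= 5 else "no strong signals",
    }


if __name__ == "__main__":
    for label, sample in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The score threshold of 5 is an assumption chosen so that a message needs several of the listed tactics, or a tactic plus a payment address, before it is flagged; the benign sample trips two generic words (“recording”, “7 days”) and stays well below it. In practice the extracted Bitcoin addresses are the most useful output, since the Krebs excerpt below notes that the address is usually the only thing that changes between waves, so a blocklist of seen addresses catches repeats that wording changes would otherwise slip past.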

Further Reading

Here are some articles to learn more about this particular email extortion scam.

  • Business Insider, Kif Leswing, 28 Jul 2018 – 1:57 PM. Excerpt: “Basically, the attackers don’t actually have video of you or access to your contacts, and they haven’t been able to install malicious code on your computer. In reality, they’re taking a password from a database that’s available online, sending it to you, and hoping you’re scared enough to believe their story and send them bitcoin.” [More…]
  • KrebsOnSecurity, Brian Krebs, 12 Jul 2018. Excerpt: “The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded.” [More…]
  • The Guardian, Jack Schofield, 17 Jan 2019 – 2:00 PM. Excerpt: “Most email services have no way of authenticating the From: and Reply to: fields in email messages, so spammers can fill these fields with anything they like. Your attacker simply made the From: address the same as the To: address, so it looked as though you had sent the email yourself. You hadn’t.” [More…]