Email Extortion Scam
This article describes an actual extortion scam. The scammer claims to have hacked an internet router and placed malicious code in it. Access to a computer operating system and files led to an alleged discovery of content, or evidence of online activity, which you would prefer remain hidden. This is then used in a threat - if payment is not made in Bitcoin then a video will be released to email contacts.
In some instances the email containing this threat may even appears to come from yourself, which gives credibility to the claim that your own email has been hacked.
Three variations of the same threat are shown below (all are real), with comments and useful information added on the right. This is followed by a technical analysis.
The text below is the content of an email received. In this instance, the sender used a valid email address and the email body was plain text.
I am a hacker who has access to your operating system.
I also have full access to your account.
I've been watching you for a few months now.
The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain.
Trojan Virus gives me full access and control over a computer or other device.
This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it.
I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware?
Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched.
With one click of the mouse, I can send this video to all your emails and contacts on social networks.
I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this,
transfer the amount of $500 to my bitcoin address (if you do not know how to do this, write to Google: "Buy Bitcoin").
My bitcoin address (BTC Wallet) is: 19MKVz5jTzrwXHmnPKyzKJrKzubGk7ybR2
After receiving the payment, I will delete the video and you will never hear me again.
I give you 50 hours (more than 2 days) to pay.
I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address.
I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
Several threats are made in the content of this email. Several are based on plausible events:-
- A personal computer can be hacked by an unknown person via the Internet. Some hackers use port scanners which probe a range of IP addresses looking for vulnerabilities. Another method is to use a connection made during file sharing, downloads using torrent software, browsing adult sites, or some other online activity which involves risk.
- A person with access to a computer could install software called a key-logger which will trap the text of passwords as they are typed, thus enabling access to the operating system and other files.
- Software called a Remote Access Trojan can be used to access a webcam.
- If a hacker has gained access to your operating system then it may also be possible for them to access your email client or database containing contacts/
There are things that can be done to reduce the probability of any of these events occuring, which includes (but is not limited to):-
- Keep your operating system up to date.
- Use a firewall, and periodically check the firewall rules.
- Use a quality anti-virus software and internet security suite.
- Scan your whole system for vulnerabilities and do not rely only on automatic scans.
- Use strong passwords.
The text below is similar to Example 1, but a little more 'personal'. The date and the recipient email address which were both valid, have been redacted (removed) as shown.
I have very bad news for you.
[Date Redacted] - on this day I hacked your OS and got full access to your account [email address redacted]
So, you can change the password, yes... But my malware intercepts it every time.
How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $749 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!
Pay ONLY in Bitcoins!
My BTC wallet: 14qdpR8q1hkrm1rEmJYS6hcC4RyotdwGV5
You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy
For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.
After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".
I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (this is impossible, sender's address was randomly generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.
P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker
I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.
Do not hold evil! I just do my job.
Have a nice day!
If you received an email similar to the example on the left, and knowing that many of the claims made are possible, what would be the probability that your system was compromised as described? The email is real, but is the threat real?
The assumption that the recipient has something to hide - their online perverted activity - is a gamble by the scammer. In some, perhaps many, cases it will be true! If the recipient really does have something they would prefer to hide from their partner, family, friends or employer then the threat might just work!
If your online activities do involve some risk, then consider using a virtual machine (which can easily be trashed and rebuilt if compromised); and a virtual private network (VPN); or both.
If you received this email quite likely your heart rate would be up by the time you reached the end Have a nice day! So pause and take stock, reflect on past online activity and consider 'Is this a credible threat?'
Information which may assist in evaluating the threat level is provided with Example 3, below.
In this example the email body or content was actually an image which has been saved and reproduced here.
The more worrying aspect of this email is not the content however, it is the claim that the email was sent from within the recipient's own account, implying that the email account had been hacked. However, this can be done by a technique called email spoofing which is described in the analysis below.
The text of this email is contained in an image. All of the mis-spellings and conjoined words (no spaces) are exactly as sent by the scammer.
In terms of 'is this a credible threat' the use of an image including obvious mistakes does seem to point to someone for whom English is a second language, which does not diminish the threat level; or someone who is replicating a strategy designed by someone else. Someone trying it out for themselves without really knowing what they are doing.
So what else can we learn about the sender?
Some email client software, and some webmail interfaces, enable a logged-in user to 'View Source'. This feature reveals content in the email header. Instead of simply seeing the address From: email@example.com the header contains information about the sender, the domain name servers used by the sender, and possibly an email address for the domain registrant.
In Example 3, the header included several email addresses @windaka.com. It is possible to find out who owns this domain by using a service called whois. The website www.whois.com/whois/ is one of several online services which provide domain information.
A whois lookup showed that the domain windaka.com is registered in Beijing.
The email header also included the dns address 18.104.22.168. Using the whois lookup again revealed that the dns server is managed by China Mobile Communications Corporation, which is described as a 'Mobile Communications Network Operator in China' and an 'Internet Service Provider in China'.
So, this email was sent from China; possibly from a mobile phone - which would explain a preference for using an image instead of typing the content; and therefore probably from a person for whom English is a second language.
Does this information lower the threat level?
Yes. And the information from whois also provides an email address firstname.lastname@example.org which could be used to report the scammer.
So how did the email appear to come from my own account? This is a technique called email spoofing. If this email had been sent from my own account then the dns server address would match one of the dns servers used by the email service provider. Instead, as shown by the whois lookup, the sender's domain and my email domain do not match. The article How to Tell if an Email Has Been Spoofed provides a good explanation.
Scamwatch is part of the Australian Competition and Consumer Commission (ACCC).
Scamwatch provides information about different types of scams, how to get help, and how to report a scam.
Scamwatch website: https://www.scamwatch.gov.au/
Just for interest, let me tell you that I received an email (a genuine one this time) from an ISP admitting that 'An attacker exploited a vulnerability present in the third party email marketing application to gain unauthorised access to send out spam email.... The customer details accessed was limited to name, email address, company name and in some cases customer account number. No credit card or password information has been accessed.' The email went on to describe the actions subsequently taken. Of the several email accounts I operate via that ISP only one seems to have been exploited by the hackers. That account had only two users: one received all of the threatening emails like the examples above; the other received a considerable amount of spam. The threats have come mostly from the USA, China and Nigeria. The spam has come mostly from Russia, a few other European countries, and Taiwan. So once the email addresses were obtained they have been propagated among would-be hackers and extortionists world-wide.
And I basically ignored each threat. Although I did report one to see what, if anything, would happen.
This article is provided as information only. Anyone who has received a threat such as those described above should evaluate their own risk and determine their own strategy. An Internet Service Provider may be able to provide advice, and in Australia the Scamwatch website may be helpful too.
Information relating to Internet security changes rapidly. Use a search engine and keywords such as keylogger, remote access trojan, webcam hacking, email spoofing, ransomware, malware etc. to learn more.