Email extortion scam


#1

I routinely receive scam emails, most of which are automatically filtered by my internet service provider, with many of the remaining being automatically filtered by my email client. However, one which landed in my inbox last week caught my attention because it cited my credentials - i.e. a login/password combination that I use - in the subject line and in the body of the email.

The email content was a long dissertation claiming to have placed malware on an unnamed but disreputable website which the blackmailer claimed I visited. This malware purportedly enabled the web browser to operate as a “remote desktop with a keylogger”, supposedly allowing him to view my display screen, access my web cam to videotape me, and to access details of all of my contacts.

The blackmailer threatened to release an embarrassing video to all of my personal contacts unless I paid $7,000 in Bitcoin, exhorting me to “think about regarding the humiliation that you receive”.

Naturally, I just deleted the email, but it strikes me that this strategy of inflicting shame and mortification is probably quite successful for blackmailers by embarrassing potential and actual victims into remaining silent.

So I’m using this opportunity to get the message out there to people not to believe the assertions of such emails and certainly not to give in to threats like this.

A former colleague who recently migrated to Australia received a phone call purportedly from the Department of Immigration advising him that his visa application - previously approved - was now deemed to be invalid due to a clerical error. He recognised the caller ID as the Department of Immigration’s phone number so believed the call to be legitimate. He was told that, if he paid a substantial fee via cash transfer, the matter would be resolved. He paid it and it turned out to be a scam. This was a matter of considerable embarrassment to him, let alone the financial loss, though he did report the matter to Police.

In my case, the credentials referenced are those I use for various recruitment websites so my credentials and contact details were probably harvested from the recent PageUp data breach. I’ve since trawled through the sites and changed my password. At the time I received the email, I reported it to ScamWatch.

On the evening after receiving the email, my landline - which rarely makes a peep - was ringing hot. I have no idea if it was my dear extortioner (who had given himself the charming moniker of “Vilhelm Grabar”) but I didn’t bother answering the phone.


#2

Scammers are becoming more sophisticated as people become aware of past scams and less likely to be tricked. They evolve their methods to try and keep ahead of public knowledge of current scams.

One practice worth adopting is never to provide any private details (including credit card or other payment details) to anyone who makes contact through email or phone (unsolicited contact). This removes the opportunity to provide such information to scammers.

One should only provide any such details if one contacts the business/organisation directly using contact details from the phone book, invoices/correspondence one has received on a regular basis in the past, or from a website where one enters the address in the browser web address bar.


#3

The phone book. I remember it well :laughing:


#4

I have a simple rule with respect to emails. If it’s not expected, i.e. not from relatives, friends or businesses I deal with, or has a subject that implies I need to read the email or action it, I simply drag the unopened email to my junk email folder where I can safely open it and check the sender details, the email header properties and any links in the email for suspicious values. If it’s a legitimate email, it gets dragged back into my inbox. It doesn’t take long and I now find I only have to do this a few times a week as I’ve built up experience identifying suspect emails.
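The checks described in this post (sender details, header properties, links) can be done mechanically on the raw message. The following is an added example, not code from the thread or from any email client; it uses only Python’s standard library and a constructed sample message (the addresses, hosts and password value in it are invented). It reports three of the indicators mentioned in the thread: a Reply-To that differs from the From address, link text that shows one host while the href points at another, and a 1x1 tracking image of the kind the quoted scam email boasts about.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (invented headers, hosts and password; not a real scam email).
SAMPLE_RAW = """\
Received: from mail.example.invalid (unknown [203.0.113.7])
  by mx.example.invalid with ESMTP id ABC123
From: "Recruitment Portal Support" <vilhelm@example.invalid>
Reply-To: <payments@another.example.invalid>
To: victim@example.invalid
Subject: I know your password: hunter2
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I am well aware hunter2 is your pass.</p>
<p>Update your details <a href="http://203.0.113.7/login">https://recruitment.example.invalid/login</a></p>
<img src="http://203.0.113.7/t.gif?id=42" width="1" height="1">
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and the src of any 1x1 image."""

    def __init__(self):
        super().__init__()
        self.links = []   # (href, visible link text)
        self.pixels = []  # src attributes of 1x1 images
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href = a["href"]
            self._text = []
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.pixels.append(a.get("src", ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw):
    """Parse a raw RFC 5322 message and return the sender details plus a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Display name versus the resolved address: the name is free text chosen by the sender.
    from_name, from_addr = parseaddr(str(msg["From"]))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"reply-to ({reply_addr}) differs from from ({from_addr})")

    # Received headers, top one being the last relay that handled the message.
    received = [str(h) for h in msg.get_all("Received", [])]

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            text_host = urlparse(text).hostname or ""
            # Visible URL text that does not match the real target is a classic lure.
            if text_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points at {href_host}")
        for src in collector.pixels:
            findings.append(f"1x1 tracking image loads from {urlparse(src).hostname}")

    return {"from_name": from_name, "from_addr": from_addr,
            "received": received, "findings": findings}


if __name__ == "__main__":
    report = analyse_message(SAMPLE_RAW)
    print(f"From: {report['from_name']!r} <{report['from_addr']}>")
    for line in report["findings"]:
        print(" -", line)
```

Parsing the message this way never renders the HTML or fetches the images, so the tracking pixel is reported rather than triggered; that is the property a junk folder that disables remote content is meant to give you.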


#5

Curious, what makes your junk/spam folder ‘safer’ than any other folder? Most email clients just label an email junk/spam to categorise them, and many flag emails as suspicious no matter what folder they might be in.


#6

Under what circumstances are macros, scripts etc prevented from running and attachments locked up so they cannot be opened?


#7

I received a similar one recently - as have a couple of my contacts.

I think your point is well made that it is a scam, and extortion - and to avoid any doubt nothing I’m about to write will change that - if people receive these, ignore them … certainly do not panic or pay anything to anyone … but there is one thing you might be able to follow up on …

Here’s an example of the email so people know what we are talking about:

I am well aware XXXXXXXXXXXX is your pass. Lets get straight to purpose. No-one has compensated me to check you. You don’t know me and you’re most likely thinking why you are getting this email?

In fact, I actually installed a malware on the 18+ streaming (porn material) web-site and guess what, you visited this site to have fun (you know what I mean). When you were watching videos, your web browser began working as a Remote control Desktop that has a key logger which gave me accessibility to your screen as well as web cam. Immediately after that, my software program obtained your complete contacts from your Messenger, social networks, and email . After that I created a double video. First part displays the video you were watching (you’ve got a nice taste rofl), and second part shows the recording of your cam, and its u.

You do have a pair of choices. Why dont we study the options in aspects:

First option is to dismiss this message. In this situation, I most certainly will send out your video recording to all your your contacts and visualize regarding the disgrace that you receive. And likewise in case you are in a loving relationship, precisely how it will eventually affect?

Number 2 choice should be to compensate me $1000. Let us regard it as a donation. Subsequently, I will asap remove your video footage. You could keep going on everyday life like this never took place and you would never hear back again from me.

You’ll make the payment through Bitcoin (if you do not know this, search for “how to buy bitcoin” in Google search engine).

BTC Address: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[case-SENSITIVE, copy and paste it]

Should you are making plans for going to the law, anyway, this mail can not be traced back to me. I have taken care of my steps. I am also not looking to charge a fee a lot, I want to be compensated. You have one day to make the payment. I have a specific pixel within this e mail, and now I know that you have read through this e mail. If I don’t receive the BitCoins, I will, no doubt send your video to all of your contacts including relatives, co-workers, and many others. Having said that, if I receive the payment, I will destroy the video right away. It is a non:negotiable offer, so don’t waste my time & yours by responding to this e mail. If you want proof, reply with Yeah and I will certainly send out your video recording to your 8 friends.

So the part that might be actionable is this - in my case, and that of my contacts, we use passwords that are unique to the sites we access. The password quoted in each of our cases was correct for the same site we have all used - a well known computer parts retailer based in Queensland.

One of my contacts has raised this with the business concerned, and while they have acknowledged receipt of the report there has been no action so far to notify customers. It seems fairly clear that information they store about their online users has been compromised.

He is keen to see them do the right thing. I’m not so patient.

This is a good example where the use of unique passwords both protects you against multi site attacks by others and informs you of who not to trust :wink:

My main concern is where they are opened. For me, email (or anything else for that matter) that is particularly ‘interesting’ is always examined in complete isolation on a burnable test bed … That said, it has to be very interesting to be bothered.


#8

I use Microsoft Outlook 2016/365 as my email client on both my PCs and phone. The Junk Email folder automatically disables hyperlinks and attachments and displays the fully resolved email address, which is often different to the displayed address. According to Microsoft, suspect emails are safe to open in the Outlook Junk Email folder, and many years of using Outlook has never seen any issues with opening suspect emails in the Junk Email folder. I rarely use web browsers to open emails and never open anything that I think might be suspicious until I am able to use Outlook to help me screen them.


#9

That is part of my question. In what way does the “where” influence the range of possible actions, especially in the context of spam or junk folders?


#10

I think that is a very good question. As one who has worked in the hosting/content provision/etc world, the multinational outsourcing world, and other worlds I’m not at liberty to talk about - I fear for the ‘normal person’ as such; it is so hard to know what to do and how to react/respond, if not impossible. Let alone the know-how to set up test beds that offer easy and quick access to evaluate even the remotest threat in a safe way. For people who have tackled security issues over a decade or three it’s something you do while cooking the rice, but for the average person, they have no clue - nor should they - they could be a brilliant person in their chosen field, but they can’t be expected to be an IT security expert, or whatever that means. So as ‘Fox’ would have said - “TrustNo1” - good advice, and my mother is constantly telling me how she’s taken my advice and harassed-back some offshore call-centre dude who tried to convince her of some cr*p and/or how she’s challenged someone who sounded legit but they asked for some details that were personal. Yes, 80-something year old people can ‘get it’ - but I’d never ask her to set up an isolated burnable test environment to assess risks of some payload or exploit :slight_smile:

If I read between the lines of your posting, I’d have to agree that paranoia is a reasonable response to most if not all of this online assault on our money/privacy/webcam/etc - and while I don’t like the word paranoia, let’s call it cynicism, distrust, whatever - it seems to be the safest mode for the vast majority of people. It is probably what I have effectively taught my mother - yet she was my cynicism guru :wink: Maybe that makes the teacher a good student … what goes around …


#11

Conclusion: @iam_61 has his ‘hand on the mouse’ if he has set/confirmed all of the ‘protections’, but from the myriad Google hits they are not automatically defaulted, Outlook version dependent. My conclusion is that anyone using Outlook (or any email client) still needs to check that their rules are set accordingly and not accept the vendor’s statements of what ‘can be done’ as compared to what their installation ‘is doing’.

I could add some links but there are so many, Outlook (Office) version dependent, so anyone using Outlook might do well to google ‘outlook 20xx spam’ or so on. As I wrote, Outlook is essentially an A380 solution for a Piper Cub problem, although businesses love it because of its formal support (chuckles) and workflow integration and management features, e.g. lots of menus and boxes to tick or untick as the case may be.

A few random hits, 2007, 2013, 2016/365 and another for 2016/365.


#12

So the answer is if you told me then you would have to kill me. All I wanted was to know if the different ways of handling, isolating or identifying emails actually do anything to prevent dangerous payloads from being delivered.

I agree that using an isolated test environment to examine doubtful email is not practical, but that wasn’t the question. Do junk folders, spam folders, virus vaults etc. that come with commercial email clients and virus checkers do anything useful or not? If so, how useful?


#13

That wasn’t your question either. Your question (initially) was:

In my response, I strongly implied there is no guarantee they can’t be opened. You then ‘clarified’ the question with:

Which I also responded to, strongly implying that anyone without the resources to assess should simply take the advice of the software and/or classification and delete. Admittedly I used a lot more words.

I hope that clarifies my responses.


#14

I am surprised that the scammer would have chosen a computer parts business as the claimed source of the information as not that many people buy their wares.
I would have expected them to choose something with wide spread appeal such as Facebook so as to have a greater chance of correctly guessing where you might visit, especially after the recent Facebook data breaches.
Likewise, choosing Qld which represents only around 20% of the Australian population also limits their chance of correctly guessing where you live.
Perhaps the scammer did establish that you buy computer parts and live in Qld, not from the computer shop’s database but through social media.
Judging by the grammar, it certainly appears that this person’s main language is not English.


#15

Hi Fred,

Draughtrider had attributed the hacked credentials to the computer parts retailer because he/she uses unique passwords for each site. Therefore, if the credentials show up in a breach (in this case a scammer demonstrated knowledge of the password), it’s traceable to the only site for which draughtrider had used that password.

That’s the reason why many security experts recommend the use of unique passwords for different sites - to mitigate your risk in the event your credentials are breached. In my case, I didn’t follow that recommendation and I used the same password for all of the careers/employment sites on which I had created accounts when I was looking for work. I only have low-level information on those pages so a breach of the credentials doesn’t pose a big risk to me. However, when my credentials appeared in the scammer’s email, I had to trawl through all of those sites and change my passwords - a time-consuming task!

Hackers know that many people re-use the same password across multiple accounts. Therefore, if they are successful in hacking users’ credentials from some obscure system, there is a probability that the same credentials can be used to access other, more “attractive” target systems.

Hackers’ motivations may vary and some may target a system on the basis that it is easier to compromise, and just for the heck of it, or to impress peers.

The hacker and scammer are not necessarily the same party.

There is an Australian security expert by the name of Troy Hunt who gathers hacked credentials which are in the public domain, aggregates them in a database and provides a free search tool on this site: “have I been pwned?”: https://haveibeenpwned.com/

If I enter my email address into that tool, it shows up in a list of breaches in which my credentials were stolen and disclosed. In some cases, the stolen password was encrypted but using a loose encryption methodology, hence weaker security. I already know about some of these breaches because the sites alerted me at the time (LinkedIn is one example). I’ve long since changed the passwords but it’s interesting to know where my credentials have been hacked. One example is “QuinStreet” - I’ve never heard of this organisation. However, one of the technology forums QuinStreet hosted was “codeguru.com” and I did have an account on that site.

So the take-home message is:

  • ideally: don’t re-use the same password on different sites;
  • use complex passwords;
  • routinely update your passwords.

Regards,
Margot
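Margot’s post describes looking an email address up on haveibeenpwned.com. The same site also publishes a password lookup that works without the password ever leaving your machine: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known suffix starting with that prefix together with a breach count, so the match is made locally. The following is an added example, not code from the thread or from Troy Hunt’s service, that implements that client-side matching; the range response it uses is a constructed stand-in (two invented lines) so the script runs offline, and the URL above is an assumption about the live service rather than something this thread states.

```python
import hashlib

# Constructed stand-in for a range response: "<35-hex-char suffix>:<count>" per line.
# The second line is the real SHA-1 suffix of the string "password"; the first line
# and both counts are invented for this example.
FAKE_RANGE = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent to the
    service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response for our suffix and return its breach count (0 if absent)."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Return how many times the password appears in the breach corpus.

    fetch_range(prefix) must return the text of the range response for that prefix;
    only the prefix is ever passed to it, never the password or its full hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix):
    """Offline stand-in for the HTTP call; returns an empty range for unknown prefixes."""
    return FAKE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xyz"):
        n = check_password(pw, offline_fetch)
        verdict = f"seen {n} times in breaches" if n else "not found"
        print(f"{pw!r}: {verdict}")
```

Any password that comes back with a non-zero count should be treated as burned, regardless of how strong it looks, which is the situation both the original poster and draughtrider were in once the scammer quoted their credentials. To query the live service, replace `offline_fetch` with a function that performs the GET request and returns the response body as text.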


#16

Hi Margot,
Thanks for your effort and the tip regarding https://haveibeenpwned.com/ website.
I just tried my main email address and my Hotmail address and neither one has been affected.


#17

@TheBBG I agree with your comments. It doesn’t matter what one uses to manage emails, when it comes to security, knowing the default settings, how to change them and why should be a high priority to learn.

As for using Outlook as my email client, I use it every day at work, so being essentially lazy and already having Office licenses for my home computers, I can’t be bothered learning another client. :wink: :smile:


#18

This is why it is important to use one of these to manage ones passwords:

Choice has also reviewed password managers in the past (member content):

We currently have 111 separate website logins and there is no way one could remember so many without using the same one (which would be disastrous should one login be exploited by a hacker).


#19

I had the exact same thing happen to me - an attempt to extort $7000. I am unashamed to say that they reported, in poor English, to say they had evidence of me watching porn. Obviously there was no such evidence as I am abhorred by such behaviour. However they did possess a password I have used. About a month before this email I found I couldn’t get into my Amazon account. I had to ring the USA and get it changed back to my email address with a different password. I am very sure that is how this scammer obtained my password and threatened me, feeling this would be enough to convince me to pay. The new owner of my Amazon account had a Russian email address. I did not respond to this email either.

I too have had much more ‘junk’ in my inbox as I guess selling on my details was a benefit to the perpetrators.

All I can say is that leaving ‘accounts’ open on your home computer is not as safe as you may think. Since this incident I try to be vigilant to log out of all my accounts, as obviously people do have the skills to enter open accounts and take your details.


#20

Unless the recipient already had an account on a cryptocurrency exchange with $1000 of funds, there is no way that a one-day deadline could be met.
Setting up an account requires proof of ID and validation (2-14 days); once approved, funds must be transferred to the account (with Osko this could be done immediately; with BPay transfers, funds are processed after the next weekday evening). So it would take a minimum of 2-3 days before a BTC payment could be made.

So while a crypto holder could theoretically panic and pay up in time, a crypto-newbie could not possibly meet the deadline. And since these scammers never email back, once the deadline had passed with no consequences, hopefully most people would realise the threat was not genuine.