By now, most Internet users have heard about ransomware and ransom requests sent via the Internet. For
spammers who lack sufficient hacking skills, it is a simple matter to attempt a scam in which they pretend
to have hacked your computer and demand payment of a ransom for not spreading private videos of you in
"compromising" situations in front of your webcam. In the vast majority of cases, they have no
video and have not hacked your Facebook account or computer; they are only hoping that you are
sufficiently anxious about the video being sent to your contact list that you will pay without
analyzing the situation and the likelihood that what they say is true.
For example, this is a ransom request I received very recently:
[Image: text of the ransom request.]
A first thing to note is that the text of the ransom request was sent as a JPG picture, probably to
avoid the message being flagged as spam. My e-mail software (Thunderbird) did flag it as probable spam
anyway, because the message contains only a picture and no text.
Further points of interest:
The text contains a large number of grammar, syntax and spelling errors, as well as poor general English
form. It was obviously not written by a person with a significant education, let alone formal training
in writing. Judging from the wording, the writer is "most probably" not a native English
speaker but a West African. The writer even tacked a question mark onto the end of the last sentence,
where it makes no sense. Easily observable technical details in the message source show that the ransom
demand was sent from an Android device, which would not be my first choice for careful word processing.
At a superficial glance, the e-mail does appear to come from one of my e-mail accounts. However, a
quick examination of the logs on my e-mail server shows that no such message was sent from my account.
The sender merely spoofed my address, which is a rather simple thing to do and can be scripted by
exploiting an insecure e-mail relay (so that the same message can be sent automatically to a long list of
addresses). This is a first indication that the message is in fact just a mass mailing, no different
from spam.
The ransom request contains absolutely no proof that the sender is in possession of any private
information on the recipient (or any information at all, except the e-mail address, which in my case
is publicly available). Probably hundreds of millions of persons in the world engage in solitary sex
and/or visit porn sites (and neither of these activities is a crime), so it is easy for the sender to
cast a wide net in the hope of netting a few easily embarrassed persons. I do not visit porn sites except
by mistake or by following misleading links, and normally I don't have a webcam connected to my
computer, which makes the claims in the ransom demand even more unlikely.
A careful examination of the source of the e-mail message shows that it does not contain any link
to Facebook. It contains only the picture shown above, embedded in the message body as an encoded binary
attachment. The claim that the sender is using "a Facebook pixel" to detect that the message has
been read is therefore an empty threat, and removes any remaining credibility from the ransom request. In
any case, most e-mail clients can be configured never to fetch web content automatically unless the user
gives consent. Thunderbird is configured this way by default, so it never automatically fetches
Internet content unless its configuration is manually changed.
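To make the three checks above concrete (who actually handed the message to my server, whether the visible From address matches the envelope sender, and whether the body contains anything that could act as a "pixel"), here is an added Python example of my own, not part of the original post, that runs them over two constructed messages using only the standard library's email package. The hosts, IP addresses, message IDs and the second "newsletter" message are invented for the example; the first message is modelled on the structure of the ransom e-mail (spoofed From, third-party relay, a single inline JPEG).

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed sample, modelled on the ransom e-mail: the From address is the
# recipient's own, the Return-Path and Received hops point at an unrelated
# relay, and the only MIME part is an inline JPEG. All hosts and IDs are invented.
JPEG_STUB = base64.b64encode(b"\xff\xd8\xff\xe0" + b"\x00" * 16).decode()
RAW_IMAGE_ONLY = """Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.10])
\tby mx.example.org with ESMTP id abc123; Mon, 1 Jan 2018 10:00:00 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with ESMTP; Mon, 1 Jan 2018 09:59:58 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=relay.example.net;
\tdkim=none
From: victim@example.org
To: victim@example.org
Subject: This account has been infected!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="notice.jpg"
Content-Transfer-Encoding: base64

""" + JPEG_STUB + "\n--b1--\n"

# Second constructed sample: an HTML message carrying a 1x1 remote image,
# i.e. the kind of tracking pixel the ransom note claims to use.
RAW_HTML_PIXEL = """Return-Path: <news@example.org>
From: news@example.org
To: victim@example.org
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p><img src="https://tracker.example.net/p.gif" width="1" height="1"></body></html>
"""


def parse_message(raw: str) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern (non-compat32) policy."""
    return email.message_from_string(raw, policy=policy.default)


def domain_of(header_value) -> str:
    """Domain part of an address header value, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_chain(msg: EmailMessage) -> list:
    """Received headers oldest hop first (each MTA prepends its own, so reverse)."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def auth_results(msg: EmailMessage) -> dict:
    """spf= / dkim= / dmarc= verdicts from Authentication-Results, if any."""
    text = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text)}


def part_types(msg: EmailMessage) -> list:
    """Content types of the leaf MIME parts (multipart containers skipped)."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]


def has_remote_content(msg: EmailMessage) -> bool:
    """True if any text part references a URL, i.e. could fetch a tracking pixel."""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and re.search(r"https?://", part.get_content()):
            return True
    return False


def analyze(raw: str) -> dict:
    """Summarise the header and structure checks for one raw message."""
    msg = parse_message(raw)
    from_domain = domain_of(msg["From"])
    bounce_domain = domain_of(msg["Return-Path"])
    types = part_types(msg)
    return {
        "from_domain": from_domain,
        "return_path_domain": bounce_domain,
        "spoof_suspected": from_domain != bounce_domain,   # visible From vs. envelope sender
        "auth": auth_results(msg),                          # what the receiving MX concluded
        "hops": len(received_chain(msg)),
        "parts": types,
        "image_only": bool(types) and all(t.startswith("image/") for t in types),
        "remote_content": has_remote_content(msg),
    }


if __name__ == "__main__":
    for name, raw in (("image-only ransom note", RAW_IMAGE_ONLY), ("html with pixel", RAW_HTML_PIXEL)):
        print(name, analyze(raw))
```

On the ransom-style sample the report shows a From domain that differs from the Return-Path domain, an SPF failure recorded by the receiving server, and a body whose only part is an image, so there is nothing in it that could phone home when the message is opened. The newsletter sample shows the opposite: a matching envelope sender and an HTML part with a remote image. Both verdicts come from the headers and MIME structure alone; no network access is needed.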
The instructions to "copy and paste" [the Bitcoin wallet address] make no sense, since one
cannot copy text to the clipboard from an image. This proves that the ransom demand was written hurriedly,
without much attention to simple logic and common sense. It also makes it difficult or impossible
for inexperienced users, who are the most likely to be fooled by this ransom demand, to follow the
instructions and make the payment before having time to think twice.
One detail worth mentioning is the "co-workers" in the last sentence. Most people have
co-workers, but I have none: I am retired. One more detail showing that this is not a true ransom
request, but just a variety of Nigerian letter/spam.
One thing that may help to identify the would-be scammers or link them to other ransom demands is their
Bitcoin wallet address. I can easily tell, for example, that at the time of writing the Bitcoin
wallet of the spammers has not received any transactions, so their goal has failed (at least with this
wallet):
[Image: transactions on the spammers' Bitcoin wallet.]
I am pasting below the ransom request OCR-converted to text, including the address, so that it can be
indexed by Google Search and other web crawlers and made available in public web searches. This might be
useful to others who have received ransom demands with a similar text and/or the same Bitcoin wallet
address:
This account has been infected! Modify your password immediately!
You probably do not heard about me and you may be most probably wondering why you're reading this email,
right?
I'm hacker who cracked your email box and all devices several months ago.
It will be a time wasting to attempt to talk to me or alternatively seek for me, it is hopeless, since I
directed you this message from YOUR account that I've hacked.
I developed malware soft to the adult vids (porn) site and guess you have spent time on this website to
have a good time (think you understand what I want to say).
While you have been keeping an eye on video clips, your browser started out operating as a RDP (Remote
Control) with a key logger that granted me authority to access your desktop and netvork camera.
Then, my software program gathered all info.
You entered passcodes on the sites you visited, I caught them.
Surely, you'll be able to change them, or possibly already changed them.
But it really doesn't matter, my program renews information every time.
And what I have done?
I compiled a reserve copy of your system. Of all files and contacts.
I formed a dual-screen videofile. The 1 part presents the film you had been watching (you have a very good
preferences, wow ... ), the 2nd screen displays the recording from your own webcam. What actually should
you do?
So, in my view, 1000 USD is basically a reasonable amount of money for our very little riddle. You will
make your payment by bitcoins (if you do not know this, search "how to buy bitcoin" in any
search engine).
My bitcoin wallet address:
1FKD6ujjGrh2vY4nPaxyUJTRpAKq7qpDjH
(It is cAsE sensitive, so copy and paste it).
Warning:
You have only 2 days to send the payment. (I built in an exclusive pixel to this letter, and right now I
know that you've read this email).
To trace the reading of a letter and the activity within it, I use a Facebook pixel. Thanks to them. (That
which is applied for the authorities may also help us.)
If I fail to get bitcoins, I will certainly transfer your videofile to all your contacts, such as family
members, co-workers, and many more?
Needless to say, I simply ignored the ransom request except for sending a polite heads-up e-mail to an
e-mail service which, based on the e-mail headers, might have been hijacked to send the ransom
demand. Years have passed since the "deadline" of the scammers, and nothing further has
happened.
PS - After a few weeks, I received another e-mail, sent through a different insecure
e-mail relay to another of my e-mail addresses. This one was identical to the first, except for minor
spelling changes and a different Bitcoin wallet address (which also received no money so far).
Thanks to the original wallet address listed above having been reported to bitcoinabuse.com by multiple
users, and to the second e-mail I received, we can tell that the would-be extortionist generates a new
JPG (from a slightly different text) for each batch of e-mails, but the Bitcoin wallet within each batch
of e-mails remains the same. Since the programmer has been lazy and the Bitcoin wallet address is re-used
across many e-mails instead of being unique for each one, we can tell that no one has fallen for this
particular batch of e-mails and paid the ransom.
This also proves that the would-be extortionists, within the same batch of e-mails, have no way to
find out who paid the ransom and who did not. Therefore, even if the spammers did have a
"compromising" video of a person, they would have no way to detect whether that particular
person had paid the ransom or not. In reality, they have no interest in knowing who actually paid, and
only hope that a fool or two will fall for the scam.
Yet another example
Here is a very similar fake ransom request. This example was delivered to me by bouncing an e-mail with a
spoofed "From" address off an e-mail server in Russia (and an identical copy off a server in China
within minutes of the first, which tells us this is a mass mailing using the same address list). The
actual e-mail was sent to a non-existent e-mail address (so that it would bounce back to my spoofed
address) through the networks of a South Korean and an Indian provider, respectively. My e-mail address is
publicly available, so anyone is welcome to attempt spamming it.
Come on guys, your message is way too wordy and long-winded. The more you say, the more obvious it becomes
that this is a collection of empty threats. Just say whatever you want to say in a paragraph or two,
save your time, and get it over with. Even better, get a real job that pays real money, instead of wasting
your lives trying to make money from old and tired mass-mailing tricks that have been known for decades.
An obvious giveaway: the text "I could effortlessly log in to your email account as well
(f0970115@kawkazrg.ru)". The message bounced off a Chinese server says "(gfjkb@swust.edu.cn)" in the same
place. These guys are too clumsy to realize that these are not my e-mail addresses, but the addresses they
used to bounce their e-mail off shoddily configured e-mail servers. If they cannot even get a simple script
right, what is the likelihood that they have been able to hack into someone's computer and plant
sophisticated tracking software?
Hello!
Unfortunately, I have some unpleasant news for you.
Roughly several months ago I have managed to get a complete access to all devices that you use to browse
internet.
Afterwards, I have proceeded with monitoring all internet activities of yours.
You can check out the sequence of events summarize below:
Previously I have bought from hackers a special access to various email accounts (currently, it is rather
a straightforward thing that can be done online). Clearly, I could effortlessly log in to your email
account as well (f0970115@kawkazrg.ru).
One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices,
which are used by you to login to your email. Actually, that was rather a simple thing to do (because you
have opened a few links from your inbox emails previously). Genius is in simplicity. ( ~_^)
Thanks to that software I can get access to all controllers inside your devices (such as your video
camera, microphone, keyboard etc.). I could easily download all your data, photos, web browsing history
and other information to my servers. I can access all your social networks accounts, messengers, emails,
including chat history as well as contacts list. This virus of mine unceasingly keeps refreshing its
signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.
Hereby, I believe by this time it is already clear for you why I was never detected until I sent this
letter...
While compiling all the information related to you, I have also found out that you are a true fan and
frequent visitor of adult websites. You truly enjoy browsing through porn websites, while watching
arousing videos and experiencing an unimaginable satisfaction. To be honest, I could not resist but to
record some of your kinky solo sessions and compiled them in several videos, which demonstrate you
masturbating and cumming in the end.
If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with
your colleagues, friends and even relatives. In addition, I can upload them online for entire public to
access. I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff
exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it
will result in a complete disaster for you.
We can still resolve it in the following manner:
You perform a transfer of $1590 USD to me (a bitcoin equivalent based on the exchange rate during the
funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos
without hesitation.
Then we can pretend like it has never happened before. In addition, I assure that all the harmful software
will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.
It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your
profile as well as traffic over an extended period.
If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the
necessary information online.
My bitcoin wallet is as follows: 1MW4maqRuqi62YiRNMaBiHT65WJJMEAvQw
You are left with 48 hours and the countdown starts right after you open this email (2 days to be
specific).
Don't forget to keep in mind and abstain from doing the following:
- Do not attempt to reply my email (this email was generated in your inbox together with the return
address).
- Do not attempt to call police as well as other security services. Moreover, don't even think of sharing
it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I
have all your systems under my control and constant monitoring) - your dirty video will become public
without delay.
- Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain
anonymous.
- Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too,
because all your private videos are already been available on remote servers.
Things you should be concerned about:
- That I will not receive the funds transfer you make.
Relax, I will be able to track it immediately, after you complete the funds transfer, because I
unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes,
same as TeamViewer).
- That I will still distribute your videos after you have sent the money to me.
Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really
was my intention, it would happen long time ago!
It all will be settled on fair conditions and terms!
One last advice from me... Moving forward make sure you don't get involved in such type of incidents
again!
My suggestion - make sure you change all your passwords as often as possible.
And these guys' newly created Bitcoin wallet, unsurprisingly empty as of May 3, 2022. I will update this
page if the balance on this Bitcoin wallet changes.
As of May 6, 2022, it seems that three people have fallen for the fake ransom demand (the exact amounts in
USD vary a little, because the Bitcoin exchange rate keeps changing). A little more money has also come in,
which means that the wallet owners are using it for multiple purposes. Every new transaction on the same
wallet makes it a little easier to catch them, because the date, time and amount of each transaction make
it easier to find the one Bitcoin wallet that contains exactly this combination of transactions, with
these times and amounts. The more transactions, the more unique their combination. It is like
when the police discover a very small piece of a fingerprint (it tells very little, and could have been
made by lots of different people), and then a larger and larger piece of the same fingerprint, until the
whole fingerprint database contains only one possible match for the find.
Don't make a complete fool of yourself. Don't do like these three people. They have wasted their money for
absolutely no reason. Nothing at all would have happened to them, if they had simply gone on with their
lives and not paid. The would-be hackers never were in possession of any "compromising"
information, they were just hoping to catch a few fools ready to believe anything they were told.
As of May 7, 2022, this Bitcoin wallet has been reported 135 times on bitcoinabuse.com (now called
chainabuse.com), so the whole scheme is indeed a mass mailing. This is exactly what these
would-be hackers need to do since, like many others, they lack the skills and resources necessary to do
some real hacking.
Note - An earlier variant of this scam uses easily available databases of hacked social
media passwords to try and convince the recipient that the hacking pretense is real. See for example
the information on krebsonsecurity.com. Don't fall for this variant of the extortion either. In this case
too, the e-mail contains no convincing evidence that the spammers are in possession of any
"compromising" videos, and the simple possession of an old password is no such evidence.
You can see below a further example of a very similar extortion attempt, also sent as a mass-mailing.
This clumsy sextortion attempt is notable for a few things:
It was sent as text, instead of as a picture. To circumvent the spam filters, several characters in the
most obvious "giveaway words" have been replaced with Unicode characters that look
superficially similar to English characters.
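As an added illustration (my own example, not part of the original post), the following Python script detects this kind of look-alike substitution the way a content filter might: it flags words whose letters come from more than one Unicode script, and maps a small hand-picked table of confusable characters back to their ASCII twins so that the hidden "giveaway words" reappear. The sample lines, the keyword list and the confusables table are constructed for the example; the full inventory of look-alikes is Unicode's confusables.txt, of which this table is only a tiny sample.

```python
import string
import unicodedata

# Constructed sample lines modelled on the obfuscation described above: a few
# letters in the giveaway words are Cyrillic look-alikes (written as escapes
# so the substitution is visible in the source).
SAMPLE_LINES = [
    "Hello, I have some unpleasant news for you.",
    "I installed a tr\u043ejan on your device and recorded your w\u0435bcam.",  # Cyrillic o, ie
    "Send $1000 in bit\u0441oin to the wallet below within 48 hours.",          # Cyrillic es
]

# Hand-picked subset of Unicode confusables: look-alike -> ASCII twin.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0395": "E",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041e": "O", "\u0420": "P",
}

# Words a filter would look for in this kind of message (constructed list).
KEYWORDS = ("trojan", "webcam", "bitcoin", "wallet", "malware", "password")


def script_of(ch: str):
    """Rough script label taken from the Unicode name ('LATIN', 'CYRILLIC', ...); None for non-letters."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:          # unnamed code point
        return "UNKNOWN"


def mixed_script_words(line: str) -> list:
    """(word, scripts) for every word whose letters come from more than one script."""
    flagged = []
    for raw_word in line.split():
        word = raw_word.strip(string.punctuation)
        scripts = {s for s in (script_of(c) for c in word) if s}
        if len(scripts) > 1:
            flagged.append((word, tuple(sorted(scripts))))
    return flagged


def deobfuscate(text: str) -> str:
    """Map known look-alikes to ASCII, then NFKC-normalise (folds fullwidth forms, ligatures, etc.)."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in text)
    return unicodedata.normalize("NFKC", mapped)


def scan(lines) -> list:
    """Per line: the mixed-script words and the keywords that only appear after de-obfuscation."""
    report = []
    for line in lines:
        plain = deobfuscate(line).lower()
        revealed = [k for k in KEYWORDS if k in plain and k not in line.lower()]
        report.append({"line": line, "mixed_script": mixed_script_words(line), "revealed_keywords": revealed})
    return report


if __name__ == "__main__":
    for entry in scan(SAMPLE_LINES):
        print(entry)
```

The mixed-script test alone already catches the trick, because genuine English text almost never mixes Latin and Cyrillic letters inside one word; the de-obfuscation step is what lets an ordinary keyword rule fire on the same text. Neither check needs any knowledge of the sender.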
It is extremely wordy, to the point of being logorrheic. We can turn this to our advantage and take
apart, piece by piece, the credibility of the message:
It is unlikely (though not impossible) that my PC was compromised via RDP, because RDP is not
enabled on my PC (this leaves a connection via RDP possible only if the attacker already has an
administrator's password).
My PC is behind a firewall that blocks incoming RDP connection requests (among a great many other
things).
My ISP uses NAT between the Internet and its customers. The customers are assigned private IP
addresses, and all incoming connection requests from the Internet are simply dropped.
The attacker cannot have used my PC's webcam to collect "compromising" evidence, because
my webcam is physically disconnected and points toward a wall when not in use.
From the spammer's vague description, I can tell that the spammer has no clue about what I have or
have not been doing, so the spammer is just casting a wide net, hoping to catch some inexperienced
PC users. None of the things he mentions are violations of the law, in any case. The only
transgressions of the law are the spammer's.
The language used by the spammer suggests a native English speaker of average to high education level,
probably a teenager or young adult, experienced in writing English text with correct spelling,
punctuation and formatting (e.g. school essays). The text lacks the mistakes/misspellings commonly made
by poorly educated American English speakers. It contains nothing of the pidgin English characteristic
of Nigerians. Some of the expressions, however, would not be used by adult English writers with a
professional experience.
The Bitcoin wallet 1BrY4RnjzNdQDNxGmNTQQiFeVjxTw1cJuh has now been reported to
https://www.chainabuse.com/ (at the time of writing, 4 more reports in addition to my own, which is
further proof that this sextortion attempt is a mass mailing and not a targeted attack). The IP address
180.229.114.202, used by the spammer, leads to South Brisbane, Australia. The e-mail server is registered
under an Iranian domain name (bill.ir) but is actually located in a network administered by a London, UK
company.