The IT Nerd

Yesterday I got a panic call from a client who received a very scary email from someone who wanted Bitcoin or else they were some embarrassing videos would be released. This is of course the classic extortion phishing scam. But this one has a twist that makes it very scary. I have reprinted it verbatim with personal information redacted:

[NAME REDACTED], I suggest you read this message carefully. Take a moment to chill, breathe, and analyze it thoroughly. We’re talking about something serious here, and I ain’t playing games. You don’t know anything about me whereas I know you and right now, you are thinking how, right? I know that calling [PHONE NUMBER REDACTED] or knocking [ADDRESS REDACTED] would be a convenient way to contact you in case you don’t take action. Don’t even try to escape from this, I know where your family lives and you have no idea what all I can do in [CITY REDACTED]. You’ve been treading on thin ice with your browsing habits, clicking through those girlie videos and clicking on links, stumbling upon some not-so-safe sites. I placed a Malware on one such website & you visited it to have fun (if you know what I mean). And when you got busy accessing that website, my malware gave me total control over your device and your smartphone started out working as a RDP (Remote Protocol). I can look at everything on your display, switch on your camera to record you, and you wouldn’t even notice. Oh! you guessed it right, I have recorded you and I’ve got access to all your contacts, and social media accounts too. Been keeping tabs on your pathetic existence for a while now. It’s simply your misfortune that I saw your misdemeanor. I put in more days than I should’ve looking into your life. Extracted quite a bit of juicy info from your system. and I’ve seen it all. Yeah, Yeah, I’ve got footage of you doing filthy things in your house (nice setup, by the way). I then developed videos and screenshots where on one side of the screen, there’s the videos you were watching, and on the other part, it is your vacant face. With just a single click, I can send this filth to all of your contacts. Your confusion is clear, but don’t expect sympathy. Genuinely, I’m ready to wipe the slate clean, and allow you to get on with your life and forget you ever existed. I will give you two alternatives now. First Option is to turn a blind eye to my email. Y ou should know what is going to happen if you take this path. Y our video will get sent to your contacts. The video was lit, and I can’t even fathom the embarrasement you’ll face when your colleagues, friends, and fam see it. But hey, that’s life, ain’t it? Don’t be playing the victim here. Second wise option is to pay me, and be confidential about it. We will name it my “privacy fee”. Let’s discuss what happens if you choose this path. Your filthy secret remains your secret. I’ll wipe everything clean once you come through with the payment. You will make the payment by Bitcoin only. Pay attention, I’m telling you straight: ‘We gotta make a deal’. I want you to know I’m coming at you with good intentions. I’m a person of integrity. Amount to be paid: $ 2000 BTC ADDRESS: [BITCOIN WALLET ADDRESS REDACTED] (Copy it carefully) Once you pay up, you’ll sleep like a baby. I keep my word. And of course: You got one day to sort this out and I will only accept Bitcoins (I’ve a unique pixel in this email message, and now I know that you have read this mail). Once my system will catch that full Bitcoin payment, it’ll wipe out all the dirt I got on you. Don’t even think about replying to this or negotiating, it’s pointless. The email and wallet are custom-made for you, untraceable. If I suspect that you’ve shared or discussed this email with anyone else or online, the shitty video will instantly start getting sent to your contacts. And don’t even think about turning off your phone or resetting it to factory settings. It’s pointless. I don’t make mistakes, [NAME REDACTED]. Honestly, those online tips about covering your camera aren’t as useless as they seem. I am waiting for my payment.

This was sent in the form of a PDF. And that was likely done to evade spam filters which would look for keywords in the body of the email in order to filter out emails like this one. A PDF solves that problem for the threat actor as it is an attachment that at best is scanned to confirm that it isn’t malware, but isn’t scanned for keywords that would indicate that it is a scam.

What makes this specific scam email unique is that the threat actor is using the name, address, and phone number of the recipient. That’s something that I haven’t seen before, and I am sure that it would freak out anyone who receives such an email. The thing is that it isn’t hard to come up with this sort of information. Two methods that come to mind are a data leak of some sort where a threat actor gets their hands on this information to use it in a scam like this. Or via Open Source Intelligence which is the use of publicly available information. Threat actors can use this information to go after a target. In this case, I’m thinking that this came from a data leak. The sort of people who do these sorts of scams need to get thousands or tens of thousands of emails out there hoping that 1% fall for it which in turn results in a payday for the threat actor. Thus they don’t have time to use Open Source Intelligence to pick and choose their victims. This is strictly a numbers game for them. By the way, you can find out if your address has been part of a data breach by going to haveibeenpwned.com and typing in your email address.

As for the rest of the email, it has the usual traits of a extortion phishing email:

• The email claims that the threat actor has installed malware that has recorded you doing “naughty” things. Fun fact, anybody who was capable of creating malware of that sort would be working for a nation state employed to go after high value targets such as politicians and sensitive industries. They would not be trying to get Bitcoin from anyone that they send an email to. So the threat actor is lying about that.
• The threat actor claims that if you pay them, they will know about it and instantly delete everything. This is also false. Bitcoin transactions are anonymous. So there’s no way the threat actor would know who paid them. As an aside, I checked the Bitcoin wallet that was in the email and there was no Bitcoin in it. So at the time of writing, nobody has fallen for this. Yet.
• Next up is the purported use of the webcam to record the victim. It is possible to remotely take over a webcam in a laptop. So if you’re the least bit paranoid about that, cover yours with tape. Or you can disable it entirely. Ditto for the microphone as well.

Finally, I will leave you with two pieces of advice. If you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. It would also be a good idea to make sure your anti-virus is up to date and fully functioning as well.

And my final piece of advice is that under no circumstances should you pay up. It only encourages the scumbag threat actors, which in turn creates more victims. Thus don’t pay them. Ever.