The IT Nerd

A reader of this blog forwarded me yet another extortion phishing scam. Here’s what the reader got:

I am sorry to inform you but your device was hacked.

That’s what happened. I have used a Zero Click vulnerability with a special code to hack your device through a website.
A complicated software that requires precise skills that I posess.
This exploit works in a chain with a specially crafted unique code and such type of an attack goes undetected.
You only had to visit a website to be infected, and unfortunately for you it’s that simple for me.

You were not targeted, but just became one of the many unlucky people who got hacked through that webpage.
All of this happened in August. So I’ve had enough time to collect the information.

I think you already know what is going to happen next.
For a couple of month my software was quietly collecting information about your habits, websites you visit, websearches, texts you send.
There is more to it, but I have listed just a few reasons for you to understand how serious this is.

To be clear, my software controlled your camera and microphone as well.
It was just about right timing to get you privacy violated. I have made a few pornhub worthy videos with you as a lead actor.

I’ve been waiting enough and have decided that it’s time to put an end to this.
Here is my offer. Let’s name this a “consulting fee” I need to get, so I can delete the media content I have been collecting.
Your privacy stays untouched, if I get the payment.
Otherwise, I will leak the most damaging content to your contacts and post it to a public website for perverts to view.

You and I understand how damaging this will be to you, it’s not that much money to keep your privacy.

I don’t care about you personally, that’s why you can be sure that all files I have and software on your device will be deleted immediately after I receive the transfer.
I only care about getting paid.

My modest consulting fee is 1700 US Dollars to be transferred in Bitcoin. Exchange rate at the time of the transfer.
You need to send that amount to this wallet: [BITCOIN ADDRESS REDACTED]

The fee is non negotiable, to be transferred within 2 business days.

Obviously do not try to ask for help from the law enforcement unless you want your privacy to be violated.
I will monitor your every move until I get paid. If you keep your end of the agreement, you wont hear from me ever again.

Take care and have a good day.

So let’s ignore the questionable English in this email and start with you cannot see. The email address was spoofed so that it seems like it was sent from your account, but it really wasn’t. That’s meant to get your attention. Second, it claims that you were hit with via “zero click vulnerability”. I call BS on that. Basically, they’re trying to take advantage of people’s lack of knowledge of computers by saying that they used some super scary exploit to hack you. To be clear, there are such things as “zero click” vulnerabilities, but they are so valuable that a guy like this wouldn’t have access to them. Or anyone with that level of skill would be working for a nation state trying to do some form of espionage and not trying to extort people.

So as usual, the scumbag claims to have recorded you “pleasuring yourself” so to speak. And they even mention PornHub. That’s pretty ballsy. I’ll dole out my usual advice. If you are worried about some piece of software using your camera to record you without your knowledge, put some tape over your camera.

And judging from the fact that when I checked his Bitcoin wallet, there were no deposits in it, it either means that nobody has fallen for this scam. Or nobody has fallen for it yet. Seeing as you’re reading this, you won’t be falling for this scam.

Finally, the scumbag says to not to go to law enforcement for help. Whatever.

Really, the quality of these extortion phishing email scams is really low. I’ve shown off a few of them in the last couple of weeks and I remain unimpressed. Absolutely nobody should be falling for these because they are so badly done. And I do mean nobody.

I swear, there more scams these days than Elvis impersonators in Vegas. This time it’s Revenue Canada who is being used in a scam. And that scam starts with this email:

Now right off the top, this email caught the attention of Apple Mail that told me that it was from a mailing list. That’s a major red flag as emails from Interac would be directly addressed to you. So I new it was as scam without having to click on anything. But I did my usual due diligence and checked the email address of the person who sent this:

Interac sends transfers from notify@payments.interac.ca. So this further validates that this is a scam. But in the interest of seeing what the scammers were up to, I clicked the “Choose your financial institution” button. Which by the way you should never do after looking at the grammar and spotting the mix of French and English, and the word “october” which doesn’t have a capital. Seriously, scammers really need to use an app like Grammarly if they don’t want their scam emails deleted the second that they hit an inbox because the writing is so poor.

In any case, here’s what I got:

Ahhhh… The old banking credential phishing scam. That involves choosing your bank, typing in your credentials, and getting pwned. Then you bank account empties. And there’s lots of choice here including banks that I don’t normally see as part of this type of scam. Someone has been busy. But they really didn’t put a whole lot of time into this scam based on this:

This isn’t even close to how the actual CIBC web page looks. I’ve seen other scams where the scammer tried way harder than this to replicate the web page to fool the unsuspecting into typing in their card number and password which will allow them pwn you. Thus this will likely tip most people off that this is a scam. And the fact that I am putting this story out there will likely inform the rest to not fall for such a poorly executed scam by someone who clearly has no skills. But they did do something interesting:

The website acts like you’re going get a validation code on your phone. But you’re never going to receive it because you have just been pwned. Interesting.

So what’s the bottom line? I am guessing that because the Federal Government announced a number of new programs today including a GST credit, this scam was timed to take advantage of that. Thus if you get an email like this, delete it and move on with your life.

I Guess that the scumbags behind extortion phishing emails must really be bored as they are all coming out of the woodwork with new scams to separate you from your money. I have now come across a third variant of this scam thanks to a reader of this blog that I would like to share with you and then tell you why it is a scam:

Greetings!

I have to share bad news with you.
Approximately few months ago I have gained access to your devices, which you use for internet browsing.
After that, I have started tracking your internet activities.

Here is the sequence of events: 
Some time ago I have purchased access to email accounts from hackers (nowadays, it is quite simple to purchase such thing online).
Obviously, I have easily managed to log in to your email account (EMAIL ADDRESS REDACTED).

One week later, I have already installed Trojan virus to Operating Systems of all the devices that you use to access your email.
In fact, it was not really hard at all (since you were following the links from your inbox emails).
All ingenious is simple. 😉

This software provides me with access to all the controllers of your devices (e.g., your microphone, video camera and keyboard).
I have downloaded all your information, data, photos, web browsing history to my servers.
I have access to all your messengers, social networks, emails, chat history and contacts list.
My virus continuously refreshes the signatures (it is driver-based), and hence remains invisible for antivirus software.

Likewise, I guess by now you understand why I have stayed undetected until this letter…

While gathering information about you, I have discovered that you are a big fan of adult websites.
You really love visiting porn websites and watching exciting videos, while enduring an enormous amount of pleasure.
Well, I have managed to record a number of your dirty scenes and montaged a few videos, which show the way you masturbate and reach orgasms.

If you have doubts, I can make a few clicks of my mouse and all your videos will be shared to your friends, colleagues and relatives.
I have also no issue at all to make them available for public access.
I guess, you really don’t want that to happen, considering the specificity of the videos you like to watch, (you perfectly know what I mean) it will cause a true catastrophe for you.

Let’s settle it this way:
You transfer $1650 USD to me (in bitcoin equivalent according to the exchange rate at the moment of funds transfer), and once the transfer is received, I will delete all this dirty stuff right away.
After that we will forget about each other. I also promise to deactivate and delete all the harmful software from your devices. Trust me, I keep my word.

This is a fair deal and the price is quite low, considering that I have been checking out your profile and traffic for some time by now.
In case, if you don’t know how to purchase and transfer the bitcoins – you can use any modern search engine.

Here is my bitcoin wallet: [BITCOIN WALLET ADDRESS REDACTED]

You have less than 48 hours from the moment you opened this email (precisely 2 days).

Things you need to avoid from doing:
*Do not reply me (I have created this email inside your inbox and generated the return address).
*Do not try to contact police and other security services. In addition, forget about telling this to you friends. If I discover that (as you can see, it is really not so hard, considering that I control all your systems) – your video will be shared to public right away. 
*Don’t try to find me – it is absolutely pointless. All the cryptocurrency transactions are anonymous.
*Don’t try to reinstall the OS on your devices or throw them away. It is pointless as well, since all the videos have already been saved at remote servers.

Things you don’t need to worry about:
*That I won’t be able to receive your funds transfer.
– Don’t worry, I will see it right away, once you complete the transfer, since I continuously track all your activities (my trojan virus has got a remote-control feature, something like TeamViewer).
*That I will share your videos anyway after you complete the funds transfer.
– Trust me, I have no point to continue creating troubles in your life. If I really wanted that, I would do it long time ago! 

Everything will be done in a fair manner!

One more thing… Don’t get caught in similar kind of situations anymore in future!
My advice – keep changing all your passwords on a frequent basis

So let’s unpack this. This guy seems to be less able to execute this scam well as unlike previous variants that I have seen, he has not spoofed your email address to get your attention. He simply pastes it in. Which implies that this is a form letter of some sort with a list of email addresses that just get fed into it hoping that someone who isn’t technically savvy will fall for it.

What a loser.

And judging from the fact that when I checked his Bitcoin wallet, there were no deposits in it, it either means that nobody has fallen for this scam. Or nobody has fallen for it yet. Seeing as you’re reading this, you won’t be falling for this scam.

Other things that I would like to point are the usual items that are part and parcel of these scams:

• This email also says that the so called hacker installed the “trojan virus” on your computer which is a piece of software that can download your data, log your keystrokes and control your webcam and microphone. Now this software does exist. But if you have up to date and functional anti-virus software, it should be able to deal with it. And if you want a bit of extra security, cover up your webcam with a piece of tape. The scammer’s talk about changing signatures of his software to evade detection is BS by the way. If he could do that, he’d be working for some nation state launching targeted spyware and ransomware attacks rather than doing scams on individuals.
• The scammer wants you to pay him via Bitcoin and he even says that “All the cryptocurrency transactions are anonymous. Which means that there’s no way for the scammer to know that you’ve paid him which means that there’s no way for him to delete the data that they allegedly have on you.
• The English used in this phishing email is not that good.
• It tries to play on your fears of being outed for watching porn and “pleasuring” yourself. In fact, this one really plays heavily on that. Even going as far as not to tell your friends or law enforcement.

The bottom line is that this guy has created a scam that isn’t all that good and is likely to convince few people to hand over their cash. But since the number of people who could fall for this is not zero, I’m putting this out there so that the number gets closer to zero.

Stay safe out there.

Yesterday, the Philippine senate launched an investigation to identify the attackers behind a massive phishing campaign of millions of text messages sent to mobile users in hopes of capturing personal login credentials for fraudulent transactions.

The country’s two biggest telecoms providers have said they blocked more than 1 billion spam and suspicious text messages between them this year. PLDT and Globe have assured their combined 156 million mobile subscribers that cybercriminals have not breached their security systems.

Senator Grace Poe, who heads the senate’s public services committee, called for tighter measures against cybercriminals.

“This is a staggering number of messages that prey upon the vulnerable like those who are unemployed, in need of money or are just unfamiliar with these schemes,” Poe said.

Consumers have reported a surge in phishing attempts during the pandemic as people relied heavily on mobile devices for shopping and food delivery orders and banking.

The scale of this campaign is nuts. And something needs to be done. But apparently an attempt to deal with this was squashed:

Poe said it was time for lawmakers to revive a bill, vetoed last year by then President Rodrigo Duterte, that would require SIM card buyers to register with network providers to prevent scams and misinformation. read more

And Nick Ascoli, VP of Threat Research at PIXM has this to say:

There is a need for regulations that represent a sincere and holistic attempt at taking steps towards curbing cybercrime operations affecting the region. Unfortunately, scammers use many techniques to send luring text messages to victims, few of which involve the actual purchase of a physical phone and SIM card. Most involve the use of internet based SMS Gateways. While the specific proposal would likely not address the issue, it represents a hopeful sentiment that Southeast Asian governments will increase their use of federal resources in stopping cybercrime.

One of the best ways to deal with cybercrime is to go after the threat actors and take away the money gained from these crimes and take away their liberty. The next best thing is to make it harder for cybercriminals to execute their schemes. That’s what the law that was squashed last year would do and hopefully it gets enacted so that this issue is addressed.

I swear, these extortion phishing scams are multiplying like weeds. Hot off of this scam that I brought to your attention a few days ago, another one has been brought to my attention. Before I get to that, let me recap what this scam is all about.

The scammer claims to have recorded you while watching porn and has video proof of that. The scammer then goes on to claim that they will release it to your friends, family and the like if you don’t pay them in Bitcoin which is untraceable. So what the scam is doing is leveraging the fact that watching porn and “pleasuring” yourself to put it kindly is seen as something negative. And having a video of you doing this would be embarrassing. Thus you would be inclined to pay to keep it quiet.

Now over to today’s scam. The email that I got looks like this:

Hello!
Have you recently noticed that I have e-mailed you from your account?
Yes, this simply means that I have total access to your device.

For the last couple of months, I have been watching you.
Still wondering how is that possible? Well, you have been infected with malware originating from an adult website that you visited. You may not be familiar with this, but I will try explaining it to you.

With help of the Trojan Virus, I have complete access to a PC or any other device.
This simply means I can see you at any time I wish to on your screen by simply turning on your camera and microphone, without you even noticing it. In addition, I have also got access to your contacts list and all your correspondence.

You may be asking yourself, “But my PC has an active antivirus, how is this even possible? Why didn’t I receive any notification?” Well, the answer is simple: my malware uses drivers, where I update the signatures every four hours, making it undetectable, and hence keeping your antivirus silent.

I have a video of you wanking on the left screen, and on the right screen – the video you were watching while masturbating.
Wondering how bad could this get? With just a single click of my mouse, this video can be sent to all your social networks, and e-mail contacts.
I can also share access to all your e-mail correspondence and messengers that you use.

All you have to do to prevent this from happening is – transfer bitcoins worth $1450 (USD) to my Bitcoin address (if you have no idea how to do this, you can open your browser and simply search: “Buy Bitcoin”).

My bitcoin address (BTC Wallet) is: [Bitcoin Address Redacted]

After receiving a confirmation of your payment, I will delete the video right away, and that’s it, you will never hear from me again.
You have 2 days (48 hours) to complete this transaction.
Once you open this e-mail, I will receive a notification, and my timer will start ticking.

Any attempt to file a complaint will not result in anything, since this e-mail cannot be traced back, same as my bitcoin id.
I have been working on this for a very long time by now; I do not give any chance for a mistake. 

If, by any chance I find out that you have shared this message with anybody else, I will broadcast your video as mentioned above.

So let’s unpack this:

• The email appears to have come from your email account. But all that means is that that someone has spoofed your email address. This is surprisingly easy to do. And scammers leverage that to make these scam emails seem more legitimate. But they’re not and the scammer doesn’t have control over anything.
• This email also says is that the so called hacker installed the “trojan virus” on your computer which is a piece of software that can download your data, log your keystrokes and control your webcam and microphone. Now this software does exist. But if you have up to date and functional anti-virus software, it should be able to deal with it. And if you want a bit of extra security, cover up your webcam with a piece of tape. The scammer’s talk about changing signatures of his software to evade detection is BS by the way. If he could do that, he’d be working for some nation state launching targeted spyware and ransomware attacks rather than doing scams on individuals.
• The scammer wants you to pay him via Bitcoin as that’s untraceable. But that works both ways. There’s no way for the scammer to know that you’ve paid him which means that there’s no way for him to delete the data that they allegedly have on you. Related to that, I checked the value of the Bitcoin address and it seems that plenty of people have fallen for that scam based on the number of transactions that have been made into this wallet.
• The email claims to be able to transmit to the scammer when you’ve opened the email. That sounds like the scammer has embedded a tracking pixel into the email. Marketing companies use these to see if you’ve opened an email along with gathering information about you, and Apple for example has countermeasures against all of that. I found no evidence that this email contained anything like this.
• As usual, the English used in this email is poor. A hallmark of scam emails.

This in short, this is a scam email that you should delete the second it hits your inbox. While scam emails like this don’t have to have a huge number of people falling for it to be successful, you shouldn’t be the person who falls for it. And if you have any concerns about the security of your computer, I would contact a professional who can take a look at your computer to see if there are any issues with it.

 

Recently I was contacted by a couple who was hit with a torrent of emails that claimed that they had been watching porn and “pleasuring” themselves, and that a threat actor had installed remote access software and stolen their data. Right off the top, I was pretty sure that this was an extortion phishing scam. I’ve written about this many, many. times in the past. But I did agree to investigate it.

Let’s start with the email that they received. Which between the two of them they got 116 times over a five hour period:

Hello there!

Unfortunately, there are some bad news for you.

Some time ago your computer was infected with my private trojan, R.A.T (Remote Administration Tool), if you want to find out more about it simply use Google.

My trojan allows me to access all controllers of your computer, such as video camera, microphone and keyboard.

I have managed to download all your personal data, as well as web browsing history and photos to my servers.

That’s why I know your password: [PASSWORD REDACTED]

You truly enjoy checking out porn websites and watching dirty videos, while having a lot of kinky fun.

I HAVE RECORDED SEVERAL KINKY SCENES OF YOU, WHERE YOU REACH ORGASM WHILE PASSIONATELY MASTURBATING!

If you still doubt my serious intentions, it only takes couple mouse clicks to share the video of you with your friends, relatives, all email contacts and on social networks.

All you need is $1500 USD in bitcoin (BTC) transfer to my account (bitcoin equivalent based on exchange rate during your transfer).

After the transaction is successful, I will proceed to delete everything without delay.

Afterwards, we can pretend that we have never met before.

In addition, I assure you that all the harmful software will be deleted from your computer.

Be sure, I keep my promises.

If you are unaware how to buy and send bitcoin (BTC) – Google: Where to buy bitcoin (BTC), to send and receive bitcoin (BTC), you can register your wallet for example here: www.blockchain.com

Or download: Exodus Wallet, from: www.exodus.com – with the software you can buy and send bitcoin (BTC).

My bitcoin (BTC) address is: [BTC Address Redacted]

Copy and paste my address, it’s (cAsE-sEnSEtiVE).

You are given not more than 48 hours after you have opened this email (2 days to be precise).

Everything will be carried out based on fairness!

Before I forget…moving forward try not to get involved in this kind of situations anymore!

An advice from me – regularly change all the passwords to your accounts and update your computer and browser.

So let’s unpack this scam. Which by the way isn’t new as this specific variant of this scam has been around for a while.

• The so called hacker has the password of the user. That’s to add some perceived legitimacy to the email. But chances are they don’t know anything more than that. Thus the first thing that you should do if you get one of these emails is to change the password to any email or online service that is associated with that email. And if you’re wondering how they got your email and password, it was likely part of a data breach. You can find out which one by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach that includes your email address and password.
• This email is leveraging the fact that watching porn and “pleasuring” yourself is seen as something negative. And having something like this would be embarrassing would it to be made public via a recording. This email also says is that the so called hacker installed RAT software on your computer. RAT stands for Remote Access Trojan. It’s a piece of software that can download your data, log your keystrokes and control your webcam and microphone. Now this software does exist. But if you have up to date and functional anti-virus software, it should be able to deal with it. And if you want a bit of extra security, cover up your webcam with a piece of tape.
• Thus there’s no way for the scammer to tie you to the money that they could get from you as Bitcoin is anonymous by design. Which means that they have no way to delete the data that they allegedly collected if you pay them. Which by extension means that they’re lying about having data on you.
• The English used in this email is poor. A hallmark of scam emails.
• I checked the Bitcoin address that was referenced in this email. It looks like four people have fallen for this scam based on the wallet having $6000 or so in it.

In this case, I did examine both computers in question and found no remote access trojans or anything else. I also ran their email addresses on haveibeenpwned.com and found that they had been part of several data breaches. Including a few that included that included the password that was referenced in the email. Thus I advised that they change their passwords to not only ensure their long term security, but to also ensure that if they get an email like this in the future that they will know it is fake immediately.

Oh yeah, the fact that this email was sent to them over 100 times is just stupid. Either the person behind this is new at this scam, or they are desperate. If you want to make sure that your scam email is ignored, this is a great way to make sure that it is ignored.

The fact is that this email is aimed at getting maybe a handful of people to fall for it. Because a scam doesn’t have to be successful in quantity to be successful. Don’t be that person. If you see an email like this in your inbox, delete it and move on with your life.

I was alerted to this scam a couple of months ago. But I forgot about it until a reader of this blog alerted me to a version of this scam today. Thus in the interest of making sure that the readers of this blog are aware of new scams that are out there, I’m writing about it today.

I have to admit that on one hand it is kind of lame. But on the other hand I can see how it might be effective as it might tempt you to engage with the threat actor. It starts out with the text message:

Now if it were me, I’d delete this text message. But I can see a scenario where someone might reply and engage with the threat actor. Thus confirming to the threat actor that they have a live person and facilitating the threat actor an opportunity to try and carry out the scam. Here’s another screenshot that was sent to me by a client of mine where they did respond before thinking twice about doing so and emailing me for help:

The next thing that happened is that the initial message was followed up with a link which likely would take you to a phishing site where I am guessing that whomever is behind this scam will try to get you to hand over your banking details. In the case of my client, I didn’t get the link that they were sent. And fortunately for them, they did not click on the link. Which for the record you should never, ever do. Thus I was unable to test the link out and go down the rabbit hole to understand the scam in greater detail like I normally do with scams that are brought to my attention. But that seems like a likely hypothesis.

Based on my research, this scam has been going since April of this year and is still ongoing. Thus I would say that if you get a text that looks like the examples above, your best defence is to not respond to the text and delete it.

It seems that a phishing scam involving TD Bank is back. Like the last one, it is delivered by text message. Specifically looking like this:

Now a quick look at the URL should tell you that wasn’t sent by TD Bank as their official URL is td.com in Canada and tdbank.com in the US. But a few people might be fooled by this as the URL starts with “TD”. Remember, a scam doesn’t have to be successful in quantity to be successful.

In any case, if you click on the URL, which by the way you should NEVER EVER DO, this is what you will see:

You get taken to an exact clone of the TD website. I got my wife to have a look at this as she’s a TD customer and she confirmed that this website is so good, there’s almost no difference between this phishing website and the real website. Thus it might fool people.

So this is where I got curious, I typed in a bogus credit card number and a password that was nonsensical and was promptly presented with this when I clicked login:

So this website actually takes into account two factor authentication. Very sophisticated as at first glance they are either trying to convince you that this is the real website, and/or they want to get your mobile number to do a SIM swap or something similar so that they can take control or you bank account. Bonus points for that. Though this website didn’t validate the bogus card number I put in. So I’ll deduct some points for that. For giggles, I clicked call me where I expected a prompt for a phone number. Instead I got this:

Well that’s a wee bit of a mistake But I am pretty sure that they are assuming that you will click on “text me” rather than call me. Thought it really doesn’t matter at this point because if you actually typed in your real TD card number and password in the previous steps, you’ve been pwned and your bank account will be drained in short order. And the fact that they didn’t ask for a phone number means that they were simply trying to gain your confidence that this was the real website.

I should note that when I tested this in Safari on macOS, it was spotted as a deceptive website right away. Ditto for Firefox on macOS. But that wasn’t the case in Chrome on macOS or Edge on macOS which allowed me to access the site to take these screen shots. That interesting. And not in a good way if you’re a Chrome or Edge user.

In any case, I reported this to TD and sent them all the documentation that they requested. Though the last time that I came across a scam like this, TD wouldn’t or couldn’t shut the scam down. Thus I am not holding my breath in terms of TD taking action on this. Which means that you need to be on your toes as this example proves that the bad guys are getting more and more savvy when it comes to their attempts to separate you from your money.