Archive for Scam

Good Grief! Yet Another Extortion Phishing Scam Has Appeared!

Posted in Commentary with tags on October 20, 2018 by itnerd

One day after I told you about the latest extortion phishing scam, I have another one for you. Like yesterday’s scam and the last four extortion phishing scams that I told you about in the last few months, this one again plays on the fact that you might have surfed for porn and that you might have done something else related to that. In other words, it is playing on your guilt about doing things that you perhaps should not be doing. Here’s the text of the latest scam email that I came across:

Hello.. .

This won\’t take too much of your study time, therefore direct to the point. I got a video of you commiting spermicide when at a pornpage you are went to, thanks to a fantastic arse software I\’ve been able to put on a few internet sites with that kind of content.

You click play and all the digital cameras and a microphone start working in addition it will save every damn detail coming from your personal pc, like contacts, passwords or shit such as dat, think where i got this e mail from?) And so now i know just who i will deliver that to, just in case you not necessarily going to compensate this with me.

I am going to put a account address down below so that you can send me 690 bucks within 3 days utmost via bitcoin. See, it\’s not that large of a sum to cover, suppose that would make me not that bad of a man.

You are allowed to complete whatever the shit you want to, yet in case i will not see the total in the period of time mentioned above, clearly… u undoubtedly realize what can happen.

So it\’s under your control at this point. I\’m not going to proceed through all the info and crap, just simply don\’t have time for this as well as you possibly know that internet is loaded with text letters similar to this, therefore it is also your final choice to believe in this not really, there may be just one way to figure out.

Here is the bitcoin wallet address- <Bitcoin Address redacted>

Have a great time and remember that time clock is ticking))

The first thing that I note about this latest scam is that it doesn’t offer up a password that you might have used as “proof” that they hacked your computer. But it does offer up all the usual elements of these scams like installing some sort of trojan that takes control of your computer, in particular the webcam and microphone, and steals stuff like contacts. I’ve said it before and I will say it again, such software does exist. But if you have functioning and up to date antivirus software, it should be a non-issue.

Now, like all the other variants of this scam, the scumbags behind it got the email address and password as part of a data breach. You can find out which data breach by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach of some sort. The fact that they don’t have a password that you might have used indicates that you were part of a breach that didn’t include passwords. Thus it is highly likely that the low life behind this scam is less sophisticated and not that bright when compared to the others who run scams like these.

Having said all of that, if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. Another thing I am strongly suggesting to my clients is that they change the passwords to things like email, online banking and the like as a preventative measure. That way if they get an email like this, they will know it is fake immediately.

These scams are starting to get out of hand. Thus I strongly suggest that you take measures to prevent yourself from becoming a victim. These scumbags want you to be the 1% of people who fall for something like this because they make lots of money off that 1%. Don’t be part of that 1%. Ignore an email like this and use my advice above to protect yourself.
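The recurring elements pointed out above (a malware claim, a webcam recording, a bitcoin demand, a deadline, a threat to tell your contacts, sometimes an old password as “proof”) can be checked mechanically when triaging reported mail. This is an added example, not code from this blog; the patterns, the threshold, the `retired_passwords` parameter and the sample messages are constructed for illustration.

```python
import re

# One pattern per recurring element of the emails quoted in these posts.
INDICATORS = {
    "malware_claim": re.compile(
        r"\b(trojan|virus|malware|malicious (program|software)"
        r"|rat software|key ?logger)\b", re.I),
    "webcam_claim": re.compile(r"\b(web ?cam|camera)\b", re.I),
    "payment_demand": re.compile(r"\b(bitcoins?|btc)\b", re.I),
    "deadline": re.compile(r"\b(\d+|one|two|three)\s+(hours?|days?)\b", re.I),
    "exposure_threat": re.compile(
        r"\b(contacts|friends|colleagues|relatives)\b", re.I),
    "read_tracking_claim": re.compile(
        r"\b(pixel|automatic notification|timer will start)\b", re.I),
}
# Legacy Base58 and bech32 address shapes, so the wallet can be reported.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b")
CORE = {"payment_demand", "exposure_threat"}

# Constructed samples, modelled on the quoted emails (not real messages).
SAMPLE_SCAM = (
    "Hello! I infected your operating system with a trojan. "
    "Your password is hunter2-old, right? I recorded you through the "
    "camera of your device. Send $800 to my BTC wallet: "
    "1ConstructedSampLeAddressXyz123. You have 48 hours. "
    "Otherwise the video goes to all your contacts."
)
SAMPLE_BENIGN = (
    "Weekly newsletter: bitcoin prices rose again. "
    "Our webinar starts in 3 days, invite your friends!"
)


def triage(body, retired_passwords=()):
    """Score a message body against the extortion-scam template.

    retired_passwords: passwords the recipient knows were exposed in a
    breach and no longer uses. Only a flag is returned, never the value.
    """
    hits = {name for name, rx in INDICATORS.items() if rx.search(body)}
    if any(pw and pw in body for pw in retired_passwords):
        hits.add("breached_password_quoted")
    # A money demand plus a threat to expose is the core of the template;
    # require two more elements so newsletters and chatter do not match.
    supporting = len(hits - CORE)
    is_scam = CORE <= hits and supporting >= 2
    return {
        "verdict": "likely-extortion-scam" if is_scam else "no-match",
        "hits": sorted(hits),
        "btc_addresses": BTC_ADDRESS.findall(body),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SCAM, retired_passwords={"hunter2-old"}))
    print(triage(SAMPLE_BENIGN))
```

A quoted password that matches one you retired after a breach is a sign that the sender is working from breach data, which is the point made in the posts below.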

Another Day, Another Extortion Phishing Scam….. Don’t Fall Victim To It!

Posted in Commentary with tags on October 19, 2018 by itnerd

Today, I am going to expose another extortion phishing scam email. And for the record, I will keep shining a light on these and others who try to take advantage of honest, hard-working people because cockroaches like them hate the light. Like the last four extortion phishing scams that I told you about in the last few months, this one again plays on the fact that you might have surfed for porn and that you might have done something else related to that. In other words, it is playing on your guilt about doing things that you perhaps should not be doing. Here’s the text of the latest scam email that I came across:

Hello!

My nickname in darknet is kevan45.

I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

So, your password from <Email redacted>  is <password redacted>

Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me.

I have access to all your accounts, social networks, email, browsing history.

Accordingly, I have the data of all your contacts, files from your computer, photos and videos.

I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you!

During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching.

Oh my god! You are so funny and excited!

I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $811 is quite a fair price to destroy the dirt I created. Send the above amount on my BTC wallet (bitcoin): <Bitcoin Wallet Redacted>

As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it!

Since reading this letter you have 48 hours!

After your reading this message, I’ll receive an automatic notification that you have seen the letter.

I hope I taught you a good lesson.

Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere!

Good luck!

The first thing that this email says is that they installed a trojan on the computer that takes control of the system and allows the person who installed it to log your keystrokes and control your webcam and microphone. Now this software does exist. But if you have up to date and functional anti-virus software, it should be able to deal with it. But in this case, I can say that never happened.

So, how can I say that this never happened? That’s because like all the other variants of this scam, the scumbags behind it got the email address and password as part of a data breach. You can find out which data breach by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach that includes your email address and password. And chances are that the breach in question took place longer than the six months that the scumbags claim that they have had access to your system.

Having said all of that, if you’re concerned about an email like this, and if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. Another thing I am strongly suggesting to my clients is that they change the passwords to things like email, online banking and the like as a preventative measure. That way if they get an email like this, they will know it is fake immediately.

Only about 1% of people who get an email like this pay up. Thus these scumbags want you to be the 1% of people who fall for something like this because they make lots of money off that 1%. Don’t fall for this. Never respond to an email like this. Never pay up. Just ignore them and make sure that whatever password that they have isn’t in use by any of your online accounts. They are scumbags and don’t deserve your attention or more importantly your money.

These Extortion Phishing Scams Are Multiplying Like Rabbits…. Here’s How Not To Become A Victim

Posted in Commentary with tags on October 8, 2018 by itnerd

Yesterday, I got one of those scam emails that I’ve been writing about for weeks now. Like the last three extortion phishing scams that I told you about, this one plays on the fact that you might have surfed for porn and that you might have done something else related to that. In other words, it is playing on your guilt about doing things that you perhaps should not be doing. Here’s the text of the latest scam email that I came across:

Hi, dear user of [DOMAIN DELETED]
We have installed one RAT software into you device.
For this moment your email account is hacked (see on “from address”, I messaged you from your account).
Your password for [EMAIL ADDRESS DELETED]: [PASSWORD DELETED]

I have downloaded all confidential information from your system and I got some more evidence.
The most interesting moment that I have discovered are videos records where you masturbating.

I posted my virus on porn site, and then you installed it on your operation system.
When you clicked the button Play on porn video, at that moment my trojan was downloaded to your device.
After installation, your front camera shoots video every time you masturbate, in addition, the software is synchronized with the video you choose.

For the moment, the software has collected all your contact information from social networks and email addresses.
If you need to erase all of your collected data, send me $800 in BTC (crypto currency).
This is my Bitcoin wallet: [BITCOIN WALLET DELETED]
You have 48 hours after reading this letter.

After your transaction I will erase all your data.
Otherwise, I will send video with your pranks to all your colleagues and friends!!!

And henceforth be more careful!
Please visit only secure sites!
Bye!

The first thing that this email says is that they installed RAT software on your computer. RAT stands for Remote Access Trojan. It’s a piece of software that can download your data, log your keystrokes and control your webcam and microphone. Now this software does exist. But if you have up to date and functional anti-virus software, it should be able to deal with it. The second thing is that they have your email address. But it was likely part of a data breach. You can find out which one by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach that includes your email address and password. In my case, the password that the scumbags got their hands on was one that I had used at least five years ago. That alone tells me that this is a bogus email and I should ignore it. But if you’re concerned about an email like this, and if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. Another thing I am beginning to suggest is that you change the passwords to things like your email, online banking and the like as a preventative measure. That way if you get an email like this, you’ll know it is fake immediately.

The bottom line is this. These scumbags want you to be the 1% of people who fall for something like this because they make lots of money off that 1%. Don’t be a victim. Don’t respond. Don’t pay them. Just ignore them and make sure that whatever password that they have isn’t in use by any of your online accounts. They are scumbags and don’t deserve your attention or more importantly your money.

 

A Brand New Extortion Phishing Scam Is Making The Rounds….. Here’s How Not To Become A Victim

Posted in Commentary with tags on September 26, 2018 by itnerd

It now appears that there’s a brand new extortion phishing scam that’s out in the wild. Like the last two that I told you about, this one plays on the fact that you might have surfed for porn and that you might have done something else related to that. In other words, it is playing on your guilt. Here’s the text of the latest scam email:

Hello!
I’m a member of an international hacker group.

As you could probably have guessed, your account [Email Redacted] was hacked, I sent message you from it.

Now I have access to you accounts! You still do not believe it?
So, this is your password: [Password Redacted] , right?

Within a period from July 5, 2018 to September 21, 2018, you were infected by the virus we’ve created, through an adult website you’ve visited.
So far, we have access to your messages, social media accounts, and messengers.
Moreover, we’ve gotten full damps of these data.

We are aware of your little and big secrets…yeah, you do have them. We saw and recorded your doings on porn websites. Your tastes are so weird, you know..

But the key thing is that sometimes we recorded you with your webcam, syncing the recordings with what you watched!
I think you are not interested show this video to your friends, relatives, and your intimate one…

Transfer $700 to our Bitcoin wallet: [Bitcoin Wallet Redacted]
I guarantee that after that, we’ll erase all your “data” 😀

A timer will start once you read this message. You have 48 hours to pay the above-mentioned amount.

Your data will be erased once the money are transferred.
If they are not, all your messages and videos recorded will be automatically sent to all your contacts found on your devices at the moment of infection.

You should always think about your security. We hope this case will teach you to keep secrets.
Take care of yourself.

Now in this case, the so called hacker has the password of the user. That’s to add some perceived legitimacy to the email. But chances are they don’t know anything more than that. Thus the first thing that you should do if you get one of these emails is to change the password to any email or online service that is associated with that email. And if you’re wondering how they got your email and password, it was likely part of a data breach. You can find out which one by going to haveibeenpwned.com and typing in your email address. It will likely come back with the fact that you’ve been part of a data breach that includes your email address and password.

Now under no circumstances should you pay up. The main reasons are that not only does it make the scumbags behind this scam want to keep doing it, but because many BitCoin exchanges or ATMs do not require you to verify your identity. Thus there’s no way for the scammer to tie you to the money that they could get from you. Which means that they have no way to delete the data that they allegedly collected if you pay them. Which means that they’re lying about having data on you. Thus never pay these scumbags a single cent.

Next up is the purported use of the webcam to record the victim. It is possible to remotely take over a webcam in a laptop. If you’re the least bit paranoid about that, cover yours with tape. Or you can disable it entirely. Ditto for the microphone as well.

Finally, if you’re the least bit concerned about whether your system is compromised, consult a computer professional and have them check things over. It would also be a good idea to make sure your anti-virus is up to date and fully functioning as well.

The bottom line is this. These scumbags want you to be the 1% of people who fall for something like this because they make lots of money off that 1%. Don’t be a victim. Don’t respond. Don’t pay them. Just ignore them and make sure that whatever password that they have isn’t in use by any of your online accounts. They are scumbags and don’t deserve your attention or more importantly your money.

 

Remember Those Extortion Phishing Scams That I Told You About? Well The Scammers Made A Lot Of Money From Them

Posted in Commentary with tags on August 22, 2018 by itnerd

Over the last few months I’ve been telling you about a scam where a scammer sends someone an email claiming that they have evidence of you watching porn and that they will delete it if you pay them in bitcoin. Then this scam got a bit more scary when the hackers started to serve up your password to prove that they were not lying. According to Motherboard, those who fell for that scam have netted the scammers about $500,000 based on research done by security company Banbreach who looked at the bitcoin wallets used by the scammers:

Banbreach looked at around 770 wallets in total, according to a spreadsheet the company shared with Motherboard. The majority of those, around 540, did not receive any funds. But the remaining ~230 had over 1,000 transactions, receiving a total of around 70.8 BTC.

At today’s exchange rate, 70.8 BTC works out to just under $500,000. Not a trivial amount of money. But according to the company, this is likely a conservative estimate and the actual dollar value that the scammers scored is likely much higher. Considering that these scammers are using information from other hacks and are doing mass emails based on that, the return on investment is high given the skill level to pull this off is low. And chances are, the money that they’re making is only coming from 1% – 3% of people actually responding to this which shows that it doesn’t take a lot of victims for scammers to make a lot of money from something like this.

BEWARE! That Extortion Phishing Scam That I Told You About Has Just Been Amped Up

Posted in Commentary with tags on July 27, 2018 by itnerd

A few months ago I told you about a scam that takes advantage of you if you have been surfing for porn. It leverages the fact that your email address might have been part of a data breach in the past to try and get you to send a few hundred dollars to a bitcoin wallet. This is called extortion phishing. Well, I have been investigating a new version of this scam that has recently started to make the rounds. Unlike the last one, what potential victims get is more specific and the dollar value is higher. Here’s an example of what potential victims get:

I know <Password Deleted> one of your passphrase. Lets get right to purpose. Nobody has compensated me to check about you. You may not know me and you’re most likely wondering why you are getting this e-mail?

Well, I placed a software on the X videos (pornographic material) web-site and guess what, you visited this site to have fun (you know what I mean). When you were viewing video clips, your browser started out working as a Remote control Desktop with a key logger which provided me with access to your screen and also cam. after that, my software program obtained all your contacts from your Messenger, social networks, as well as e-mail . After that I created a double-screen video. First part displays the video you were watching (you’ve got a nice taste ; )), and next part displays the recording of your web cam, & its you.

You do have two alternatives. Lets analyze these possibilities in details:

Very first choice is to skip this email message. As a result, I will send out your very own video to all your your contacts and also think regarding the shame that you receive. And as a consequence if you are in a romance, just how this will affect?

In the second place solution would be to compensate me $7000. We are going to describe it as a donation. As a consequence, I most certainly will promptly erase your video. You can carry on your way of life like this never happened and you will never hear back again from me.

You’ll make the payment through Bitcoin (if you do not know this, search “how to buy bitcoin” in Google search engine).

BTC Address: <Bitcoin address deleted>
[CASE-sensitive copy & paste it]

Should you are thinking of going to the authorities, good, this email message can not be traced back to me. I have covered my actions. I am also not trying to ask you for money a lot, I want to be paid for. You have one day to pay. I’ve a special pixel in this mail, and now I know that you have read through this mail. If I don’t get the BitCoins, I definitely will send your video recording to all of your contacts including friends and family, colleagues, and so on. Nonetheless, if I do get paid, I will destroy the recording immediately. This is the non:negotiable offer, and thus do not waste my personal time & yours by responding to this email. If you want to have proof, reply with Yea then I will send out your video recording to your 7 friends.

Now let’s dissect this message. The fact that the scammer has the victim’s password is likely due to the fact that the victim has been a victim of a data leak which included the victim’s password along with their email address. Both are now being used to give the message that the scammer sends some degree of validity. But in reality, they don’t know anything more than the email address and password. The second thing that you should note is that the scammer claims to have covered his tracks and you should not respond to this message. But if you want proof you should respond to this message and the scammer will send a video to seven of your friends. That makes no sense. Now just for fun, I ran a check on the bitcoin address and it had no transactions. Now the person who got the above email didn’t pay up and to nobody’s surprise, no videos were emailed out.

In short, this is a complete scam. So how do you avoid being scammed? Here’s a list of things that you can do.

  1. If you have received an email like the one above, remember that this is likely a scam. But if you want to be sure you can call in a professional to check your computer over to make sure that there’s nothing lurking on it. There likely won’t be but you can never be too careful.
  2. Under no circumstances should you pay up. The main reasons are that not only does it make the scumbags behind this scam want to keep doing it, but because many BitCoin exchanges or ATMs do not require you to verify your identity. Thus there’s no way for the scammer to tie you to the money that they could get from you. Which means that they have no way to delete the data that they allegedly collected if you pay them. Which means that they’re lying about having data on you.
  3. You should check to see if your email address has been part of a data breach that would be the source of this email. Take a visit to www.haveibeenpwned.com and type your email address into it. You’ll likely find that it has been and your email and password have been compromised and are floating around the Internet. You should discontinue the use of that password immediately and change it. In fact, you should use different passwords for your online services that are made up of a mix of uppercase and lowercase letters, numbers and special characters.
  4. If you are the least bit paranoid of someone recording you through your webcam, cover it with a piece of tape or a cover when not in use. Or you can disable it entirely. Ditto for the microphone. You should also have up to date antivirus as well.

The bottom line is this. These scumbags want you to be the 1% of people who fall for something like this. Don’t be a victim. Don’t respond. Don’t pay them. Just ignore them. They are scumbags and don’t deserve your attention or more importantly your money.

Tech Support Scams Are On The Rise: Microsoft

Posted in Commentary with tags on April 23, 2018 by itnerd

One of the things that I seem to be getting a lot of business from in the last year or so are Tech Support Scams. I’ve covered a couple of the ones that I’ve tripped over in the last year or so, and I am preparing myself to get more business based on what Microsoft has had to say about the subject:

In 2017, Microsoft Customer Support Services received 153,000 reports from customers who encountered or fell victim to tech support scams, a 24% growth from the previous year. These reports came from 183 countries, indicating a global problem.

Approximately 15% of these customers lost money in the scam, costing them on average between $200 and $400. In some cases, victims pay a lot more. In December 2017, Microsoft received a report of a scammer emptying a bank account of €89,000 during a tech support scam in the Netherlands.

That’s truly scary. It’s clear that everyone needs to take action to make these scams less effective. I have some advice on how to avoid getting scammed here. But the best defense is to get the word out about these scams to as many people as possible. That way when the scumbags behind these scams try to take someone’s money, they will fail miserably.

Don’t Fall For This Interac Scam That Is Delivered By Text Message [UPDATED]

Posted in Commentary with tags on April 3, 2018 by itnerd

Last night I got a text message that got my attention. I snagged a screenshot of it for your viewing pleasure:

IMG_1412

At first glance it looks like an Interac e-Transfer. And it comes from an Ontario area code to make it look legit. Except that when you look closer, specifically under the words “Deposit your INTERAC e-Transfer” you see a domain called frontsolut-1.com. That’s important because Interac has never used that domain. Besides, I am pretty sure that Interac doesn’t use GoDaddy to register their domains. Because when I ran the domain in question through the Whois database on GoDaddy, I found this:

Domain Name: FRONTSOLUT-1.COM
Registry Domain ID: 2247282825_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Update Date: 2018-04-03T01:30:36Z
Creation Date: 2018-04-03T01:30:36Z
Registrar Registration Expiration Date: 2019-04-03T01:30:36Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: REDACTED 
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: 
Registrant Name: Dean Ataman
Registrant Organization: 
Registrant Street: REDACTED
Registrant City: Belle River
Registrant State/Province: Ontario
Registrant Postal Code: REDACTED
Registrant Country: CA
Registrant Phone: REDACTED
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: REDACTED
Registry Admin ID: 
Admin Name: Dean Ataman
Admin Organization: 
Admin Street: REDACTED
Admin City: Belle River
Admin State/Province: Ontario
Admin Postal Code:REDACTED
Admin Country: CA
Admin Phone: REDACTED
Admin Phone Ext:
Admin Fax: 
Admin Fax Ext:
Admin Email: REDACTED
Registry Tech ID: 
Tech Name: Dean Ataman
Tech Organization: 
Tech Street: REDACTED
Tech City: Belle River
Tech State/Province: Ontario
Tech Postal Code: REDACTED
Tech Country: CA
Tech Phone: REDACTED
Tech Phone Ext:
Tech Fax: 
Tech Fax Ext:
Tech Email: REDACTED
Name Server: NS47.DOMAINCONTROL.COM
Name Server: NS48.DOMAINCONTROL.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2018-04-03T12:00:00Z <<< 

Seeing as Interac is not located in Belle River, Ontario, this is clearly fake, thus validating that this is a scam. Even though I redacted some potentially personal information, that info is likely fake as well. Having said that, if Interac or law enforcement are interested in what I found, feel free to contact me and I’ll hook you up.

I decided to dig in a bit deeper to find out what this scammer was up to. So I copied the link to my test iPhone and clicked on it. I got this:

IMG_1413

Oooooo. It looks like I am going to get some money. Well, actually no. If you look at the URL in the browser, it’s the same frontsolut-1.com address that I mentioned above. Clearly what this scam is counting on is that you won’t notice that. In the interest of science, I chose my financial institution and got this:

IMG_1414

Now that’s a very good copy of the Canadian Imperial Bank Of Commerce website. To illustrate that, here’s the real Canadian Imperial Bank Of Commerce website:

IMG_1415

It’s pretty close except that the domain frontsolut-1.com is still present. Again, the scammers are hoping that you won’t notice.

At this point it’s pretty clear what this is all about. This is an attempt to get your username and password to your online banking account so that the scammers can drain it dry. I have to admit that this is pretty crafty as if you’re not paying attention to things like the domain that is in use, you might fall for it. Thus my advice is to pay attention to any Interac e-Transfer that you get. Look for weird looking URLs and anything that doesn’t seem “normal.” If you receive a notification for an Interac e-Transfer that you weren’t expecting, contact the sender through a different communication channel to verify. If the notification comes from someone you don’t know, or you suspect it may be fraudulent, do not respond or click any links. Forward the email or take screenshots and forward those to phishing@interac.ca.
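The two checks described in this post, comparing the link’s domain with the one the brand really uses and reading the WHOIS record for the domain, can be scripted. This is an added example, not the author’s tooling: the allowlist (built from the interac.ca address mentioned above), the 30-day threshold, the URL path and the hostnames other than frontsolut-1.com are assumptions, and the WHOIS sample is a subset of the fields quoted in the post.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: the brand's legitimate domain. interac.ca is taken from the
# reporting address in the post; a real allowlist would come from the brand.
EXPECTED_DOMAINS = {"interac.ca"}

# Constructed sample: a subset of the WHOIS fields quoted in the post.
SAMPLE_WHOIS = """\
Domain Name: FRONTSOLUT-1.COM
Registrar: GoDaddy.com, LLC
Creation Date: 2018-04-03T01:30:36Z
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant City: Belle River
Registrant Country: CA
>>> Last update of WHOIS database: 2018-04-03T12:00:00Z <<<
"""
# Constructed: when the message was examined (the WHOIS snapshot time).
SEEN_AT = datetime(2018, 4, 3, 12, 0, tzinfo=timezone.utc)


def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}; empty fields are skipped."""
    record = {}
    for line in text.splitlines():
        if line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def first(record, key):
    """First value stored for a WHOIS key, or an empty string."""
    return record.get(key, [""])[0]


def host_matches(host, domains):
    """True only for an exact domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url, whois_text, seen_at, max_new_days=30):
    """Flag a link whose host is off the allowlist or freshly registered."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    record = parse_whois(whois_text)
    flags = []
    if not host_matches(host, EXPECTED_DOMAINS):
        flags.append("host-not-expected")
    whois_domain = first(record, "Domain Name").lower()
    created = first(record, "Creation Date")
    age_days = None
    if not whois_domain or not host_matches(host, {whois_domain}):
        flags.append("whois-mismatch")  # record describes some other domain
    elif created:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ")
        age = seen_at - created_at.replace(tzinfo=timezone.utc)
        age_days = age.total_seconds() / 86400
        if age_days < max_new_days:
            flags.append("newly-registered")
    return {"host": host, "age_days": age_days, "flags": flags}


if __name__ == "__main__":
    # The path is constructed; only the domain appears in the post.
    print(assess_link("http://frontsolut-1.com/deposit", SAMPLE_WHOIS, SEEN_AT))
```

The suffix check is what stops a lookalike host such as `interac.ca.frontsolut-1.com` from passing, and the creation date in the record shows the domain was registered the same day the WHOIS snapshot was taken.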

In the meantime, I am reaching out to Interac with all the info that I compiled on this scam so that they can hopefully put an end to it. Or at least put it on their radar.

UPDATE: A new variant of this scam has appeared. I posted a few Tweets on it last week:

I pinged Interac on this and got this response:

So if you get a text message like this, it’s a scam. Just delete the message and carry on with your life.

One Ring Scams Are Here…. Here’s How To Avoid Being A Victim

Posted in Commentary with tags on March 19, 2018 by itnerd

Over the last couple of weeks, Canadian wireless customers (and I am sure this is true in the US as well) may have experienced the following:

  1. The phone rings once and stops.
  2. The phone’s owner checks the phone and it’s a number from the country code of 235 (Chad) or 232 (Somalia).

Now you’re likely tempted to phone the number back. I am here to say don’t do that. No, seriously. Don’t phone the number back. That’s what these scammers want you to do. And it is a scam called the “One Ring” scam. The whole idea is that the scammers are trying to get you to call them back. But when you do, you’ll get billed an astronomical amount of money per minute. I’ve heard of $400 a minute in one case which is insane.

Now in my case, I’ve received four of these calls over the last week. In every case, I’ve blocked the number in hopes that this will stop the calls. Seeing as two of them were at 3AM, that’s important to me. But blocking calls may not solve the problem as the scumbags behind this scam often use caller ID “spoofing” or deliberately falsifying the information transmitted to your caller ID display to disguise their identity. Thus it may end up being a situation where it’s like playing “Whack A Mole.”

The best way to avoid being a victim is not to call back these numbers. Ever. But here’s a couple of other tips that may be of use:

  • Check any unfamiliar area codes before returning calls. Google or whatever search engine that you prefer can help with this. Now this scam seems to use 3-digit country codes to connect callers to international telephone numbers. Thus if you see a three digit code before the number, it’s likely a scam.
  • If you do not otherwise make international calls, ask your local or wireless phone company to block outgoing international calls on your line. That way you can’t be a victim if you can’t actually dial the number back.

But if you do end up getting burned by this, I would recommend calling your phone company and seeing what they can do to credit the bill. On top of that, you should report it. In Canada, that means that you should go to the Canadian Anti-Fraud Centre. In the US, you can file a complaint with the FCC. Though, because of the nature of this scam, there’s likely not much that either party can do. Thus the best way to protect yourself is not to call back.

UPDATE: I have also confirmed that calls are coming from 269 (Comoros), strangely 573 (a Missouri area code, but it is possible that it is country code 57, which is Colombia) and 267 (Botswana).
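The area-code check from the tips above, as an added Python sketch (not from the original post): it shows why a 10-digit caller ID starting with 269, 267 or 573 can read either as a North American area code or as one of the country codes listed in the update. It assumes a reader in Canada or the US; the function names and the sample numbers are constructed for illustration.

```python
import re

# Country codes named in the post's update; the watchlist is illustrative, not complete.
WATCHED = {"269": "Comoros", "267": "Botswana", "57": "Colombia"}

def match_country(digits):
    """Return the watched country whose code prefixes the digits, longest code first."""
    for code in sorted(WATCHED, key=len, reverse=True):
        if digits.startswith(code):
            return WATCHED[code]
    return None

def looks_like_nanp(national):
    """True if 10 digits fit the North American pattern NXX-NXX-XXXX (N is 2-9)."""
    return bool(re.fullmatch(r"[2-9]\d{2}[2-9]\d{6}", national))

def triage(display):
    """Classify a caller-ID string as ('nanp' | 'international' | 'ambiguous', country)."""
    text = display.strip()
    digits = re.sub(r"\D", "", text)
    explicit_intl = text.startswith("+") or digits.startswith("011")
    if digits.startswith("011"):          # North American international dialing prefix
        digits = digits[3:]
    if explicit_intl:
        # +1 followed by a well-formed 10-digit number is still North American.
        if digits.startswith("1") and looks_like_nanp(digits[1:]):
            return "nanp", None
        return "international", match_country(digits)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]               # drop the long-distance "1"
    if not looks_like_nanp(digits):
        return "international", match_country(digits)
    # Well-formed North American number whose leading digits also match a watched code.
    country = match_country(digits)
    return ("ambiguous", country) if country else ("nanp", None)

# Constructed sample numbers (not taken from real calls).
SAMPLES = ["(416) 555-0199", "1-573-555-0123", "2697712345",
           "+267 71 234 567", "+57 310 555 0123", "+1 416 555 0199"]

def report(numbers=SAMPLES):
    """Return (number, verdict, country) for each caller-ID string."""
    return [(n, *triage(n)) for n in numbers]

if __name__ == "__main__":
    for number, verdict, country in report():
        print(f"{number:18} {verdict:13} {country or '-'}")
```

An "ambiguous" verdict is the cue to look the number up before returning the call.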

 

A New Extortion Phishing Scam Is On The Rise…. Here’s How You Can Avoid Becoming A Victim

Posted in Commentary with tags on March 17, 2018 by itnerd

This past week I got three calls from clients who are all men who got emails similar to this one:

Hello.
Do not regard on my grammar, I am from China.
 
We loaded our malicious program onto your OS.
 
Then I pilfered all  confidential information from your device. Moreover I have some more compromising.
The most interesting evidence that I got- its a videotape with your wanking.I put virus on a porn site and after you installed it. As soon as you picked the video and tapped on a play button, my virus instantly loaded on your Operating System.After setup, your camera shoot the videotape with you self-abusing,  additionally software saved exactly the porn video you watched. In next week my malicious software captured all your social media and work contacts.
 
If you wish to destroy all the evidence- pay me 205 usd in Bitcoins.Its my Btc wallet address –   [DELETED BITCOIN WALLET ADDRESS]
You have 72 hours to go from this moment. If I receive transfer I will erase the compromising forever. Differently I will send the video to all your colleagues and friends.

Now the reason why I got a call was that they were convinced that they had malware installed on their PCs or Macs. Thus in every case, I went looking for anything of the sort that might have been installed and found nothing. But in each case, the men involved did admit to watching online porn. And they also had their email addresses found to have been pwned on haveibeenpwned.com, which means that their email addresses have been part of a data breach. Given the facts above, I suspected that this was nothing more than an extortion phishing scam based on the fact that the scumbag behind the email likely got these men’s email addresses via a data breach.

What is extortion phishing? It’s when the victim receives an email suggesting they have been compromised in some way and the scumbags behind the scam demand money, usually in BitCoin, which is untraceable, to keep this from becoming public. Now this specific scam seems to have been around for a few months based on my research, and the group behind it seems to use a number of BitCoin wallet addresses, each of which has anywhere from $200 USD to $1000 USD, which implies that a few people fall for this. Having said that, this doesn’t have to have huge numbers for it to be profitable. If they send out 20000 emails with this and only 1% pay the $205 USD that they’re asking for, that’s still $4100 USD that they’ve scored. That’s not a trivial amount of cash.

So what can you do to protect yourself? Let’s start with the whole virus taking control of your webcam thing. That is possible. But if you have up-to-date antivirus, that should be a non-issue. If you do feel paranoid, you can tape over your webcam with some tape, and you can disable your mic as well.

Now let’s say that you have received an email like the one above. Remember that this is likely a scam. But if you want to be sure, you can call in a professional to check your computer over to make sure that there’s nothing lurking on it. There likely won’t be, but you can never be too careful. But under no circumstances should you pay up. The main reasons are that not only does it make the scumbags behind this scam want to keep doing it, but because many BitCoin exchanges or ATMs do not require you to verify your identity. Thus there’s no way for the scammer to tie you to the money that they could get from you. Which means that they have no way to delete the data that they allegedly collected if you pay them. Which means that they’re lying about having data on you.

Don’t be the 1% that falls for this scam. If you get an email like this, delete it and move on with your day.