KNOWNHOST WIKI

Blackmail Email Scams 2019

Don't panic! This has become an increasingly common and widespread scam attempt.

A relatively new type of scam email has been making the rounds: it uses blackmail to extort unaware users into paying Bitcoin in return for not releasing compromising material of an adult nature that the sender claims to possess. These emails are increasingly sent from a spoofed email address, sometimes appearing to come from the user's own email address.

Identifying the Scam

A typical subject line is "This account has been hacked! Change your password right now!". The exact content of the message varies1), but parts of the email body will contain text similar to the following samples. These excerpts have been pulled from tickets our customers have opened with our Support Department:

You may not know me and you are probably wondering why you are getting this e mail, right?
I’m a hacker who cracked your email and devices a few months ago.
Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.

I hacked this mailbox more than six months ago,
through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.
If you don't belive me please check 'from address' in your header, you will see that I sent you an email from your mailbox.

Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.
I setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).
While you were watching videos, your internet browser started out functioning as a RDP (Remote Control) having a keylogger which gave me accessibility to your screen and web cam.
After that, my software program obtained all information.

You entered a passwords on the websites you visited, and I intercepted it.
Of course you can will change it, or already changed it.
But it doesn’t matter, my malware updated it every time.
What did I do?

There are variations in how they claim to have accessed your device and in what actions they claim to have taken, but the claim of having compromising pictures/video is almost standard, as is the demand that a certain amount of Bitcoin (or other cryptocurrency) be sent to a digital wallet within 24 to 72 hours to prevent the release of the material supposedly in the "hacker's" possession:

Important:
You have 48 hour in order to make the payment. (I’ve a unique pixel in this e mail, and at this moment I know that you have read through this email message).
To track the reading of a message and the actions in it, I use the facebook pixel.
Thanks to them. (Everything that is used for the authorities can help us.) If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on.

Sometimes this supposed "hacker" gets sanctimonious, saying they "hope [they] taught you a good lesson":

send the above amount on my BTC wallet (bitcoin): {redacted} As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it.
Otherwise, these files and history of visiting sites will get all your contacts from your device.
Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it!
Since reading this letter you have 36 hours!
After your reading this message, I'll receive an automatic notification that you have seen the letter.
I hope I taught you a good lesson.

What to Do

These scam emails are generally sent out in bulk from compromised machines – you aren't their only target, and the threats are boilerplate rather than evidence that your account or device was actually compromised.

Use Strong Passwords

Any passwords included in the spoofed scam email are usually gleaned from previous data breaches2), not from your device – however, you should be using strong passwords that are unique to every email, social media, cPanel (etc.) account you log into. Now is as good a time as any to change your passwords if you have not changed them in a long while, if the passwords you use are weak, or if you use (or have used) the same password for more than one login.

Apply Security Updates

Now is also a good time to make sure that all of your devices (computers, smartphones, tablets, etc.) have the latest updates for the device's operating system (and related components) and for any 3rd-party software installed on the device. These updates may be inconvenient to perform, but many of them include important security fixes and/or improvements.

Scan Your Devices

A full virus/malware scan of your local workstations/laptops/personal computers probably isn't necessary – most virus/malware scanning applications for personal devices run in the background by default and scan newly created files and files in memory. However, it's not a bad idea to run a full scan (after making sure the software and its definitions are up to date) for peace of mind.

Email Authentication

You can reduce the chances of these spoofed scam emails ever reaching your inbox by ensuring you have working Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) DNS records for any domain you host: these are the standard tools used to authenticate email. Note that SPF checks the envelope sender rather than the visible From header, and a receiving server only acts on a failing result if it is configured to (publishing a DMARC record for your domain tells receivers what to do with mail that fails SPF and DKIM), so these records reduce spoofing rather than eliminating it. Our Support department can assist you with these records for any domain on KnownHost services – if your DNS is managed on a KnownHost service, we can set the records for you.
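The sample above tells you to "check 'from address' in your header" to verify the "sent from your own account" claim, but the From line is exactly the field the sender controls. What actually settles the question is the evidence your own mail server added: the Return-Path (envelope sender), the Authentication-Results line it wrote after checking SPF/DKIM/DMARC, and the Received hop at which the message entered your infrastructure. The following is an added example written for this page (not code from the page, from KnownHost or from any mail software) that reads those headers with Python's standard library. The two messages are constructed; example.com is the victim's own domain, and the host names, addresses and IPs are placeholders.

```python
import email
import re
from email.utils import parseaddr

# Assumed values describing your own mail infrastructure.
OWN_DOMAIN = 'example.com'
OWN_HOSTS = {'mx1.example.com', 'imap.example.com'}
OWN_IPS = {'192.0.2.10', '192.0.2.11'}

# Constructed scam message: From claims the victim's own address, but the
# envelope sender, the SPF/DKIM/DMARC verdicts and the entry hop disagree.
SCAM_MESSAGE = """\
Return-Path: <bounce-7712@mailer.example.net>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
 by imap.example.com with ESMTP id 4Fq2; Thu, 25 Jul 2019 10:02:11 +0000
Received: from unknown (HELO example.com) (198.51.100.23)
 by mx1.example.com with SMTP; Thu, 25 Jul 2019 10:02:09 +0000
Authentication-Results: mx1.example.com;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none (message not signed);
 dmarc=fail header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: This account has been hacked! Change your password right now!

I'm a hacker who cracked your email and devices a few months ago.
"""

# Constructed genuine self-addressed message for comparison.
GENUINE_MESSAGE = """\
Return-Path: <alice@example.com>
Received: from webmail.example.com (webmail.example.com [192.0.2.11])
 by imap.example.com with ESMTP id 9Kd1; Thu, 25 Jul 2019 11:00:00 +0000
Authentication-Results: imap.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: alice@example.com
To: alice@example.com
Subject: note to self

Renew the domain next month.
"""

IPV4 = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b')


def auth_result(auth_headers, mechanism):
    """Verdict for spf/dkim/dmarc from Authentication-Results, or 'none'."""
    for value in auth_headers:
        m = re.search(rf'\b{mechanism}=(\w+)', value)
        if m:
            return m.group(1).lower()
    return 'none'


def external_origin(received_headers, own_hosts, own_ips):
    """Walk Received headers newest-first (the order they appear) and return
    the IP that handed the message to one of our servers from outside, or
    None if it never left our infrastructure. Only hops stamped 'by' our own
    servers are trusted; the sender can forge everything below them, so the
    walk stops at the first hop that is not ours."""
    for value in received_headers:
        by = re.search(r'\bby\s+([\w.-]+)', value)
        ip = IPV4.search(value)
        if not by or by.group(1) not in own_hosts:
            break
        if ip and ip.group(1) not in own_ips:
            return ip.group(1)
    return None


def domain_of(addr):
    return addr.rsplit('@', 1)[-1].lower()


def spoofing_signals(raw, own_domain=OWN_DOMAIN, own_hosts=OWN_HOSTS,
                     own_ips=OWN_IPS):
    """Summarise the header evidence for or against a forged From line."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get('From', ''))[1]
    return_path = parseaddr(msg.get('Return-Path', ''))[1]
    auth = msg.get_all('Authentication-Results', [])
    signals = {
        'from': from_addr,
        'return_path': return_path,
        'spf': auth_result(auth, 'spf'),
        'dkim': auth_result(auth, 'dkim'),
        'dmarc': auth_result(auth, 'dmarc'),
        'origin_ip': external_origin(msg.get_all('Received', []),
                                     own_hosts, own_ips),
    }
    # A From line in our own domain is only credible if the envelope sender
    # is ours too, SPF passed, and the message never entered from outside.
    signals['from_forged'] = domain_of(from_addr) == own_domain and (
        signals['spf'] != 'pass'
        or domain_of(return_path) != own_domain
        or signals['origin_ip'] is not None
    )
    return signals


if __name__ == '__main__':
    for label, raw in (('scam', SCAM_MESSAGE), ('genuine', GENUINE_MESSAGE)):
        print(label, spoofing_signals(raw))
```

Run against the scam sample this reports spf=fail, a Return-Path in a foreign domain and an entry hop from 198.51.100.23, so the "from your own account" claim collapses; the genuine self-addressed message passes on every count. The same reading applies to headers you view in webmail or cPanel ("show original"/"view source"): trust the Received and Authentication-Results lines your own server added, not the ones underneath them.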

Spam Filtering

Another measure that can stop these emails from ever reaching you is enabling one or more forms of spam filtering. There are a lot of options available (far too many to cover in this article), but having SpamAssassin enabled on your server is a great first step, and a default installation catches most spam. SpamAssassin is enabled by default on our server lineup, and is enabled for our Shared & Reseller lineup as well.
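SpamAssassin scores a message by adding up the weights of every rule that matches and flags it once the total reaches required_score; no single phrase ("webcam", "48 hours", "bitcoin") is damning on its own, but the combination this scam always uses is. The following is an added example (not SpamAssassin's or KnownHost's code) that models that scoring in Python over phrases taken from the samples quoted on this page. The rule names beginning KH_SEXT_ and the scores are made up for illustration; the scam text is assembled from the page's samples, the benign text is constructed.

```python
import re

# Hypothetical rule set in the shape of SpamAssassin body rules:
# (name, regex, score). Phrases come from the samples quoted on this page.
RULES = [
    ('KH_SEXT_FROM_OWN_ACCOUNT',
     r'\bfrom\s+your\s+(?:own\s+|hacked\s+)?(?:account|mailbox)\b', 2.5),
    ('KH_SEXT_WEBCAM', r'\bweb\s?cam\b', 1.5),
    ('KH_SEXT_MALWARE_CLAIM', r'\b(?:keylogger|trojan|rdp)\b', 1.0),
    ('KH_SEXT_CRYPTO_WALLET',
     r'\b(?:bitcoin|btc)\b.{0,40}\bwallet\b|\bwallet\b.{0,40}\b(?:bitcoin|btc)\b',
     2.0),
    ('KH_SEXT_DEADLINE', r'\b\d{1,3}\s*(?:to\s+\d{1,3}\s*)?hours?\b', 1.0),
    ('KH_SEXT_TRACKING_PIXEL', r'\bpixel\b', 1.0),
    ('KH_SEXT_CONTACTS_THREAT', r'\ball\s+(?:of\s+)?your\s+contacts\b', 1.5),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE | re.DOTALL), score)
            for name, pattern, score in RULES]
REQUIRED_SCORE = 5.0  # plays the role of SpamAssassin's required_score

# Assembled from the scam excerpts quoted on this page.
SCAM_SAMPLE = """\
Do not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.
While you were watching videos, your internet browser started out functioning as a RDP (Remote Control) having a keylogger which gave me accessibility to your screen and web cam.
You have 48 hour in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message).
If I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on.
send the above amount on my BTC wallet (bitcoin): {redacted}
"""

# Constructed benign message that trips two of the rules on its own.
BENIGN_SAMPLE = """\
Reminder: the webcam in meeting room 2 will be replaced within 48 hours,
so please book room 3 for tomorrow's call.
"""


def score_body(text):
    """Return (total score, names of matching rules), the way SpamAssassin
    reports them in X-Spam-Status."""
    hits = [name for name, regex, _ in COMPILED if regex.search(text)]
    total = sum(score for name, _, score in COMPILED if name in hits)
    return round(total, 1), hits


def is_sextortion(text):
    """True once the combined score reaches the threshold."""
    return score_body(text)[0] >= REQUIRED_SCORE


if __name__ == '__main__':
    for label, text in (('scam', SCAM_SAMPLE), ('benign', BENIGN_SAMPLE)):
        score, hits = score_body(text)
        print(f'{label}: score={score} flagged={is_sextortion(text)} hits={hits}')
```

The benign reminder scores 2.5 (webcam plus a deadline) and stays under the threshold, while the scam text trips all seven rules for 10.5. Each tuple translates directly into a `body` rule and a `score` line in SpamAssassin's local.cf (for instance `body KH_SEXT_WEBCAM /\bweb\s?cam\b/i` with `score KH_SEXT_WEBCAM 1.5`), and a `meta` rule can require several of them to match before adding a large score, which is the usual way to avoid punishing legitimate mail that happens to mention a webcam or a deadline.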

References

1)
the content appears to be generated from a list of phrases
2)
See the NYT article
security/misc/blackmail-email-scams.txt · Last modified: 2019/07/25 15:21 by Daniel P.