The Recent Increase in Email-based Blackmail and Extortion Scams

If you get an email that threatens to expose you to colleagues, contacts, or law enforcement agencies, don’t get overly concerned, unless, of course, you’re a criminal. These kinds of emails have been around for a while, but they have recently been on the increase and, in some cases, they use an upgraded attack methodology.

The Porn Site Scam

This scam seems to be spreading at a serious rate. Although it has been widespread in Australia and the Middle East, it has only recently been showing up in the U.S. It seems that the criminal behind it is exploiting a large database of email addresses. The basic scam is that he says he has proof (possibly photographic/video proof gleaned from your web cam) that the victim has recently visited a porn site he has compromised. Unless the victim pays in Bitcoins, he will send this proof to all of his/her contacts.

The email gets through filters by using actual (probably compromised) email addresses. Here is the header (victim’s address changed) from the most recent attacks, as outlined on the Dynamoo blog. Note that the subject line spells “Tiскеt” with Cyrillic letters in place of c, k and e, presumably so the word does not match filters keyed on the plain ASCII spelling.

From:    Hannah Taylor [bill@adulthehappytimes.com]
Reply-To:    bill@adulthehappytimes.com
To:    contact@victimdomail.tld
Date:    31 October 2017 at 15:06
Subject:    ✓ Tiскеt ID: DMS-883-97867 [contact@victimdomail.tld] 31/10/2017 03:35:54 Maybe this will change your life
Signed by:    adulthehappytimes.com

Other subject headers have been: “You not first, you not last”, “I would not want you to be very upset”, and “All in your hands”. There are probably more.

Most of these begin with permutations of the following sentences: “I do not want to judge anyone”, “I do not want to judge you”, “I do not presume to judge anyone”, and, most recently, “I sincerely anticipate that I will not hurt ur feelings.” They all end with something like the following: “You can complain to cops for a help, but they wont search out me” or “I do not think that cops can find me”. You are then given a Bitcoin address and told that you have a limited amount of time to pay around $300.

Dynamoo traced the domain address to Russia and someone named Alexey Pokachalov. He discounted that this owner was the actual scammer because “you wouldn’t post real contact details on the WHOIS and then solicit anonymous payments through BitCoin”. True, but maybe the attacker is not as sophisticated as Dynamoo assumes.

I traced the name through a number of Russian forums where the same gmail address was used. The poster used the nickname ‘legzzi’. Of course, the hacker may have used the nickname of the original owner to post on sites the owner already belonged to. But that doesn’t really matter. Only the topic of the posts would matter, especially the most recent posts. For those who may want to pursue this further, here are the contact details he is using.

[Image: blackmail (contact details used by the scammer)]

He uses the name legzzi on forums, and on one of these he complains, or so it seems, that he was unable to use card numbers that he bought, probably on the black market. It seems he wants to buy or sell things that he may have bought from legitimate markets with Bitcoins. In one post, he complains that Russian customs stopped his order.

[Image: scammer warned (forum post)]

In another post, it seems he has run into trouble with the Russian government and is asking for advice on how to avoid prosecution. He frequently asks for help in manipulating databases, leading one to believe that he has gotten his hands on a database with email addresses and wants to learn how to use it to send out spam emails.

A new wrinkle on this scam is that these blackmail emails have been showing up in corporate email inboxes. Maybe the hacker believes the threat of being exposed to work colleagues and management will make people pay up. But don’t bother paying. In short, this looks like a scam run by a low-level, technologically inept Russian hacker who simply wants to make a few bucks or Bitcoins. The bottom line is that you can simply delete these emails without worrying.

DDoS Extortion

A distributed denial of service attack (DDoS) uses botnets to overpower a site’s server and effectively knock it offline. As I noted in a recent post, such attacks can be quite costly. Here, however, I’m referring to fake DDoS attacks that try to extort money from companies. Usually, someone in a company gets an email like this.

[Image: ddos scam (sample DDoS extortion email)]

It is very difficult to tell if the threat is real or not. With the demanded payment relatively low (around $700 in the scam above), as compared to what a real DDoS attack would cost the company ($2.5 million average), the attackers hope the companies will just pay up rather than take the risk.

In July, the FBI warned of such attacks that hide behind the names of successful DDoS hacking groups such as Anonymous and Lizard Squad. Recently, these scammers have appeared again posing as Armada Collective or Phantom Squad, as seen in the above email. Both groups have successfully launched DDoS attacks against companies in the past. Other names the fake attacks use are New World Hackers, LulzSec, and Fancy Bear.

There are a couple of ways that a company can determine whether this is a scam or not. First of all, the ransom demand is too low. Renting or buying a botnet large enough to bring down a major company for a destructive length of time costs a lot of money. This being the case, the attackers will not be settling for hundreds or even thousands of dollars.

Secondly, check with scam services, the Better Business Bureau, or simply type in an unusual sentence from the email on Google to see if others are being scammed in the same way. True operators behind a DDoS attack don’t have the resources to attack many companies at the same time. Usually, they can only organize a botnet to affect one company at a time. Attack warnings on numerous companies are generally the result of spamming attacks that hope to pick up some easy money from nervous companies.

If the above-mentioned signposts are found, simply wait until the deadline (usually 24 hours) has passed. Most companies that have been threatened by these attacks and haven’t paid the ransom found that nothing happened. The attackers just went away.

Of course, it’s normal to be upset by such emails. Some companies have paid the ransom demanded which, of course, will inspire the criminals to keep going. Actual DDoS threats will sometimes do a demo takedown to prove their strength. This could also be a more elaborate scam as botnets are priced according to how long the attackers want the attack to continue. In such cases, it’s up to individual companies to determine whether they want to take the risk of ignoring the ransom demand or not. Just remember that these attackers can’t afford to continue these attacks forever.
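The signposts above (a demand that is too low to fund a real attack, a short deadline, a Bitcoin address, a borrowed group name) and the stock phrasing quoted in the porn-site section can be turned into a simple triage check for an abuse mailbox. The following Python is an added example written for this post, not code from the post or from the Dynamoo blog. The three sample messages, their sender addresses and the Bitcoin-style strings are constructed placeholders, and the $5,000 cut-off for a “too low” demand is an assumption. The check also flags a subject line that mixes Latin and Cyrillic letters, as the “Tiскеt” subject in the header quoted earlier does.

```python
import email
import re
import unicodedata
from email import policy

# Demands at or below this figure read as mass-mailed extortion rather than a
# funded DDoS threat (the post contrasts $700 demands with multi-million-dollar
# real attacks). The exact cut-off is an assumption for this example.
LOW_RANSOM_USD = 5000

# Openings, closings and subject lines quoted in the post, lower-cased.
SEXTORTION_PHRASES = (
    "i do not want to judge",
    "i do not presume to judge",
    "will not hurt ur feelings",
    "complain to cops",
    "cops can find me",
    "you not first",
    "all in your hands",
    "change your life",
)
# Group names the post says are borrowed by fake DDoS ransom notes.
IMPERSONATED_GROUPS = (
    "armada collective", "phantom squad", "anonymous", "lizard squad",
    "new world hackers", "lulzsec", "fancy bear",
)
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy address form
USD_RE = re.compile(r"\$\s?(\d[\d,]*)")
DEADLINE_RE = re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.IGNORECASE)


def mixed_script_words(text):
    """Return words that mix Latin and Cyrillic letters, e.g. 'Ti\u0441\u043a\u0435t'.
    Such homoglyph substitution hides a keyword from naive string filters."""
    found = []
    for word in text.split():
        scripts = set()
        for ch in word:
            if ch.isalpha():
                name = unicodedata.name(ch, "")
                if name.startswith("LATIN"):
                    scripts.add("latin")
                elif name.startswith("CYRILLIC"):
                    scripts.add("cyrillic")
        if len(scripts) > 1:
            found.append(word)
    return found


def triage(raw_message):
    """Parse one RFC 5322 message and collect the scam indicators the post lists."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = subject + "\n" + body
    lowered = text.lower()

    indicators = []
    if BTC_ADDR_RE.search(text):
        indicators.append("bitcoin_address")
    amounts = [int(a.replace(",", "")) for a in USD_RE.findall(text)]
    if amounts and max(amounts) <= LOW_RANSOM_USD:
        indicators.append("low_ransom")
    if DEADLINE_RE.search(text):
        indicators.append("short_deadline")
    if any(p in lowered for p in SEXTORTION_PHRASES):
        indicators.append("sextortion_phrasing")
    if any(g in lowered for g in IMPERSONATED_GROUPS):
        indicators.append("impersonated_group")
    if mixed_script_words(subject):
        indicators.append("mixed_script_subject")

    score = len(indicators)
    if score >= 3:
        verdict = "likely mass-mailed extortion scam"
    elif score >= 1:
        verdict = "suspicious; review manually"
    else:
        verdict = "no extortion indicators"
    return {"indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages: sender names, addresses and the Bitcoin-style
# strings are invented placeholders, not real indicators. The subject of the
# first one uses Cyrillic es, ka and ie in place of c, k and e, as in the post.
SAMPLE_SEXTORTION = """\
From: Hannah Taylor <bill@sender.example>
Reply-To: bill@sender.example
To: contact@victimdomail.tld
Subject: Ti\u0441\u043a\u0435t ID: DMS-000-00000 Maybe this will change your life

I do not want to judge anyone. I have a video of you from an adult site that
I compromised. Send $300 in Bitcoin to 1AaBbCcDdEeFfGgHhJjKkMmNnPpQqRrSs
within 24 hours or every contact you have will see it.
You can complain to cops for a help, but they wont search out me.
"""

SAMPLE_DDOS_NOTE = """\
From: Armada Collective <noreply@sender.example>
To: admin@victimdomail.tld
Subject: DDoS attack warning

We are Armada Collective. Pay $700 in Bitcoin to
3BbCcDdEeFfGgHhJjKkMmNnPpQqRrSsTt within 24 hours or your site goes offline.
"""

SAMPLE_BENIGN = """\
From: IT Helpdesk <helpdesk@victimdomail.tld>
To: admin@victimdomail.tld
Subject: Quarterly security review

Reminder: the quarterly security review is scheduled for Thursday morning.
"""

if __name__ == "__main__":
    for label, sample in (("sextortion", SAMPLE_SEXTORTION),
                          ("ddos note", SAMPLE_DDOS_NOTE),
                          ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

The score is a triage hint, not a verdict: a message scoring three or more is the kind the post says can be waited out past its deadline, while anything scoring one or two still deserves a human look and a search for the same wording in other reports, since an ordinary invoice reminder can also carry a dollar figure and a due date.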

The Plagiarized Essay Scam

“Pay $1500 or be exposed for using essay website to cheat”.

This somewhat elaborate scam is targeted at all the students who aren’t reading this post. However, because of its somewhat more intricate attack vector, it is worth looking at in some detail. Similar scams could eventually evolve that use this same template.

Most schools realize that plagiarism is a problem and, despite the warnings, they understand that students will continue to buy essays from essay writing services or copy material from online sites. This scam, which was exposed by a student at Curtin University in Australia, may be the beginning of a scam that could easily make its way around the globe.

It began with a student visiting an online forum for help with writing an essay. It was akin to offering yourself up as a victim. The student received advice from one forum member and was even sent a sample essay. Then the trap closed. The forum member who helped him now wanted “tutoring fees”. The student refused to pay, as there had been no previous talk of payment.

Probably because the student had given the scammer his email address to receive the sample essay, or possibly from information on the forum, the scammer was able to send numerous demands from different email addresses, each demanding $1500 for not telling the university that he had plagiarized an essay.

As it turned out, however, the student never used the essay he was sent because he felt it was unethical to do so. When he continued to refuse to pay, the scammer sent a fake email that pretended to be from the school’s vice chancellor. This email outlined the plagiarism case against the student. One wonders what the student would have done had he actually used the essay, or whether this angle had already worked on others.

This scam is a little more involved than most and takes a little more work for the scammer. However, the victims come to him on these essay forum help sites and all the scammer needs is their email address to begin the scam. The essay the scammer sends is probably one that they realize will be detected by plagiarism detecting software. They will then need to find the name of some authority at the school the person attends. They may have found this information on their social media sites, which they could have tracked down through their name or email address. Often, the victims are foreign students who may worry that their plagiarism will not only get them in trouble with their professors, but may get them kicked out of the country. Foreign students would be more likely to pay, especially if they used the sample essay. Therefore, if you are a foreign student and receive such emails, report them to the person that the attacker is pretending to be. And, don’t plagiarize.

I should note here that some paid essay writing sites are absolute frauds. This includes essaydom.com which has received 23 out of 23 one-star reviews for writing essays that appear to be cut and pasted together or written by uneducated nonnative speakers, most of whom, it is believed, live in Pakistan.

Students are not the only victims of targeted scams. There are a number of scams that target specific groups. One particularly sinister extortion email targets only Spanish speakers with threats to kill family members unless they pay a few hundred dollars. These emails are sent with pictures of family members that have been taken from the victim’s Facebook page.

Most scams are obvious and can just be ignored. Often the poor English gives them away. Many are filtered into the spam folder by your email provider, but, occasionally, some get through. If you are not sure if the email is legitimate or not, paste a unique sentence from the email into Google search and see if it leads you to similar scams. You can also check some scam information sites like Scambusters.org (though I can’t seem to get their search engine to work for me). However, if you really feel like someone is trying to extort money from you for whatever reason, it’s time to contact law enforcement.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.