Blackmail is the under-handed act of extorting payment or favour from someone in
return for not revealing embarrassing confidential information. It has been
a well-known method of many organised crime gangs and desperadoes
throughout history.
Blackmail
is alive and well. And thanks to the Internet it is becoming a
favoured cash cow of cyber-criminal gangs. In their rush to milk
their victims of BitCoin or other cyber currencies as quickly as
possible, these gangs operate almost purely on bluff – attempting
to create the fear in their target that perhaps they do have some
juicy information that is worth paying to keep under wraps. Or more
commonly, the threat that dodgy evidence will be created about the
victim, and it will be sent to all of their contacts.
This
article takes a look at the forms of blackmail that are being
perpetrated across the Internet, and how it differs from blackmail of
earlier ages. We will lift the veil on a sample black-e-mail, and
examine the reasons why you should not respond to it in any way. We
also take a look at what you can do if you receive one of these
emails.
Ye Olde Blackmail
In
your classic movie sequence blackmail, the blackmailer would contact
the intended victim by post, phone call, visit from a third-party
messenger, or, if they were really ballsy, in person. The blackmailer
would ask for some form of compensation from the victim, in return
for not carrying out a threatened action. Generally they would have
some form of evidence (real or contrived) that would lend credence to
their ability to carry out the threat.
Because
blackmailers in the past had to rely upon a closer physical proximity
to their victims, and the use of traceable communications, it would
be unwise for them to conduct too many concurrent blackmail attempts,
or to conduct too many within the same locale. Such activities would
increase the likelihood of detection and interference from
authorities.
This
meant that the blackmailer’s opportunity to make a living from
their exploits was limited. Therefore, every attempt they made
needed to have a reasonable chance of success, and a reasonable size
reward. If not, then there would not be enough financial incentive
for the blackmailer to continue against the risk of being caught.
If
the blackmailer picked the wrong target, the risk of being caught would
increase. If the threat was not real or credible, the victim would
not pay.
Why Blackmail Works
Blackmail
works upon the linchpin of a credible threat, one that the victim
believes the perpetrator is capable of delivering upon. The threat
can be real or perceived, so long as the victim believes that the
impact of the consequences outweighs the value of the money being
extorted, and the risk that the perpetrator will carry out the threat
is large enough.
Blackmail
may range from something that is straight thuggery – a school bully
threatening to beat up others for their lunch money – to something
far more sophisticated. The more sophisticated the blackmail attempt,
the more the perpetrator must know about the victim to be able to
successfully carry it off.
Blackmail in the Digital World
Online
blackmail can be delivered and executed with huge amounts of
sophistication, but just like blackmail in the offline world it takes
time and effort to set it up right. This then reduces the reward-for-effort
benefit that the criminal is looking for. The advantage that
the Internet offers for blackmail operations is that even if the
threat the blackmailer offers is not highly credible, the Internet
offers the blackmailer access to thousands of potential victims. As
long as one or two of those victims can be duped into believing the
threat is credible, then the blackmailer will have earned their keep.
And
here is where blackmail operators in the digital world come to rely
upon the naivety and lack of knowledge that many people have regarding
the line between reality and fiction in the cyber world. In
short, digital blackmailers rely upon the lack of detailed computing
knowledge of the general masses to be able to dupe victims with
perceived threats on a large scale. Blackmailers who operate with
such methods do not care about the victims who do not give in, and
are therefore less likely to have the means, time or willingness to
go to the effort of delivering the consequences promised.
Dissecting a Sample Black-e-Mail
I
had been considering an article regarding online blackmail for some
time, but I was suffering a kind of writer’s block. Then last week
I received an email from a blackmailer. Perfect. Inspiration and an
example for the article.
Initially
when I opened the email I was suspicious and I felt genuinely
concerned. As I read through the email however, I became less and
less concerned. Below is the content of the email, along with my
notes for each part of the email regarding the credibility of the
threat.
I
am well aware m8a8lane is your pass. Lets get directly to point. You
don't know me and you are probably thinking why you are getting this
e-mail? None has paid me to check about you.
Well,
I actually installed a software on the X vids (sexually graphic)
web-site and do you know what, you visited this site to have fun (you
know what I mean). When you were viewing video clips, your internet
browser began working as a Remote Desktop with a key logger which
gave me access to your display screen and also web camera.
Immediately after that, my software gathered your complete contacts
from your Messenger, social networks, and email . And then I created
a double-screen video. 1st part shows the video you were viewing (you
have a fine taste rofl), and next part shows the recording of your
webcam, yea it is you.
You
do have only 2 possibilities. Lets take a look at these options in
particulars:
1st
alternative is to ignore this e mail. Then, I will send out your tape
to just about all of your personal contacts and also consider about
the humiliation that you receive. And as a consequence if you happen
to be in an affair, precisely how it is going to affect?
Number
2 alternative should be to give me $8000. Let us regard it as a
donation. Then, I will instantaneously eliminate your videotape. You
could keep going your daily life like this never happened and you
will never hear back again from me.
You
will make the payment via Bitcoin (if you do not know this, search
for "how to buy bitcoin" in Google).
BTC
Address: 1EkQBrFKfBYdo5wjsiz5SnQap2qaMyB6JF
[CASE-sensitive
copy and paste it]
If
you may be thinking of going to the cops, okay, this email cannot be
traced back to me. I have covered my steps. I am also not trying to
demand very much, I only want to be rewarded. You have one day in
order to pay. I have a special pixel in this email message, and now I
know that you have read this email. If I do not get the BitCoins, I
will certainly send out your video to all of your contacts including
family members, coworkers, and so forth. Nonetheless, if I do get
paid, I'll destroy the recording immidiately. If you want to have
evidence, reply Yup! then I will certainly send out your video
recording to your 11 contacts. It's a non-negotiable offer, that
being said please don't waste mine time and yours by replying to this
e-mail.
| What the scammer said | My notes |
|---|---|
| “I am well aware m8a8lane is your pass” | I assume you mean password, and no that is not my password for anything. |
| “You don't know me and you are probably thinking why you are getting this e-mail?” | Poor grammar, typical of someone who is not of an English-speaking background. That does not mean that this is not legitimate, but eastern European and Soviet threat actors are well known for using this type of scam. |
| “None has paid me to check about you.” | Grammar getting worse as the scammer is trying to make a case for you to pay them. Because no one else has paid them is a pretty lame reason. |
| “Well, I actually installed a software on the X vids (sexually graphic) web-site and do you know what, you visited this site to have fun (you know what I mean)” | First, no I did not. But let’s humour you for a moment Mr Scammer. If I had visited the site indicated for any purpose, why is it that you feel the need to remind me what the site is? Surely if I had that much fun I would not need reminding. |
| “When you were viewing video clips, your internet browser began working as a Remote Desktop with a key logger which gave me access to your display screen and also web camera. Immediately after that, my software gathered your complete contacts from your Messenger, social networks, and email .” | Ok – this part is a little concerning, simply because these things are technically possible. It is not that concerning because I know that my computer’s firewall and patching are up to date. |
| “And then I created a double-screen video. 1st part shows the video you were viewing (you have a fine taste rofl), and next part shows the recording of your webcam, yea it is you.” | Whilst technically possible to create such a video, I'm not sure how my face looks anything like the underside of a post-it note, because that is all that my web-cam would see. Also note the attempt to deliver a put-down regarding the ‘quality’ of the video I was supposedly watching. Such a play is an attempt to make the victim feel more helpless – to feel that the scammer is in control. |
| “1st alternative is to ignore this e mail. Then, I will send out your tape to just about all of your personal contacts and also consider about the humiliation that you receive. And as a consequence if you happen to be in an affair, precisely how it is going to affect?” | This alternative shows that the scammer knows little to nothing about me, and has not taken the time to find out. They clearly do not know if I have been having an affair, or if I am even in a relationship. If they had hacked into my personal contacts (let's assume Facebook and Twitter), they would have some idea about my current relationships. Therefore, they are less likely to be targeting me as an individual, and this email is more likely part of a larger campaign aimed at thousands in the hope of duping two or three victims. In all likelihood, this email and thousands of others were created by feeding a list of email addresses to an automated email generation script. |
| “Number 2 alternative should be to give me $8000. Let us regard it as a donation. Then, I will instantaneously eliminate your videotape. You could keep going your daily life like this never happened and you will never hear back again from me.” | Yeah, sure. NOT! If a video tape did exist – let's pretend I did what you said I did, and that you had hacked my computer – first you have given me no evidence that it does exist. Second, you have not allowed me to trust that you would destroy it if I did pay. That lack of trust is a deal breaker. Thirdly, if I was to allow myself to be suckered into paying you, I expect that you would contact me again within a month claiming to have kept the video, and demand more money. |
| “I am also not trying to demand very much, I only want to be rewarded. You have one day in order to pay.” | You are not trying to demand very much? $8,000 - ‘not very much’?! How much do you think I earn? You obviously have not hacked my bank account otherwise you’d know that I consider $800 to be too much. And 24 hours to pay $8,000? Converting such sums of money to BitCoin or another foreign currency would attract the attention of Federal authorities in Australia. This in turn strips credence away from this email as it indicates that the blackmailer has not thought through what they are doing. Whilst the trail of money might become difficult to follow once it goes to a BitCoin wallet, if a number of people started to transfer the same amount of money to BitCoin around the same time, this would surely arouse the suspicion of the authorities and prompt an investigation. Again this is more evidence that this is probably a mass-randomly-generated email campaign of blackmail. |
| “I have a special pixel in this email message, and now I know that you have read this email. If I do not get the BitCoins, I will certainly send out your video...” | A special pixel would be in the form of an image, or a hyper-text reference to an image stored on a server. The image could be white, or light grey and therefore hard to detect to the naked eye. The theory being that when you view the email, your email client will download the image, and the scammer can track that you have read the email. Taking the option to view the original source data of the email allows for a search of the raw text and formatting markups. There were no images embedded in the email, and no hyper-text file references or inclusions – therefore no ‘special pixel’ present. |
| “If you want to have evidence, reply Yup! then I will certainly send out your video recording to your 11 contacts.” | So, if I have the temerity to answer this email directly, and call your bluff, you will send out the video that I know you do not have? That is just silly. And again, you obviously have not hacked anything of mine. I know how many contacts I have, and the number is nowhere near 11. |
So,
in short, too many things in this email do not make a whole lot of
sense, and in fact help destroy the credibility of the threat posed.
Whether or not I had visited a porn site called X vids and had a real
fun time, the fact that my webcam is covered over when not in use
really spoils the credibility of the scammer behind this.
Am
I concerned that the scammer could have used images of me to compose
a video to harm my credibility? It is a possibility, but for someone
to go to the trouble of creating a fake or doctored video would mean
a lot of effort. The kind of effort that should be supported by an
email that was carefully crafted – not one as dodgy as that sent.
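The 'special pixel' check described in the notes above can be automated rather than done by eye. The following Python sketch is an added example, not part of the original analysis or any tool used for it; the function names, addresses and both sample messages are constructed for illustration. It parses a raw message and lists every resource a mail client would fetch from a server when the message is opened, which is the only way such a pixel can report back.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# (tag, attribute) pairs that make a mail client fetch a resource on open.
AUTO_LOAD = {("img", "src"), ("iframe", "src"), ("link", "href"),
             ("body", "background"), ("table", "background"), ("td", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?((?:https?:)?//[^'\")\s]+)", re.I)
REMOTE = ("http://", "https://", "//")

class RemoteLoadFinder(HTMLParser):
    """Collects remote resources referenced by an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        for name, value in a.items():
            if (tag, name) in AUTO_LOAD and value.lower().startswith(REMOTE):
                # A 0- or 1-pixel image is the classic invisible "read receipt".
                tiny = tag == "img" and (a.get("width") in ("0", "1")
                                         or a.get("height") in ("0", "1"))
                self.findings.append({"tag": tag, "url": value, "tiny": tiny})
            if name == "style":  # e.g. background-image: url(https://...)
                for url in CSS_URL.findall(value):
                    self.findings.append({"tag": tag, "url": url, "tiny": False})

def find_remote_loads(raw_message):
    """Return what the message would fetch from a server when rendered."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteLoadFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":  # plain text cannot load images
            finder.feed(part.get_content())
    return finder.findings

# Constructed samples: a text-only mail like the one dissected above, and an
# HTML mail that really does carry a 1x1 tracking image.
HEADERS = "From: a@example.invalid\nTo: b@example.invalid\nMIME-Version: 1.0\n"
PLAIN_ONLY = HEADERS + "Content-Type: text/plain\n\nI have a special pixel here.\n"
WITH_PIXEL = HEADERS + ("Content-Type: text/html\n\n<html><body><p>Hi</p>"
    '<img src="https://t.example.invalid/o.gif?id=1" width="1" height="1">'
    '<img src="cid:logo"></body></html>\n')

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN_ONLY), ("pixel", WITH_PIXEL)):
        print(name, find_remote_loads(raw))
```

An empty result means the message has nothing that could signal that it was opened; the `cid:` image in the second sample is ignored because inline attachments travel with the mail and are not fetched from a server.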
Blackmail is a Mind Game: Be Strong, Be Assertive
Blackmail
is a confidence trick. It is a mind game. Even more so when played
out across the Internet. The scammers are relying on their potential
victims panicking. They know that they could be targeting someone who
has done something that is worthy of blackmail material and has not
taken precautions against hackers, or that they could be targeting
someone who is not confident with technology, and may become easily
overwhelmed by the situation. In fact, they are counting on it.
Hasty
actions will likely lead to bad decisions. Stop. Breathe. Take the
time to read the email slowly. Does the email feel like the scammer
really knows you, or does it feel like some cheap marketing campaign?
It is easy to read the words that the scammer wants you to focus on,
but think beyond those words: is there something that the scammer is
hiding?
Have
confidence in yourself, and the knowledge of what you have done. Your
money and time are your own, you have earned them. The scammer has done
nothing worthy of claiming your money or your pride, so do not give
in.
When Threatened: Do Not
- When threatened with one of these emails, do not pay the scammer a single cent. That will only encourage them to keep trying, and they will likely target you again in the future. You should also treat the person/people at the other end of the scam as unscrupulous and void of morals. Do not expect that they would honour their word. Some might, but you have no guarantee. They might destroy whatever ‘evidence’ they have of that thing that you didn’t do. Or they might hand you back a copy, and keep a copy to use again in the future as a way of guaranteeing your future return business.
- Do not respond to their email. If you do, it will only serve to confirm that your email address is correct, and that you are not ignoring them. These people are oxygen thieves, don’t give them anything.
- Do not click any links that they put in the email. None at all.
When Threatened: Do
- Mark the email and any other email from that sender to be automatically deleted.
- Contact the authorities. For something this sinister the most appropriate Australian authority is ACORN (Australian Cybercrime Online Reporting Network – https://www.acorn.gov.au).
