You’re minding your own business, when suddenly you receive an email from your own account that your account has been hacked. Shocked, you open it to find a startling claim: someone has installed malware on your computer, and they have video of you in a compromising situation.
If you don’t send them a bunch of money via cryptocurrency, they’re going to share the video with your friends.
Most people would be a bit nervous at the sight of such an email. But as it turns out, this is a complete farce. Let’s dive into these scam emails and see why they’re bogus so you never hand over your money to scammers.
I’ve Been Hacked?!
We’ve received two similar scam emails in the past few weeks. Each one seems to come from your own email address, and claims that an attacker has fully taken over your system thanks to malware installed while visiting an adult site.
Here’s the first one:
And here’s the second:
Notably, Gmail recognizes that the first message is dangerous and was used to take advantage of people. The only reason these even made it to my inbox is because I’ve set up a filter to make sure messages from @makeuseof.com email addresses never go to spam. But I’m glad I received them, as they make a good illustration.
Because they sent an email “from your own account,” the attacker claims this is proof of their access. The scammer claims to have video of you using adult material, and threatens to send this to your contacts if you don’t pay hundreds of dollars in Bitcoin within a day or two. Of course, they ask for Bitcoin because it’s untraceable.
Let’s pick out specific lines from these emails to illustrate why this is nonsense.
It’s Easy to Fake Emails
The first email made this claim:
I sent this email from your email account (if you didn’t see, check the from email id). In other words, I have full access to your email account.
The second one goes even further:
Did you detect i’ve emailed you this message using your own e-mail address? This means i posses COMPLETE access to your system!
As you might know, it’s relatively trivial to spoof an email. Someone can send an email to your friend and make it look like the message came from your address.
This is the same as what’s happened here. Nobody has actually broken into your email; they’ve simply spoofed the message to make it look like it came from your own account.
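Spoofing works because the From line is just text the sender types; what the receiving mail server actually verified is recorded in the Authentication-Results header it adds. The Python sketch below is an added example, not part of the original article, that checks whether a "sent from your own account" message really authenticated as your domain. The message is constructed, and the example.org/example.net addresses and the receiving server name mx.example.org are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: headers of a "sent from your own account" message.
# Every address and hostname here is made up for illustration.
SAMPLE = """\
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=example.org
Return-Path: <bounce@mailer.example.net>
From: "You" <you@example.org>
To: you@example.org
Subject: Your account has been hacked

I sent this email from your email account.
"""

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers stamped by our
    own receiving server; a sender can add forged copies of this header."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # not written by our server, so not trustworthy
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def assess(raw, trusted_authserv="mx.example.org"):
    """Compare the visible From address with what the server verified."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    res = auth_results(msg, trusted_authserv)
    # Simplification: strict alignment (exact domain match) only.
    aligned = envelope.rpartition("@")[2] == from_addr.rpartition("@")[2]
    authenticated = res.get("dmarc") == "pass" or (
        aligned and res.get("spf") == "pass")
    return {
        "claims_self_sent": from_addr == to_addr,  # the scammer's "proof"
        "envelope_matches_from": aligned,
        "auth": res,
        "spoofed_from": not authenticated,
    }
```

For the sample, `assess(SAMPLE)` reports that the message claims to be self-sent but failed authentication, which is what a spoofed From line looks like from the receiving side.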
Further, the claim that gaining access to your email account means they have control of your system is a lie too…
They Don’t Control Your System
• I visited an adult web site
• Trojan malware makes itself at home
• douche gets remote access to Voyager & old email
• he watches & records me
• he emails me from my own account & demands bitcoin payment
• If I pay him, he leaves me alone
— Don Kelleone (@Kellthulhu) December 24, 2018
Both emails insist that they have access to your personal data and computer system:
The malware gave me full access and control over your system, meaning, I can see everything on your screen, turn on your camera or microphone, and you won’t even notice about it. I also have access to all your contacts.
This backdoor downloaded itself onto your device and provides me complete access to all your accounts, e-mails, data, contacts and so on.
While malware does exist that can spy on your webcam without you knowing, it would likely trigger your security software. One of the emails claimed that “My malware updates its signature every 10 minutes, and there is nothing your antivirus can do about it.” There’s zero reason to believe this, of course.
A piece of malware obtained on a website wouldn’t give the owner access to your contacts, accounts, “and so on” (which is extremely vague). Assuming you were using an incognito window, you wouldn’t be logged into any accounts in your browser. If you don’t have contacts synced to your computer, there’s no way they would have this information. “Data” is not specific at all.
The logistics of a small-time scammer keeping video footage from hundreds or thousands of victims don’t make much sense either. This would take up a lot of storage space and be far more work than such a person would be willing to do.
A Countdown to Destruction
Both messages try to pressure you into paying up by letting you know that you have a limited time to decide:
You have 48 hours to pay. Since I already have access to your system, I now know that you have read this email, so your countdown has begun.
From the time you opened this mail you activated a timer. My setup will at this point monitor this particular bitcoin address for any inbound financial transactions. You possess 12 hrs (just 12!) to generate the transfer.
The message doesn’t include a read receipt, and even with access to your system, it’s highly unlikely that someone would know exactly when you opened an email. This “limited time” is simply a ploy to pressure you into paying quickly.
Not only that, but the second message reveals an interesting blunder. It says that it will monitor its Bitcoin wallet for “any inbound financial transactions.” “Any” suggests that you are the sole victim of the attack; if the attacker infected multiple people but only received one payment, how would they know who paid? Bitcoin is anonymous, so there’s nothing tying your payment to your email account.
No scammer would go through the trouble of creating custom malware like this only to infect one person.
The scammer thinks they have you cornered. You wouldn’t want videos like these to go out to all your loved ones, right?
i will deliver all of the pics and videos i possess of you “pleasing yourself” to each of your contacts, imagine the affect this is going to have on your social life!
They want you to worry about what your friends would think about receiving such a video so you pay to silence them. With one email asking for $985 and the other $670, this is an expensive payoff.
Yet you could receive this email even if you’ve never visited such sites, or if your computer doesn’t have a webcam or you keep your webcam covered. The scammer is hoping that you fit the description they’ve created so they can scare you.
The second email was noticeably more aggressive than the first. It warned that if we didn’t pay, the malware would completely shut down our system:
On top of that your system will lock up in a specific timeframe and can never ever be used again . . . . When you do not make the transaction inside of this time-frame your device will lock up, even if you disconnect from the internet or change all your online passwords.
This is also ridiculous, of course. While malware like this is possible in theory, an amateur crook wouldn’t take the time to build such a complex program. They’re looking for a quick and simple payoff, which they would get if you sent them the Bitcoin they’re asking for.
All they had to do for this threat was devise a scary story, send an email, and provide their Bitcoin wallet address. This scam is nothing more than that.
How to Avoid Email Extortion Scams
As you can probably guess, we wrote this long after the “time limit” posed in these emails had passed. This proves that they’re completely false.
We’ve learned some good information from this analysis. Not only are emails easy to fake, but when you break down threats like this, you find that they’re incredibly vague. They don’t provide any proof that they have the compromising information, and they wave off pretty extreme malware infections as trivial.
The messages are also full of grammar mistakes, which shows that the senders didn’t care enough to proofread them and make them any more believable.
Of course, it’s possible that an attack like this could happen at some point in the future. We recommend reading further on how to protect yourself from email extortion scams.