Case Study: A Hacked Website Turns Into An Email Extortion Scam
This post is to show you what a real email extortion scam attempt looks like. In Episode 408 of my Security In Five podcast I talk about why you shouldn’t completely ignore your email spam folder. That episode came out of an experience I had after I reviewed my spam folder and realized one of the websites I used to use had been severely compromised. The hackers took data stolen from this website and turned it into an email extortion scam attempt.
How this works is simple. The hackers use data from the breach, like real names and, most importantly, the actual password from the website. The goal is to scare the recipient into believing the claims are true so they pay the hackers not to release personal images and information. Of course it’s all junk and fake.
Here’s the email I received. I redacted the password and the hacker’s Bitcoin address, but the rest is 100% as it was (spelling and grammar mistakes included).
I am aware xxxxxxx one of your pass. Lets get right to point. There is no one who has paid me to check you. You may not know me and you are most likely wondering why you are getting this mail?
Let me tell you, i actually placed a software on the X streaming (pornographic material) website and do you know what, you visited this website to have fun (you know what i mean). While you were watching videos, your web browser initiated functioning as a Remote control Desktop that has a key logger which provided me with accessibility to your display and also web camera. Right after that, my software collected your complete contacts from your Messenger, Facebook, and email . and then i made a double-screen video. 1st part displays the video you were watching (you have a fine taste lol . . .), and second part shows the recording of your web camera, and its you.
You have not one but two alternatives. We will take a look at these types of solutions in details:
Very first choice is to skip this e mail. Consequently, i am going to send your very own video recording to every bit of your personal contacts and also think about concerning the embarrassment you will definitely get. and definitely if you are in an affair, exactly how it will eventually affect?
in the second place option will be to give me USD 897. Lets refer to it as a donation. Then, i most certainly will quickly remove your video footage. You could keep your daily routine like this never occurred and you never will hear back again from me.
You’ll make the payment through Bitcoin (if you do not know this, search ‘how to buy bitcoin’ in Google).
BTC address to send to: xxxxxxx
[CaSe sensitive copy and paste it]if you are curious about going to the law enforcement, anyway, this email can not be traced back to me. I have covered my steps. i am just not looking to charge you so much, i prefer to be compensated. You have two days to make the payment. i have a unique pixel within this email, and now i know that you have read this e mail. if i do not receive the BitCoins, i definitely will send your video to all of your contacts including family members, coworkers, etc. Nonetheless, if i do get paid, i will erase the recording right away. if you want to have proof, reply Yes! & i will certainly send out your video recording to your 14 friends. it is a non-negotiable offer, and so don’t waste mine time & yours by replying to this mail.
When I first saw this I knew exactly which site it was for, because I could look up the password in my vault. I had an account on the website but hadn’t used it in years. It turns out the site was still live, but the company or team behind it must have abandoned it: every email I sent to the company bounced back. So they were hacked, and either through terrible password storage practices by the company or lackluster security controls, the hackers were able to get the passwords.
SIDE NOTE – Because I use a different password for every website account I have, the damage is limited to this one site. This is 100% why you NEVER use the same password on different websites.
The hackers collected the passwords connected to each account’s email address and sent out an automated message like the one above. In fact, the email above is the 4th version of this extortion attempt from the same breach. The requested amounts and the Bitcoin wallets were different, but it was the same attempt each time. There is also no technical way they could have collected the data they claimed through the methods they described. And the only way to get a read receipt on a text-only email is through the email client. There is no ‘magic pixel’ that reveals whether you read the email unless you click to download all of the images, and even then the effort of putting unique tracking in place for each recipient outweighs the payout. It’s another junk statement that most people will believe.
Unfortunately, things like this work on people. They freak out and pay up. In reality there’s nothing behind it except that the hackers obtained the password list on the dark web. I assume this email is not from the people who hacked the website; they purchased the list somewhere, as did others. The list must also have become available around Christmas time, because the emails all came in within the same 3-4 day window.
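To show the triage I did by hand, here is an added example (my own illustration, not code from the post): it scores an email for the recurring extortion indicators, pulls out the quoted password and Bitcoin address, and looks the password up in a vault export to find which site leaked it. The email text, the vault contents and the site names are all constructed for the demo.

```python
import re

# Constructed sample, modelled on the extortion email quoted in the post (not the real message).
SAMPLE_EMAIL = """I am aware hunter2-oldsite one of your pass. Lets get right to point.
i placed a software on the streaming website and made a double-screen video from your web camera.
my software collected your complete contacts from your Messenger, Facebook, and email.
in the second place option will be to give me USD 897.
BTC address to send to: 1FakeAddrForDemo77777777777777
i have a unique pixel within this email, and now i know that you have read this e mail."""

# Constructed password vault export: site -> password (hypothetical site names).
SAMPLE_VAULT = {
    "oldsite.example": "hunter2-oldsite",
    "bank.example": "k9!vTq-unique-2",
    "shop.example": "s3parate-pw",
}

PASSWORD_CLAIM = re.compile(r"I am aware (\S+) one of your pass", re.I)
BTC_ADDRESS = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 address shape
DEMAND = re.compile(r"\bUSD\s*\d+", re.I)
# Phrases that recur across versions of this scam; each one present adds one point.
INDICATORS = ("web camera", "contacts", "video", "btc", "bitcoin", "pixel", "one of your pass")


def triage(email: str, vault: dict) -> dict:
    """Score an email for extortion indicators and map its quoted password to vault entries."""
    text = email.lower()
    hits = [kw for kw in INDICATORS if kw in text]
    addresses = BTC_ADDRESS.findall(email)
    demands = DEMAND.findall(email)
    score = len(hits) + 2 * bool(addresses) + bool(demands)
    match = PASSWORD_CLAIM.search(email)
    leaked = match.group(1) if match else None
    # Every vault entry using the quoted password needs rotating; more than one means it was reused.
    sites = sorted(site for site, pw in vault.items() if leaked and pw == leaked)
    return {
        "score": score,
        "is_extortion": score >= 5,
        "indicators": hits,
        "btc_addresses": addresses,
        "demands": demands,
        "leaked_password": leaked,
        "sites_to_rotate": sites,
        "password_reused": len(sites) > 1,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL, SAMPLE_VAULT).items():
        print(f"{key}: {value}")
```

With a real vault export the `sites_to_rotate` list tells you which account was breached, and a `password_reused` of `True` is the signal that more than one site needs a new password.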
I get spam just like you do, and I post about it to bring awareness to the attempts by the bad people of the world to rip you off.
Remember:
- Don’t use the same password on multiple sites.
- Enable multi-factor authentication everywhere it’s offered.
- Audit your accounts and delete the ones you never use. If you can’t delete an account, strip out the identifying data.
- Use a Password Vault.
- 99.9% of the email you get claiming anything that demands money is bogus.
- If you are unsure – Ask, Verify, Hesitate and don’t panic.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.