I got an interesting email at work this morning:
Hi.
I do not presume to judge you, but in some of few cases, we have touchpoint since now. I do not think that caress oneself is very amiss, but when all your relatives, colleagues and friend see it - its obviously bad.
So, what am I implying? You surfed the website with porn, which I've adjusted with the deleterious soft. After you chose video, virus started working and your device became acting as dedicated desktop at once. Naturally, all cams and screen started recording instantly and then my virus collected all contacts from your device.
I text you on this e-mail address, because I got it from your device, and I make no doubt you for sure check this work e-mail.
The most interesting point that I edited video, on one side it shows your screen record, on second your cams record. Its very amusingly. But it was sophisticated.
As a conclusion - if you want me to delete all this compromising evidence, here is my BTC (cryptocurrency) account. If you do not know how you can google or youtube for help - its very easy. I suggest that 290 usd will solve our problem and I will destroy our touchpoint. You have thirty hours after opening this letter (I put tracking pixel in it, ill know when you open it). If you wont pay me, ill share the compromising with all contacts I've collected from you.
Finally, you can ask police for help, but, obviously, they will not find me for 1 day, so think twice, you can lose your honor. Sorry for misprints, I am foreign.
Well, my first response was obviously panic. I was reminded of an episode of Black Mirror - Season 3, episode 3: Shut Up and Dance, where a teenage kid is recorded masturbating, and blackmailed into doing things, seemingly for the entertainment of some unknown hacker - like trying to get to a location 15 miles away in 45 minutes. If you haven't seen it yet, don't read the Wikipedia page - go and watch it, it's great!
I slowed my breath to calm myself, and started thinking over the email. For starters, the only computer I use to access work related stuff has no camera. The only computer we have that does have a camera isn't used for work. So there's no way the two can be linked. Plus, if I really think about the stuff that I watch, it isn't even that risque, so I'd be a bit embarrassed if someone else watched me watching it, but it's not the end of the world. Not worth giving in to the terrorists!!!!
I read over the email again, and after reading it a couple more times, I started laughing at how bad it actually is. It sounds like something someone would write after watching too many episodes of Mr Robot. I mentioned it to A, and he forwarded a couple he had received, too. I noticed that they were charging him less money than they were going to charge me, but his email said that he would have the chance to "become a star among friends". Damn, why did he get such a nice scammer?
I showed it to some of the other developers on my team, and the part they found the funniest was the "tracking pixel". While it is possible to do something like that - you insert a tiny image into the email hosted at a URL that is unique for each person you send it to, and when your web server receives a request for that image, you can track the time the request was received and that's likely when it was opened. It doesn't work that well, because a lot of mail providers will have images from unknown senders disabled by default. Anyway, I checked the source of the email, and it was text only, no img tags or HTML of any kind, so the tracking pixel was a lie.
The other things that emails like this prey on are the sense of urgency. Most people won't have used Bitcoins before, so their first thought might be, "How can I get Bitcoins?", as they will feel under pressure to make this go away quickly, rather than focusing on whether it's a real threat. They also keep pointing out that it'll be shameful for your friends and family to see this stuff so that it's on the forefront of your mind.
Another thing that seems to be quite common for these kinds of email scams - the name of the person never seems to match the email address. So the sender might be called Jonathan Brown, but the email address will be samantha@scammers.com.
As for how the scammer got my work email address, it seems that a bunch of people were hit, so they probably scoured a site like LinkedIn, and tried firstname.lastname@companyname.com, which is probably bound to hit a large number of targets. They only need a few fish to bite for them to have made money, and as far as crimes go, it's fairly low-risk (assuming they're from another country and / or have managed to mask their origin properly).
What kind of things can you do to protect yourself?
- Don't run suspicious software.
- If you do have a laptop, or whatever it is that you use to watch seedy things, make sure your webcam is covered / unplugged.
- Keep your software up-to-date. Companies will usually patch security vulnerabilities when they become known, so keeping your stuff up-to-date makes the potential attack space smaller.
- https://www.scamwatch.gov.au is a good resource.
No comments:
Post a Comment