The Scam
by Bruce • December 22, 2018 • LifeStuff
I had an internal crisis this week that was a good wake-up call in a few areas.
I received a phishing email very early Thursday morning that claimed that a hacker had accessed my hard drive through a compromised email account, and that the intruder had planted malware on my computer that would share its contents with the world if I didn’t pay them a fee within 48 hours.
The fee/ransom was roughly $750, and the fee had to be paid to an anonymous but specific bitcoin wallet.
My immediate reaction upon reading the email was a volcanic explosion of fear, which then expressed itself in mounting paranoia- which is the purpose of such blackmail/extortion emails.
I, a private and not remotely perfect person, didn’t really want my family or friends to know or see all of what was on my computer hard drive.
My follow-up response was to immediately spend some time looking up phrases and sentences of the letter on Google to try and decipher the real danger from it.
What made the email so instantly threatening was the sender’s claim that they had accessed my email account through a hack, and that they had taken control of my contact book within it, and of the one on my computer. They presented me with an old password that I had used with the email account at one time to “prove” they were in my stuff. And they claimed to have sent the email FROM my email account (the Reply To address in the email was my email address).
My reaction was probably fairly typical for most people receiving a version of this scam mail: you see an email to you and from you with a claimed hack, and you see the Reply To address is your own, and you see an old password that you have used on old personal accounts- a real password that came from your mind- and you emotionally decide this violator has indeed infiltrated onto your computer, and into your private life. You feel helpless and powerless, invaded, and owned. And as a normal reaction, you feel scared.
Fortunately, patience and a little research helped me out. The scam I received was a common one, the internet finally told me. The “I’ll spill your secrets if you don’t pay me” effort is not new.
I learned my old password shared in the note was one that had been harvested long ago in an online site hack. So many online companies have been hacked over the years that old usernames and passwords many of us have used at some compromised company at one time or another have ended up in a database that scammers get ahold of. Those passwords are linked to our email address and if that email address is active and we get the email containing that old password, we think the hackers have gotten into our business. That is not necessarily the case, though. And seeing my email address in the email’s Sent field doesn’t mean the sender was in my account. Send and Reply To fields in an email can be easily manipulated to “spoof” the recipient’s email address, and seeing our email address in both the Sender and Recipient mail boxes makes us think the email was sent from our account. But having our email address in the Sent field doesn’t necessarily mean it was sent from our email account.
My immediate terror quieted, and I looked at the detailed email header which helped me to get the sender’s IP address and run it through a locator tool on the web, which let me know the email was sent from a computer in Nairobi.
The email claimed to have control of my computer and the files upon it, as well as control of my email account and its contact book, but its proof was an old email password (from probably 6 years ago or so), and a spoofed sender’s address. But the email was actually sent by a machine in Africa, using compromised account information from a known online hack from years ago as its source of knowledge on me. Logically, it seemed pretty clear the hacker had no access to my email account or my computer.
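An added example, not part of the original post, of the header check described above: it compares the claimed sender fields with the relay path recorded in the `Received` headers and returns the first connecting address outside the recipient's own mail provider. The message, addresses and the `OWN_NETWORKS` range are constructed assumptions; only `Received` lines written by your own provider's servers can be trusted, since anything below the handoff can be written by the sender.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample, not the message from the post. Addresses use
# documentation ranges (RFC 5737) and example.net.
RAW = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    "\tby inbox.example.net with ESMTP; Thu, 20 Dec 2018 03:12:09 +0000\r\n"
    "Received: from unknown (HELO host) ([203.0.113.45])\r\n"
    "\tby mx.example.net with SMTP; Thu, 20 Dec 2018 03:12:07 +0000\r\n"
    "From: bruce@example.net\r\n"
    "Reply-To: bruce@example.net\r\n"
    "To: bruce@example.net\r\n"
    "Subject: constructed sample\r\n"
    "\r\n"
    "constructed body\r\n"
)
OWN_NETWORKS = ["192.0.2.0/24"]  # assumption: the mail provider's own servers
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyze(raw, own_networks):
    """Compare the claimed sender with the relay path the servers recorded."""
    msg = email.message_from_string(raw, policy=policy.default)
    nets = [ipaddress.ip_network(n) for n in own_networks]

    def addr(name):
        return parseaddr(str(msg.get(name, "")))[1].lower()

    handoff = None
    for hop in msg.get_all("Received", []):  # newest hop is listed first
        match = IP_RE.search(str(hop))
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address
        if not any(ip in net for net in nets):
            handoff = str(ip)  # first client outside the provider's network
            break
    return {
        "from_is_recipient": bool(addr("To")) and addr("From") == addr("To"),
        "reply_to_is_recipient": bool(addr("To")) and addr("Reply-To") == addr("To"),
        "handoff_ip": handoff,
    }
```

A message whose From and Reply-To both equal the recipient while `handoff_ip` lies outside the provider's network was submitted from elsewhere with forged sender fields, which matches what the post found.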
Still, I felt anxious. I am not a perfect person. And there are some things on my computer I would rather the world not have access to- from personal jottings to financial information, among others.
My internet searches then focused on the Subject line of the email- and it was from this that I learned that I was receiving a common blackmail email. Various security sites confirmed for me that no, my email account had not been hacked, and no, my computer had not been infiltrated.
An old password in the email did enough to give many people a big enough jolt that they believed the hoax and, if they had enough on their computer they were afraid others would see- most often porn or other compromising materials- that they felt would hurt their life or relationships, they were super vulnerable to paying the fee.
My research continued and affirmed this reality.
I finally did a search on the name of the bitcoin wallet listed in the email where ransom payments were supposed to be sent, and I came up with two particular web pages that helped me to understand the scope of this scam (and this particular scammer’s reach).
The first page was a page on Blockchain that showed transactions that had occurred related to the address of this particular bitcoin wallet.
The second page was on the site Bitcoin Abuse Database, which is a repository for collecting complaints against bitcoin wallets that are used for nefarious activities, like blackmail letters and ransomware settlements.
I called my brother and talked to him about the email later on the day I had received it, and it was good, because the note actually helped me to talk with him about some heart things, and about broken places in my life, and about love, and about seeing things correctly. The note in some ways gave me a wake-up call about my life and how I live it, and also about my need to be careful about simply securing accounts on my computer. I tend to be lazy with that stuff too often. Securing accounts, and securing my mind and heart. He reminded me that if for some reason the scam was legit and my dark secrets turned up on the internet for family and friends to see, he and my family would still love me. I love that about our family, he told me. Yes, me too, I responded.
I felt logically after my basic research that the emailed letter was a scam and ultimately full of lies, but emotionally, I remained anxious as the 48 hours passed.
I kept an eye on the two bitcoin wallet-related pages, which helped me to see what I needed to see.
48 hours later- 55 hours later- I had not received an email, text, or call from a family member or friend saying that my life secrets were sent to them through an email with a link to an archive on the dark web.
On the Bitcoin Abuse Database page, though, were 113 complaints lodged against this bitcoin wallet, with descriptions and reactions that ranged from the informative about the specific email content that was egregious and a statement of the extortion amount and the address of the wallet, to expressions of cool disgust at its sender and indifferent mockeries of their extortion attempt. Some ridiculed its sender for sending them the same note, asking ransoms be sent to the same address, four times within the 2 day span. Others shared they had been sent similar notes to this before trying to extort money that passed the deadline without pay and consequence. They dismissed this effort as unthreatening. Most were clearly unafraid and unaffected by this ruse to gain money through a threat.
This known email type is plain and simply a phishing scam.
I understand how the email creates fear in the uninformed, though, and could create results. I am an IT guy, and upon receiving it, I was caught unawares, bewildered, and terrified that its claims were real- until the internet helped debunk it for me. Awaiting the end of the 48-hour window, though, I was still anxious that one or some of the claims might be true, and that I would have to come up with a PR campaign to explain embarrassing aspects about my life (because, sure, I have some, like many of us. Not all of us, but many of us.).
The exposure threat of the scam was big enough for 8 other individuals though. By 11AM this morning, 8 people capitulated and paid the ransom fee demanded in the email they had received to the bitcoin wallet- netting the scammer 1.2485 bitcoins.
Or, about $4800.
Scammers sending this type of note depend on quantities sent, fears provoked, and potential shame evasion, to wring money out of the recipient base. Humans are humans. We will tend to pay a lot of money (or work or wealth) to avoid having our deepest and darkest secrets shown to the world.
Unless we know the threat is actually not real.
Even then, the threat can remain feeling real.
When talking to my brother on the phone about it Thursday, he made the good point that regardless of how the scam worked out, it provided a good wake-up call, and an opportunity for me to look at my life, and to consider how I am living it, and if there are areas within it I wouldn’t want others to know about, an incentive to clean them up. And it also was a reminder that I just need to secure my online accounts. And just be more vigilant in relation to online data and accounts, and locking down my personal data on my home computer.
I tend to feel like if my life was laid open before others, yes, there are areas within it I would be acutely uncomfortable or embarrassed about what they might discover or see about the private me, but, walking through whatever shame might be there, it would be a corrective. God would still love me. My family would still love me. I am human, like every other person: flawed, self-interested, deviant. But also open to change and improvement.
Like, right now.