Swift | Silent | Deadly


PSA: An Aggressive Email Scam to Watch Out For




This post is going to warn you about a very aggressive email scam. I thought I’d seen it all, but I have recently gotten some pretty aggressive phishing emails that caught my attention. I want to make you aware of this scam so you don’t get taken by it. This aggressive email scam can give you a big jolt of fear, but hopefully I can prepare you for the day you get one of these.

Anatomy of The Scam

This scam begins when you get an email in your inbox from a random email address (usually Gmail). The subject line is your name. The text in the email is your name, phone number, and home address. This can be a little disconcerting from some random Gmail address. But there’s more: an attached PDF with your name on it.

Opening the PDF reveals a string of text. In short, the text uses threatening language to tell you that your computer has been hacked. It claims that your webcam has been recording you as you watch porn. “I then developed videos and screenshots where on one side of the screen, there’s the videos you were playing, and on the other half, it’s you doing dirty things.”

The reader is then given an ultimatum: pay around $2,000 in Bitcoin – within 24 hours – or the videos will be sent to everyone in your email list. Then the pièce de résistance is a street view image of the victim’s house. The image of your house probably does create a strong, visceral effect. Below is the full text of the PDF in two screenshots.

Why it Works

I admit that this is probably a pretty effective tactic. The scam plays on several emotions. First, it creates a fear of embarrassment. Many people will go to great lengths to avoid being embarrassed by the social groups that they hold most important. Some people may suffer serious consequences if these threats are carried out, like losing a spouse or business contacts. The apparent knowledge the “attacker” has makes the threats seem credible. Fear is a high-arousal emotion, and people are more likely to act on high-arousal emotions. This is why political campaigns rely heavily on fear-based advertisements.

Next, the email creates a sense of urgency. The demand to pay within a day doesn’t give the victim much time to think it through. If he or she is thrown into a panic by the thought of their “adult viewing” habits being made public, the demand to come up with $2,000, find a Bitcoin ATM, and figure out how to make it all work can be overwhelming. This prevents the victim from stepping back and actually thinking about the email itself.

Finally, the street view image manipulates the fear emotion even more. This seems to bridge the gap from your online life to your real life, making the fear much more visceral. It can make it seem as if the bad guy has actually been to your house – an uncomfortable feeling to be sure.

What is Actually Happening

The emails I have received have used false information that I gave when ordering products online. The false information gave me the first clue that this information wasn’t actually the result of a hack on my computer or phone. The second clue was the language of the email: all the stuff the hacker supposedly saw is very generic; there are no specifics about my clothing, my house, or anything else.

The third clue that this aggressive email scam is generic rather than targeted was the street view image. In this case the street view image was a view of the wrong side of the street. It’s not like someone sent me a picture of my neighbor’s house; in this case it was simply an image of the pasture across the road.

What has happened is my (and probably your) data has been stolen from a website. At some point I have made an online purchase and given this specific combination of name, phone number, email address, and home address. My information from that website has been spilled in some form or fashion. Once the bad guy has your home address, they can pull up a street view image. This can be pasted onto a form letter, and your name and phone number plugged in. This can then be emailed out en masse in hopes of getting a gullible victim or two to pay the ransom.

What to Do About This Aggressive Email Scam

With all the threatening, urgent language it is understandable to be a little thrown off. At first I was a bit startled by this tactic. Outside of the information you give to websites when you make a purchase or register an account (name, email, home address, phone number), there are no specifics. This is an indicator that hundreds of other people are getting the exact same generic email. So what to do?

First, DO NOT open the PDF, especially on a Windows computer or Android phone. It can be difficult to not know what’s in the PDF, but opening it can do more harm than good. Though none of the ones I handled had embedded malware, this is always a strong possibility. Opening the PDF actually could lead to an infection. Second, DO NOT reply to the email. This can only open the potential to start a dialogue with the bad guy, which can lead to a pig-butchering attack†. Finally, DO NOT pay the ransom. Once that money is gone, it is probably gone.

If you have been taken by a scam like this, DO report it to the Internet Crime Complaint Center (IC³). Finally, DO use good security best practices: keep your OS and apps up to date, if you didn’t go looking for it, don’t install it, and use a good anti-virus. Avoid clicking links, and try to limit the number of websites and services you trust with your information.
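The indicators described under Anatomy of The Scam can be checked against the raw message without ever opening the attachment. The following is an added example, not code from the original post; the `triage` and `norm` helpers, the `FREEMAIL` set and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

FREEMAIL = {"gmail.com"}  # assumption: extend with other free-mail domains you see
# Constructed sample message shaped like the scam email described above.
SAMPLE = """\
From: x9k2 <x9k2.example@gmail.com>
To: jane@example.org
Subject: Jane Doe
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Jane Doe
555-0100
12 Pasture Road, Springfield
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="Jane Doe.pdf"

(constructed placeholder, not a real PDF)
--b1--
"""

def norm(s):
    # Lowercase and keep only letters and digits, for loose matching.
    return re.sub(r"[^a-z0-9]", "", (s or "").lower())

def triage(raw, name, phone, address):
    """Return the scam indicators found in a raw message; the PDF body is never read."""
    msg = message_from_string(raw, policy=policy.default)
    name_n, hits = norm(name), []
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain in FREEMAIL:
        hits.append("freemail_sender")
    if name_n and norm(str(msg.get("Subject", ""))) == name_n:
        hits.append("subject_is_recipient_name")
    body_part = msg.get_body(preferencelist=("plain",))
    body = norm(body_part.get_content()) if body_part else ""
    for label, value in (("phone", phone), ("address", address)):
        if norm(value) and norm(value) in body:
            hits.append("body_has_" + label)
    for part in msg.iter_attachments():  # attachment metadata only
        is_pdf = part.get_content_type() == "application/pdf"
        if is_pdf and name_n and name_n in norm(part.get_filename()):
            hits.append("pdf_named_for_recipient")
    return hits
```

A message that trips most of these indicators at once matches the form-letter pattern and can be deleted or reported with the PDF left unopened.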

†Sincere thanks to my friend D. for turning me on to this podcast which turned me on to the phrase “pig butchering.” He also helped with some valuable analysis of this type of attack. Thanks!

