My Malware Recorded You!

UPDATED BELOW 1/10/20: We’ve just heard from a TDS reader (9/1/18) who received the email below. It is unlike anything we’ve seen before, but we know for certain it is a scam and was likely sent to thousands of email addresses at random. The sender informs the recipient, whose phone number supposedly ends in “54”, that he has tricked the phone owner into installing malware on the phone. With that malware, the scammer says he has recorded “private videos” that he will publish if you don’t contact him and pay him money within 48 hours. We know this is a scam because the TDS reader who sent this to us doesn’t have a phone number ending in 54.

Notice that the email came from an address based in Japan (.jp is the two-letter country code for Japan). Yet the recipient is asked to reply to an email address at the domain service456[.]club. A WHOIS lookup of this domain shows that it was registered two days earlier (8/30/2018) through a private proxy service in Panama. Don’t believe this nonsense! It is a bluff, similar to the sextortion bluff we described in our article “Sextortion by Email.”

======================================================================================

UPDATED 10/14/18: We were contacted on October 12 by a woman we will call “Andrea.”  Andrea received the following two emails ten minutes apart.  One of the things that bothered Andrea is that both emails were spoofed to appear as though they came from Andrea’s own email address.  That isn’t difficult for criminals to do.  Both emails are complete lies.  Andrea’s computer was not hacked and isn’t recording her.  Also, based on the subtle language clues, we suspect this email was created by scammers in Africa…

From: [REDACTED]
Sent: 10/12/2018 5:43:01 PM
To: [REDACTED]
Subject: [EMAIL REDACTED] was hacked

Hello andrea@ My nickname in darknet is ephram28. I’ll begin by saying that I hacked this mailbox (please look on ‘from’ in your header) more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $500 is quite a fair price to destroy the dirt I created. Send the above amount on my bitcoin wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzc Q4Bq As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it! Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere! Good luck!

FOLLOWED BY…

From: [REDACTED]
Sent: 10/12/2018 5:53:55 PM
To: [REDACTED]
Subject: [EMAIL REDACTED] was hacked
Hello andrea@ My nickname in darknet is earlie19. I’ll begin by saying that I hacked this mailbox (please look on ‘from’ in your header) more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $500 is quite a fair price to destroy the dirt I created. Send the above amount on my bitcoin wallet: 1MN7A7QqQaAVoxV4zdjdrnEHXmjhzc Q4Bq As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it! Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere! Good luck!

===========================================================================================

UPDATED 10/25/18: On October 24 we heard from two more people who received scam emails nearly identical to those above. In the second email below, the scammer made the email appear to come FROM the very email address he sent it to. Also, the criminal CORRECTLY identified the recipient’s password! It was the very simple sequence “757575.” How did the scammer do that? It’s easy! Many users’ passwords and email addresses have been stolen over the years in breaches of dozens of online services such as Yahoo and Adobe. You can visit the website HaveIBeenPwned.com to see if your email address has been found on the Dark Web along with password information. The scammer simply gathered up known passwords and email addresses from breaches that are posted online and then sent these bogus emails!

Hello! My nickname in darknet is des53. I hacked this mailbox more than six months ago. Through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the adult sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You were so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $880 is quite a fair price to destroy the dirt I created. Send the above amount to my Bitcoin wallet: 321DuawT7hhUvnUfEeawgDidQhCsCK8swD As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, which I have carefully saved. Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Visit safe websites only, and don’t enter your passwords anywhere! Good luck!

AND ALSO:

From: [EMAIL REDACTED]
Subject: [EMAIL REDACTED] is hacked
Date: October 19, 2018 at 5:25:56 PM EDT
To: “757575” [EMAIL REDACTED]
Hello! My nickname in darknet is mead85. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. So, your password from [EMAIL REDACTED] is 757575 Even if you changed the password after that – it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $858 is quite a fair price to destroy the dirt I created. Send the above amount on my BTC wallet (bitcoin): 1FHPbKHcSx9CaXJzDpLoXG733ipQ77 UNx9 As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I’ll send to everyone your contact access to your email and access logs, I have carefully saved it! Since reading this letter you have 48 hours! After your reading this message, I’ll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don’t enter your passwords anywhere! Good luck!

=================================================================================================

UPDATED 11/13/18: We’ve just seen a very new variation of this scam in which a criminal tries to convince you that he has installed recording software on your computer, capturing your visits to embarrassing websites. It comes with a new twist. A woman received the email below on November 13, 2018, and the criminal correctly identified one of her passwords. It was an OLD password that she still used for accounts she didn’t consider important. (When websites and services get breached, these passwords end up on the dark web. It is easy for criminals to grab them along with the email address associated with them. Visit https://haveibeenpwned.com/ to see if one of your accounts has been exposed.) This email was sent from an email service in Russia:

From: Valaree Cote <guineverekvhgnoi@mail.ru>
Date: Tue, Nov 13, 2018 at 5:24 AM
Subject: [USERNAME] – [PASSWORD]
To: [EMAIL REDACTED]

He‌y the‌re‌ So‌ I a‌m a‌ ha‌cke‌r who‌ bro‌ke‌ yo‌u‌ re‌-ma‌i‌l a‌nd de‌vi‌ce‌ a‌ fe‌w we‌e‌ks ba‌ck. Yo‌u‌ type‌d i‌n yo‌u‌r pwd o‌n o‌ne‌ o‌f the‌ we‌b si‌te‌s yo‌u‌ vi‌si‌te‌d, a‌nd I i‌nte‌rce‌pte‌d thi‌s. Thi‌s i‌s yo‌u‌r pa‌sswo‌rd fro‌m [EMAIL REDACTED] o‌n ti‌me‌ o‌f ha‌ck: [PASSWORD REDACTED] Obvi‌o‌u‌sly yo‌u‌ ca‌n ca‌n cha‌nge‌ i‌t, o‌r pe‌rha‌ps a‌lre‌a‌dy cha‌nge‌d i‌t. The‌n a‌ga‌i‌n i‌t do‌e‌s no‌t re‌a‌lly ma‌ke‌ a‌ di‌ffe‌re‌nce‌, my o‌wn ma‌li‌ci‌o‌u‌s so‌ftwa‌re‌ mo‌di‌fi‌e‌d i‌t e‌ve‌ry ti‌me‌. Do‌ no‌t co‌nsi‌de‌r to ma‌ke co‌nta‌ct wi‌th me‌ pe‌rso‌na‌lly o‌r fi‌nd me‌. By me‌a‌ns o‌f yo‌u‌r o‌wn e‌ma‌i‌l a‌ddre‌ss, I u‌plo‌a‌de‌d ha‌rmfu‌l co‌mpu‌te‌r co‌de‌ to‌ yo‌u‌r Ope‌ra‌ti‌o‌n Syste‌m. I sa‌ve‌d yo‌u‌r e‌nti‌re‌ co‌nta‌cts a‌lo‌ng wi‌th fri‌e‌nds, fe‌llo‌w wo‌rke‌rs, re‌la‌ti‌ve‌s plu‌s a‌ co‌mpre‌he‌nsi‌ve‌ re‌co‌rd o‌f vi‌si‌ts to‌ the‌ Wo‌rld-wi‌de‌-we‌b re‌so‌u‌rce‌s. Addi‌ti‌o‌na‌lly I se‌t u‌p a‌ Vi‌ru‌s o‌n yo‌u‌r de‌vi‌ce‌. Yo‌u‌ wi‌ll no‌t be‌ my o‌nly vi‌cti‌m, I no‌rma‌lly lo‌ck pe‌rso‌na‌l co‌mpu‌te‌rs a‌nd a‌sk fo‌r the‌ ra‌nso‌m. Ne‌ve‌rthe‌le‌ss I wa‌s hi‌t by the‌ i‌nte‌rne‌t si‌te‌s o‌f i‌nti‌ma‌te‌ co‌nte‌nt ma‌te‌ri‌a‌l tha‌t yo‌u‌ u‌su‌a‌lly vi‌si‌t. I a‌m i‌n i‌mpa‌ct o‌f yo‌u‌r fa‌nta‌si‌e‌s! I ha‌ve‌ ne‌ve‌r e‌ve‌r no‌ti‌ce‌d a‌nythi‌ng li‌ke‌ thi‌s! So‌, whe‌n yo‌u‌ ha‌d fu‌n o‌n pi‌qu‌a‌nt we‌b-si‌te‌s (yo‌u‌ kno‌w wha‌t I me‌a‌n!) I ma‌de‌ scre‌e‌nsho‌t wi‌th u‌si‌ng my pro‌gra‌m thro‌u‌gh yo‌u‌r ca‌me‌ra‌ o‌f yo‌u‌rs de‌vi‌ce‌. Afte‌r tha‌t, I pu‌t to‌ge‌the‌r the‌m to‌ the‌ co‌nte‌nt o‌f the‌ cu‌rre‌ntly vi‌e‌we‌d we‌bsi‌te‌. No‌w the‌re wi‌ll ce‌rta‌i‌nly be la‌u‌ghte‌r whe‌n I se‌nd the‌se‌ pi‌ctu‌re‌s to‌ yo‌u‌r co‌nne‌cti‌o‌ns! Ye‌t I a‌m ce‌rta‌i‌n yo‌u‌ do‌n’t ne‌e‌d tha‌t. The‌re‌fo‌re‌, I e‌xpe‌ct to‌ ha‌ve‌ pa‌yme‌nt fro‌m yo‌u‌ i‌nte‌nde‌d fo‌r my si‌le‌nce‌. I co‌nsi‌de‌r $958 i‌s a‌n a‌ppro‌pri‌a‌te pri‌ce‌ re‌ga‌rdi‌ng thi‌s! Pa‌y wi‌th Bi‌tco‌i‌n. 
My BTC wa‌lle‌t a‌ddre‌ss i‌s 1DTudxvVgjLBe6v3v5JYFdM3a9bveXDwnu If yo‌u‌ do‌ no‌t u‌nde‌rsta‌nd ho‌w to‌ do‌ thi‌s – e‌nte‌r i‌n to‌ Go‌o‌gle‌ ‘ho‌w to‌ se‌nd mo‌ne‌y to the‌ bi‌tco‌i‌n wa‌lle‌t’. It i‌s si‌mple‌. Imme‌di‌a‌te‌ly a‌fte‌r re‌ce‌i‌vi‌ng the‌ spe‌ci‌fi‌e‌d a‌mo‌u‌nt, a‌ll yo‌u‌r de‌ta‌i‌l lwi‌ll be‌ pro‌mptly e‌li‌mi‌na‌te‌d a‌u‌to‌ma‌ti‌ca‌lly. My co‌mpu‌te‌r vi‌ru‌s wi‌ll a‌ddi‌ti‌o‌na‌lly re‌mo‌ve‌ i‌tse‌lf thro‌u‌gh yo‌u‌r o‌pe‌ra‌ti‌ng-syste‌m. My Tro‌ja‌n vi‌ru‌s po‌sse‌ss a‌u‌to‌ta‌le‌rt, so‌ I kno‌w whe‌n thi‌s e‌ ma‌i‌l i‌s re‌a‌d. I gi‌ve‌ yo‌u‌ two‌ da‌ys (Fo‌rty-e‌i‌ght hrs) fo‌r yo‌u‌ to‌ ma‌ke‌ a‌ pa‌yme‌nt. If thi‌s do‌e‌s no‌t o‌ccu‌r – a‌ll o‌f yo‌u‌r co‌nta‌cts wi‌ll ge‌t nu‌ts i‌ma‌ge‌s fro‌m yo‌u‌r da‌rk se‌cre‌t li‌fe‌ a‌nd yo‌u‌r de‌vi‌ce‌ wi‌ll be‌ blo‌cke‌d a‌s we‌ll a‌fte‌r two‌ da‌ys. Do‌ no‌t e‌nd u‌p be‌i‌ng fo‌o‌li‌sh! Po‌li‌ce‌ fo‌rce‌ o‌r fri‌e‌nds wo‌n’t su‌ppo‌rt yo‌u‌ fo‌r ce‌rta‌i‌n … PS I ca‌n pro‌vi‌de‌ yo‌u‌ wi‌th re‌co‌mme‌nda‌ti‌o‌n wi‌th re‌ga‌rd to‌ the‌ fu‌tu‌re‌. Do‌n’t ke‌y i‌n yo‌u‌r se‌cu‌ri‌ty pa‌sswo‌rds o‌n u‌nsa‌fe‌ we‌bsi‌te‌s. I e‌xpe‌ct fo‌r yo‌u‌r pru‌de‌nce‌. Go‌o‌dbye‌.

This email is a total scam!  There was never malware installed on the recipient’s computer.  What made this even more interesting is that the criminal who sent it tried to hide the contents from anti-spam servers by inserting random white letters in between every single word.  Look what we saw when we clicked and dragged through the text:

UPDATED 11/25/19:
We continue to receive these threats sent to us by extortionists telling us we had better pay them in Bitcoin or they will upload a video of us to the Internet.  But they are all scams and no such video exists.  Here are some recent samples…


UPDATED 12/21/19: A lawyer received the bogus email below and shared it with us a few days before Christmas. The statement “BTW…nice car you have got there,” together with the fact that it was sent to a lawyer, suggests that these extortionists are trolling the websites of people they believe can afford to pay. This threat did not contain any information identifying the lawyer to whom it was sent, other than an email address. Once again, it is an empty threat; there is no malware recording the individual. Also, look carefully at the email and you’ll notice that many letters are unusual: the sender has used accented and Cyrillic alphabet letters to help get the email past anti-spam filters.
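The two filter-evasion tricks described on this page, invisible characters inserted inside words (the November 2018 email) and Cyrillic or accented look-alike letters (the December 2019 email), can both be undone before a mail filter looks for the usual extortion vocabulary. The Python below is an added example written for this page, not code from TDS or from any spam filter; the keyword list, the hand-picked look-alike table and the two sample sentences are constructed for illustration and are not the real emails.

```python
import re
import unicodedata

# Invisible code points scammers insert inside words so that "bitcoin" no
# longer matches a filter's keyword list (zero-width space/non-joiner/joiner,
# word joiner, byte-order mark, soft hyphen).
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Cyrillic letters that render like Latin ones. Assumption: a hand-picked
# table for this example, not the full Unicode confusables list.
CYRILLIC_LOOKALIKES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0423": "Y",
})

# Vocabulary shared by the samples on this page (constructed list).
KEYWORDS = ("hacked", "hacker", "bitcoin", "btc wallet", "password",
            "48 hours", "camera")


def normalize(text: str) -> str:
    """Undo the obfuscation so ordinary keyword matching works again."""
    # 1. drop invisible characters
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    # 2. map Cyrillic look-alikes onto their Latin twins
    text = text.translate(CYRILLIC_LOOKALIKES)
    # 3. strip accents: decompose, then discard combining marks
    text = unicodedata.normalize("NFD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # 4. collapse whitespace and lower-case
    return re.sub(r"\s+", " ", text).strip().lower()


def extortion_indicators(text: str) -> list:
    """Keywords present after normalisation, in KEYWORDS order."""
    clean = normalize(text)
    return [kw for kw in KEYWORDS if kw in clean]


def invisible_char_ratio(text: str) -> float:
    """Share of invisible characters; legitimate mail is close to zero."""
    if not text:
        return 0.0
    return sum(ch in ZERO_WIDTH for ch in text) / len(text)


def mixed_script(text: str) -> bool:
    """True when Latin and Cyrillic letters are mixed, a homoglyph red flag."""
    scripts = {unicodedata.name(ch, "").split(" ")[0]
               for ch in text if ch.isalpha()}
    return "LATIN" in scripts and "CYRILLIC" in scripts


# Constructed samples in the style of the page's emails (not the real ones).
SAMPLE_ZW = ("He\u200cy the\u200cre\u200c So\u200c I a\u200cm a\u200c "
             "ha\u200ccke\u200cr who\u200c bro\u200cke\u200c yo\u200cu\u200cr "
             "pa\u200csswo\u200crd. Pa\u200cy wi\u200cth Bi\u200ctco\u200ci\u200cn.")
SAMPLE_CYR = ("Y\u043eur p\u0430ssw\u043erd w\u0430s h\u0430cked. "
              "Send $958 t\u043e my BTC w\u00e1llet within 48 h\u043eurs.")

if __name__ == "__main__":
    for sample in (SAMPLE_ZW, SAMPLE_CYR):
        raw_hit = "bitcoin" in sample.lower() or "hacked" in sample.lower()
        print("raw keyword hit:", raw_hit)          # False: the trick works
        print("normalised     :", normalize(sample))
        print("indicators     :", extortion_indicators(sample))
        print("invisible ratio: %.2f  mixed script: %s"
              % (invisible_char_ratio(sample), mixed_script(sample)))
```

Note that a naive substring check on the raw samples finds nothing, which is exactly what the scammer is counting on; the ratio of invisible characters and the presence of two scripts in one message are themselves useful signals even before any keyword is matched.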


On January 10, 2020, a professor at a university sent us the following email threat she received. Like all the others on this page, it is an empty threat meant to scare you into paying this extortionist. What threw her off, and why she contacted us, was that the email contained an old password of hers in the subject line. How could the extortionist know her password? It’s easy, we told her. Millions of passwords are posted on the dark web, along with names and email addresses. The extortionist simply took advantage of finding an email address and a compromised password together. If you want to see whether any of your old (or current!) passwords are out on the dark web, visit Have I Been Pwned?
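Three of the updates above recommend checking Have I Been Pwned. Besides the email-address search on the website, the site's Pwned Passwords service lets you check a password without ever sending it: only the first five hex characters of its SHA-1 hash are submitted to https://api.pwnedpasswords.com/range/, the reply lists every hash suffix sharing that prefix with a breach count, and the comparison happens locally. The script below is an added example written for this page, not TDS's code or HIBP's own client; the sample reply body and the count 1234 are constructed so it runs offline, and the live request is a separate function you can opt into.

```python
import hashlib
import urllib.request

API_RANGE = "https://api.pwnedpasswords.com/range/"


def sha1_parts(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breach data, given the reply."""
    _, suffix = sha1_parts(password)
    return parse_range_response(range_body).get(suffix, 0)


def query_range(prefix: str) -> str:
    """The only networked step: fetch the range for a 5-char prefix.
    Not called by the sample run below."""
    req = urllib.request.Request(API_RANGE + prefix,
                                 headers={"User-Agent": "tds-page-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_body(password: str, count: int) -> str:
    """Constructed stand-in for a range reply so the example runs offline;
    the two filler suffixes are made up, not real HIBP data."""
    _, suffix = sha1_parts(password)
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{suffix}:{count}",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])


if __name__ == "__main__":
    pw = "757575"   # the password quoted in the October 2018 email above
    prefix, _ = sha1_parts(pw)
    print("sent to the service:", prefix)
    # swap in query_range(prefix) to check against the live service
    body = constructed_range_body(pw, 1234)
    print("times seen in breach data:", breach_count(pw, body))
```

A count above zero means the password has appeared in at least one published breach and should be retired everywhere it was reused, which is precisely the condition the extortionists on this page exploit.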

IMPORTANT NOTE:

According to Brian Krebs at the blog Krebs on Security, two men who were most responsible for originating this scam were arrested in France on December 15, 2019. Read and celebrate this outstanding win for the good guys on Brian’s blog here.