Sextortion By Bot?
While The Daily Scam has reported on sextortion targeting Facebook users, and other dating scams many times, we believe this experience described below represents a unique method of extortion from a much more sophisticated source. In early December, 2017 we were contacted by Luke, a very savvy Internet user in his late 20’s who shared this story with us. As you’ll read in our analysis that follows, we believe this scam was perpetrated by sophisticated Internet criminals. Tell us if you agree or not!
Luke writes “I had a girl on POF reach out to me saying that she wanted to meet me. As soon as I replied to the message she sent me, she immediately sent a phone number in a message mentioning that she did not like or could not figure out how to use the site. She may have also complained about the kinds of messages she was receiving on the site. The phone number was a California number, 442-261-3237. This number is from one county over from the one I had been stationed in years ago with the Army, and I still had my phone number from that area, despite now living in Georgia. She said her name was Jess, and that she was visiting her sister in Santa Cruz before returning home to Hesperia. Her POF profile, which by this point had been deleted showed that she lived in Georgia. Her reasoning for being in Santa Cruz at the time and using a California number as opposed to a Georgia number was that her ex had destroyed her phone before she flew out to see her sister. I was out in an area with a lot of pine trees and had bad reception, but within a few minutes two pictures came in. One was a face shot of a girl in a pink hoodie with cleavage showing, and another was of a girl in what appeared to be the same shirt and sweatshirt, but with it wide open and pulled up. She was laying down on a bed with her breasts exposed, and did not appear to have any underwear on, but it was hard to tell with the resolution of the picture. I also remember she had lower abdominal/pelvic area star tattoos, one on each side. After that, she said she needed to stop using her sister’s phone because her sister needed to go see her boyfriend who lived an hour away. Her story was that her sister goes and spends the night with this man regularly, and that I should catch up with her on some website that she sent me a link for so that her sister could take her phone back. The link appeared to be for a service I did not use, and I was not about to download it. The quote she sent me was “my sister is hovering over me waiting for the phone back, so catch me on …” The rushing off of POF to text, the use of a California number in an area close to mine, the unexpected sending of nude pictures and then the immediate rush to get me to follow her to some odd website five minutes later were all major red flags. I’ve had people try to hit me with scams before, but this sounded like someone or something with the skill level of AIM bot scammers in chatrooms back in 2000.
Two weeks later, I saw another girl on POF state that she wanted to meet me. She was quite pretty, and claimed to be from Florence, SC. She also had in her profile that she was an Anglican, as I was. I sent her a message, and she responded, stating that she didn’t like POF and that I should text her at 442-261-3237. I thought the number looked familiar, and tried to pull my old text records online through my mobile provider’s website. Unfortunately, nothing with her number from the last time she had attempted to make contact came through on the record, so I was not able to be sure that it was the same number right away. I would have just checked in my phone, but I deleted the message chain from before, just in case the conversation happened to be with a minor. Normally I would have kept the conversation to warn anyone of the erratic behavior or any attempts at a scam or extortion. I texted her number from the same number I had used previously, just in case it was the same Jess, trying to pull something. Here’s how the conversation went:
Jess: i’m rly not sure how ppl use that… like so many weird guys haha, anyways im jess how’s it going? **Clearly, this was a red flag. I thought back to the conversation I had with her last time and hit her with a few questions. **
Me: Your pictures are different this time, Jess. You still in Santa Cruz? Georgia or South Carolina? What are you looking for?
Jess: Guess I’m just looking for someone to chill with… I’m not a hoe but just looking for some fun lol
Me: I think I know what you mean. How many times have you tried making a POF profile?
Jess: just fyi im just visitin my stepsis here in Santa Cruz until the 10th then back home to Hesperia **That was the exact same message she had sent the first time, which led me to believe this may be a bot. Naturally, I asked.**
Jess: soo just lookin for maybe a friend with benefits ha… nothin serious, promise!?
Me: Jess, are you a bot?
Jess: Bot? Well hmm I would like to think of myself as a female… No robot or whatever you thing here lol like seriously?… ** I thought back to the robots they have for robo-calls and cold calls nowadays because some of them have built-in responses for people who catch on and ask whether there is a robot on the line. It was still hard to tell at this point.**
Me: Are you on your phone or your sister’s phone? Does she have a boyfriend she needs to go see? Did your phone get destroyed before you left to California?
Jess: goin through a rly bad breakup backhome so that why im out here, so i can give my ex time to move out ** She had given a similar story before about going through a bad breakup, but the first time it was in a message responding to me about something rather than being one just out of the blue. I decided I would check and see whether she had any memory of it. **
Me: When was the last time you talked to me?
Jess: anyways, u dont have a girlfriend or anything like that right? i seem to find the shady guys in life haha ** She sent me this exact same message the first time she talked to me as well. Her next message was not a response to anything I had sent, but a pre-determined one in anticipation of a “no” from me. This proves bots are involved now, which adds another layer to the POF sext scam I read about on this site tonight.**
Jess: thats good! soo tell me tho, hows this going to work? i’ll be honest w u… i wanna have some no regrets fun boo
Me: Do you remember the answer I gave you last time?
Jess: greattt! this is actually my sis’s cell n shes been letting me use it. dumb ex took mine before i left since we shared a plan. ** Different reason for not having her phone and needing to use her sister’s. Last time, her ex destroyed or broke her phone, this time she had shared a plan with him and he took the phone from her. It was also a robot answer, so I made sure to mention that.**
Me: That was a robot answer.
Me: You said last time that your ex destroyed your phone. ** I decided to see whether the bot would send pictures of the same girl. Maybe that way, I could do a reverse image search through Tineye and find out who had her pictures or identity stolen to run a scam. I knew a girl who had her pictures pulled off of Facebook by a web crawler or something and re-used for camgirl websites and scams, so it wouldn’t have been the first time it happened.**
Me: Do you have a picture?
Jess: she just said that she needs it back cuz shes going to stay at her mans for a few nights like an hour away
Jess: a robot?? lol
Jess: do have my laptop so we could keep tlking n make some plans to chill@ didn’t know she needed to leave like RIGHT this sec
Jess: shes hovering over me waiting for this back! could you do me a really big favor boo?
Jess: on now waiting for u xlocaluser-DOT-me/xoxjess11 don’t keep txting this back she’s leaving right now [TDS DOES NOT RECOMMEND VISiTING THIS SITE DUE TO MALWARE RISKS!] **At this point, 2 pictures came through. One was of a girl who looked like the girl in the pictures of the short lived POF profile, but a little different from the first time I got messages from Jess. Maybe it was just the makeup, dyed hair and new nose ring (located on the right side of the nose. I think her eyes were the same greenish-brown color as the first girl’s. She has some cleavage visible, just as the first girl did. She was sucking on her index finger in the picture. The second picture was of the same girl in the same shirt as the first picture I described, but with the shirt pulled down so her bare breasts were exposed.**
Jess: just use ur phon e n msgme rly quick on xlocals. ill be by myself so ill showyou more of me! i pinky promise
Me: You look different.
Me: Are you a robot.
Me: Hi Jess
This could just be a scam to drag people to some camgirl sites, or to another dating website to increase its traffic using fake people. It could be something worse, I’m not sure. It sounds as though it’s incorporating different elements of various scams to pull something off, but I never followed her down her path enough to figure out what the endgame is once you make it to xlocals. In any case, watch out for Jess and 442-261-3237. The one piece of the puzzle I never nailed down was why a girl in Santa Cruz wanted to reach out to me to hang out. I could have gone to see her in South Carolina or Georgia as my location on my POF profile made clear. I haven’t lived in California for 8 years now, and that was long before I found out about POF. All I have is a phone number which is not connected to my POF account. I have no phone number listed for password recovery and I do not have the App. I’m not sure why she thought I was near Santa Cruz these days. I guess I’m a little impressed with how they started out but they totally blew it after about 10 minutes. Better luck next time, scammers.“
What’s going on?
TDS agrees with Luke that Jess’ responses are peculiar, especially since this is very likely the second time Jessica P has communicated with Luke in two weeks but doesn’t remember it or acknowledge it. If this is, in fact, a bot engaging Luke in conversation it elevates this scam to a much more sophisticated level. This kind of sophistication is more likely connected to organized crime from overseas, such as Internet criminals in Russia. We can never prove this but here are some of the bread crumbs we found to support this idea….
- Jessica P asked Luke to meet him on a website she identified as xlocaluser-DOT-me. On December 5 Google found absolutely nothing about this website. We conducted a WHOIS lookup of this domain and learned that it was very recently registered on November 14, 2017 by someone using WHOISGuard, a private proxy service in Panama. We frequently discover Russian/Eastern European Internet criminals using WHOISGuard to register their malicious domains. It was also registered through the Registrar NameCheap.com. NameCheap has been heavily used this fall by criminal gangs to register hundreds of malicious domains.
- Below is the web page waiting for Luke at the link Jessica P sent him. What is also interesting about this website is that when we visited the home page for the website xlocaluser-DOT-me, we were forwarded to another website xlocalflings-DOT-com and offered an invitation to chat with another 24-year old Jessica. (The first photo below is Luke’s Jessica. The second is the one we found when visiting the site.) The page also informed us that this second Jessica was located in our home town in Massachusetts. This implies that the site we visited uses geographical information in routers or cookies to place the bot close to the person who visits the site.
Both of these screenshots show a timer, use the term “Private chat voucher” and offer an “Accept Invite” button. This introduction to these “girls” is different than any other dating scam reported to TDS in the past. This website coding requires more sophisticated effort than previous scams.
3. We conducted an Internet search for Jessica’s phone number, as Luke did, and found that 442-261-3237 seems to be associated with Shoshone, California. Shoshone, California is a tiny town with a population of 31, last reported in the 2010 U.S. census. TDS looks up lots of phone numbers in our investigations. And so it caught our attention that Jessica’s phone number also showed up on the Russian website Wiki-numbers-DOT-ru. Wiki-numbers states “The main purpose of the section is to provide information on telephone codes of cities and countries of the world, as well as mobile operators around the world. Using the wiki-numbers service, you can easily determine from which country you were called. You can also determine in which country in the world a telephone number of a certain format can be used.” We don’t often find this to be the case
4. As Luke suggested, we ran a Google and TinEye image search and easily found the “Jessica P” photo on Tineye.com. This led us to a source of the photo sitting on the image site Imgur.com. With this image we also found several pornographic images of this same woman exposing herself in the manner described by Luke in the images sent by “Jessica P.” This means that, theoretically, anyone could have grabbed these images and sent them, pretending to be “Jessica P.”
The fact that a lot of effort, skill, and planning have been used to create the method to contact men strongly suggests that there is likely a criminal gang behind this effort. If this is true, they are are making this effort for financial profit and there are just a few choices…
- trick the man into exposing himself while recording it and then extort money from him
- entice the man to pay for “online sex” which will be offered after accepting the invitation
- trick the man into downloading and installing malware on his computer/smartphone by clicking “accept the invitation” to use the supposed site
We put our money on A. Online sextortion is proving to be lucrative and TDS is hearing more about it in 2017 than the previous three years combined. However, the only way we could know for certain is to step into that rabbit hole and click “Accept Invite” –which we’ll never do.
Tell us what you think! Email us at firstname.lastname@example.org