A fake ransom request

By now, most Internet users have heard about ransomware and ransom requests via Internet. For spammers who lack sufficient hacking skills, it is a simple matter to attempt a scam in which they pretend to have hacked your computer, and ask the payment of a ransom for not spreading private videos of you in "compromising" situations in front of your webcam. In the vast majority of cases, they have no video and have not hacked your Facebook account and computer, and they are only hoping that you are sufficiently anxious about the video being spread to your contact list that you might actually pay without analyzing the situation and the likelihood that what they say is true.

For example, this is a ransom request I received very recently:

Ransom request
Text of ransom request.

One first thing to note is that the text of the ransom request was sent as a JPG picture, probably to avoid the message being flagged as spam. My e-mail software (Thunderbird) did flag it as probable spam because the message contains only a picture, and no text.

Further points of interest:

  • The text contains a large amount of grammar, syntax and spelling errors, as well as poor general English form. It was obviously not written by a person with a significant education, let alone a formal training in writing. Judging from the wording, the writer is "most probably" not a native English speaker but a West African. The writer even tacked a question mark at the end of the last sentence, where it makes no sense. Easily observable technical details in the source code show that the ransom demand was sent from an Android device, which would not be my first choice for careful word processing.
  • At a superficial analysis, the e-mail does appear to come from one of my e-mail accounts. However, a quick examination of the logs on my e-mail server shows that no such message was sent from my account. The sender only spoofed my address, which is a rather simple thing to do and can be done by scripting and exploiting an insecure e-mail relay (so the same message can be automatically sent to a long list of addresses). This is a first indication that the message is in fact just a mass mailing, no different from spam.
  • The ransom request contains absolutely no proof that the sender is in possession of any private information on the destinatary (or any information at all, except the e-mail address - which in my case is publicly available). Probably hundreds of millions of persons in the world engage in solitary sex and/or visit porn sites (and neither of these activities is a crime), so it is easy for the sender to cast a wide net in the hope of netting a few easily embarrased persons. I do not visit porn sites except by mistake or by following misleading links, and normally I don't have a webcam connected to my computer, which makes the claims in the ransom demand even more unlikely.
  • A careful examination of the source code of the e-mail message shows that it does not contain any link to Facebook. It only contains the picture shown above, as an encoded binary file in the text. The claim that the sender is using "a Facebook pixel" to detect that the message has been read is therefore just an empty threat, and removes any remaining credibility from the ransom request. In any case, most e-mail clients can be configured to never automatically access web contents unless the user gives consent. Thunderbird is configured by default in this way, so it never automatically accesses Internet contents unless its configuration is manually changed.
  • The instructions to "copy and paste" [the Bitcoin wallet address] make no sense, since one cannot copy text to the clipboard from an image. This proves that the ransom demand was hurriedly written, without much attention to simple logic and common sense. This makes it difficult or impossible for inexperienced users, who are the most likely to be fooled by this ransom demand, to follow the instructions and make the payment before having time to think twice.
  • One detail worth mentioning is the "co-workers" in the last sentence. Most people have co-workers, but I have none. I am retired. One more detail that shows this is not a true ransom request, but just a variety of Nigerian letter/spam.

One thing that may help to identify the would-be scammers or bind them to other ransom demands is their Bitcoin wallet address. I can easily tell, for example, that at the time of writing the Bitcoin wallet of the spammers has not received any transactions, so their goal has failed (at least with this wallet):

Ransom request
Transactions on the spammers' Bitcoin wallet.

I am pasting below the ransom request OCR-converted to text, including the address, so that it can be stored by Google Search and other web crawlers and made available in public web searches. This might be useful to others who have received ransom demands with a similar text and/or the same Bitcoin wallet address:

This account has been infected! Modify your password immediately!
You probably do not heard about me and you may be most probably wondering why you're reading this email, right?
I'mhackerwho crackedyour email boxand all devicesseveral months ago.
It will be a time wasting to attempt to talk to me or alternatively seek for me, it is hopeless, since I directed you this message from YOUR account that I've hacked.
I developed malware soft to the adult vids (porn) site and guess you have spent time on this website to have a good time (think you understand what I want to say).
While you have been keeping an eye on video clips, your browser started out operating as a RDP (Remote Control) with a key logger that granted me authority to access your desktop and netvork camera.
Then, my software programgatheredall info.
You entered passcodes on the sites you visited, I caught them.
Surely, you'll be able to change them, or possibly already changed them.
But it really doesn't matter, my program renews information every time.
And what I have done?
I compiled a reserve copy of your system. Of all files and contacts.
I formed a dual-screen videofile. The 1 part presents the film you had been watching (you have a very good preferences, wow ... ), the 2nd screen displays the recording from your own webcam. What actually should you do?
So, in my view, 1000 USD is basically a reasonable amount of money for our very little riddle. You will make your payment by bitcoins (if you do not know this, search "how to buy bitcoin" in any search engine).
My bitcoin wallet address:
(It is cAsE sensitive, so copy and paste it).
You have only 2 days to send the payment. (I built in an exclusive pixel to this letter, and right now I know that you've read this email).
To tracethe reading of a letterand the activitywithin it, I usea Facebook pixel. Thanks to them. (That whichis appliedfor the authorities may also helpus.)
If I fail to get bitcoins, I will certainly transfer your videofile to all your contacts, such as family members, co-workers, and many more?

Needless to say, I simply ignored the ransom request except for sending a polite heads-up e-mail to an e-mail service which, based on the e-mail headers, might have been hijacked to send the ransom demand. It is now well past the "deadline" of the scammers, and nothing further has happened.

PS - After a few weeks, I received another e-mail, sent through a different insecure e-mail relay to another of my e-mail addresses. This one was identical to the first, except for minor spelling changes and a different Bitcoin wallet address (which also received no money so far).

Thanks to the original wallet address listed above having been reported to bitcoinabuse.com by multiple users, as well as the second e-mail I received, we can tell that the would-be extortionist is generating a new JPG (from a slightly different text) for each batch of e-mails, but the bitcoin wallet within each batch of e-mails remains the same. Since the programmer has been lazy and the bitcoin wallet address is re-used in multiple e-mails instead of being unique for each e-mail, we can tell that no one has fallen for this particular batch of e-mails and paid the ransom.

This also proves that the would-be extortionists, within the same batch of e-mails, do not have any way to find out who paid the ransom and who did not. Therefore, even assuming that the spammers do have a "compromising" video of a person, they have no way to detect whether this particular person has paid the ransom or not. In reality, they have no interest in knowing who actually paid, and only hope that a fool or two will fall for the scam.

Note - An earlier variant of this scam uses easily available databases of hacked social media passwords to try and convince the destinatary that the hacking pretense is real. Don't fall for this variant of the extortion. Also in this case, the e-mail contains no convincing evidence that the spammers are in possession of any "compromising" videos, and the simple possession of a password is no such evidence.

Distribution of page hits (whole site) during the last month.
Provided by clustrmaps.com

This site is ad-free. If you see any ads here, they are added by your ISP, or by spyware on your computer, or you are visiting this site through frames of another site.