A fake ransom request

By now, most Internet users have heard about ransomware and ransom demands sent over the Internet. For spammers who lack real hacking skills, it is a simple matter to attempt a scam in which they pretend to have hacked your computer and demand a ransom for not sending videos of you in "compromising" situations in front of your webcam to your contacts. In the vast majority of cases they have no video and have hacked neither your Facebook account nor your computer; they are only hoping that you are anxious enough about such a video reaching your contact list that you will pay without analyzing the situation and asking how likely it is that what they say is true.

For example, this is a ransom request I received very recently:

[Image: the ransom request as received. Caption: Text of ransom request.]

The first thing to note is that the text of the ransom request was sent as a JPG picture, probably so that the message would not be flagged as spam by text-based filters. My e-mail software (Thunderbird) did flag it as probable spam, precisely because the message contains only a picture and no text.

Further points of interest:

  • The text contains a large number of grammar, syntax and spelling errors, and its general English is poor. It was obviously not written by a person with much education, let alone formal training in writing. Judging from the wording, the writer is "most probably" not a native English speaker; my guess is West African. The writer even tacked a question mark onto the end of the last sentence, where it makes no sense. Easily observable technical details in the message source show that the ransom demand was sent from an Android device, which would not be my first choice for careful word processing.
  • On a superficial look, the e-mail appears to come from one of my own e-mail accounts. However, a quick examination of the logs on my e-mail server shows that no such message was ever sent from my account. The sender merely spoofed my address in the From: header, which is trivial: SMTP does not verify that header, and a script feeding an insecure e-mail relay can send the same message, with the same forged sender, to a long list of addresses. This is a first indication that the message is just a mass mailing, no different from ordinary spam.
  • The ransom request contains absolutely no proof that the sender possesses any private information about the recipient, or indeed any information at all beyond the e-mail address, which in my case is publicly available. Probably hundreds of millions of people in the world engage in solitary sex and/or visit porn sites (neither of which is a crime), so it is easy for the sender to cast a wide net in the hope of catching a few easily embarrassed persons. I do not visit porn sites except by mistake or by following misleading links, and normally I don't even have a webcam connected to my computer, which makes the claims in the ransom demand even less likely.
  • A careful examination of the raw source of the e-mail shows that it contains no link to Facebook or to any other external site. It contains only the picture shown above, as an encoded binary attachment embedded in the message body. A tracking pixel only works if the mail client fetches a remote image when the message is opened; this message has no remote content at all, so the claim that the sender is using "a Facebook pixel" to detect that the message has been read is an empty threat, and removes any remaining credibility from the ransom request. In any case, most e-mail clients can be configured never to fetch remote content unless the user gives consent. Thunderbird is configured this way by default, and never accesses Internet content automatically unless its configuration is manually changed.
  • The instruction to "copy and paste" [the Bitcoin wallet address] makes no sense, since one cannot copy text to the clipboard from an image. This shows that the ransom demand was written hurriedly, without much attention to simple logic and common sense. It also makes it difficult or impossible for inexperienced users, who are the most likely to be fooled by this demand, to follow the instructions and pay before they have time to think twice.
  • One detail worth mentioning is the "co-workers" in the last sentence. Most people have co-workers, but I have none: I am retired. One more detail showing that this is not a real ransom request, but just another variety of the "Nigerian letter" type of spam.
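The observations above can be checked mechanically on the raw source of the message. The following script is an added example, not code from the original page: it parses a constructed sample message (the hosts, IP addresses, Message-ID and X-Mailer value are invented; the IPs come from the RFC 5737 documentation ranges) and reports whether the From: address is backed by the envelope sender, which IP address submitted the message at the first hop, whether the body is a lone image, whether it contains any external URL that a tracking pixel would need, and whether the mailer header names Android.

```python
"""Triage a suspected sextortion e-mail from its raw source (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real message: a JPG-only e-mail whose From:
# is forged to the recipient's own address. Relay names, IPs (RFC 5737
# documentation ranges), the Message-ID and the X-Mailer value are made up.
SAMPLE = """Return-Path: <bounce@relay.example.net>
Received: from relay.example.net (relay.example.net [203.0.113.10])
 by mx.mydomain.example (Postfix) with ESMTP id 4AB12C
 for <me@mydomain.example>; Mon, 02 May 2022 10:11:12 +0000
Received: from [10.0.0.7] (unknown [198.51.100.23])
 by relay.example.net with ESMTPA; Mon, 02 May 2022 10:11:09 +0000
From: me@mydomain.example
To: me@mydomain.example
Subject: This account has been infected!
Message-ID: <1651486269.1234@localhost>
X-Mailer: AndroidMailApp/1.0 (constructed)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="letter.jpg"
Content-Disposition: inline; filename="letter.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRgABAQAAAQABAAD/2wBDAAgGBgcGBQgHBwcJCQgKDA==
--b1--
"""

# Postfix-style "(reverse-name [ip])" peer annotation in a Received: header
PEER_IP_RE = re.compile(r"\(\S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Summarize the header and MIME facts relevant to a sextortion mail."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    to_addr = parseaddr(msg.get("To", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]

    # Received: headers are prepended at each hop, so the last one in the
    # list is the earliest hop, i.e. the one naming the submitting client.
    hops = [re.sub(r"\s+", " ", h) for h in msg.get_all("Received", [])]
    m = PEER_IP_RE.search(hops[-1]) if hops else None

    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = [p.get_content_type() for p in leaves]
    html = ""
    for p in leaves:
        if p.get_content_type() == "text/html":
            charset = p.get_content_charset() or "utf-8"
            html += p.get_payload(decode=True).decode(charset, "replace")
    mailer = " ".join(msg.get_all("X-Mailer", []) + msg.get_all("User-Agent", []))

    return {
        "from": from_addr,
        "to": to_addr,
        "envelope_sender": envelope,
        "from_backed_by_envelope": _domain(from_addr) == _domain(envelope) and envelope != "",
        "origin_ip": m.group(1) if m else None,
        "hops": len(hops),
        "part_types": types,
        "image_only": bool(types) and all(t.startswith("image/") for t in types),
        "external_urls": URL_RE.findall(html),
        "android_mailer": "android" in mailer.lower(),
    }


def red_flags(report):
    """Turn the summary into the plain-language observations made above."""
    flags = []
    if report["from"] == report["to"] and not report["from_backed_by_envelope"]:
        flags.append("From: is the recipient's own address but the envelope sender is elsewhere: spoofed")
    if report["image_only"]:
        flags.append("body is only an image (text hidden from spam filters)")
    if not report["external_urls"]:
        flags.append("no remote content, so no tracking pixel can report that it was read")
    if report["android_mailer"]:
        flags.append("submitted from an Android mail client")
    return flags


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print("origin IP at first hop:", r["origin_ip"])
    for f in red_flags(r):
        print("-", f)
```

The origin IP comes from the earliest Received: header, which is the only one a scammer cannot rewrite after the fact (every later hop is added by a server they do not control); it is the address to quote when sending a heads-up to the relay's operator.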

One thing that may help to identify the would-be scammers, or to link them to other ransom demands, is their Bitcoin wallet address. Bitcoin transactions are public, so anyone can look an address up in a block explorer. I can easily tell, for example, that at the time of writing the spammers' wallet has not received any transactions, so their scheme has failed (at least with this wallet):

[Image: block explorer view of the spammers' Bitcoin wallet. Caption: Transactions on the spammers' Bitcoin wallet (none at the time of writing).]
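Before looking an address up or reporting it, it is worth confirming that the transcription is intact, because these addresses are copied by hand from an image. The script below is an added example, not code from the original page: it pulls candidate legacy Bitcoin addresses out of a block of text and verifies each one's Base58Check checksum (four bytes of double SHA-256 over the version byte and hash), so that an OCR error in an address is caught rather than reported. The sample text is constructed from the two addresses quoted on this page; the reference address used for the self-check is the well-known Bitcoin genesis-block coinbase address. Newer "bc1…" (bech32) addresses use a different checksum and are not handled here.

```python
"""Extract Bitcoin addresses from scam text and validate their checksums (added example)."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) addresses: version prefix 1 or 3, then 25..34 Base58 chars
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    """Decode Base58; each leading '1' character encodes a leading zero byte."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError("character %r is not Base58" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * zeros + body


def check_address(addr):
    """Return (ok, detail) for a legacy Bitcoin address string."""
    try:
        raw = b58decode(addr)
    except ValueError as e:
        return False, str(e)
    if len(raw) != 25:
        return False, "decoded to %d bytes, expected 25" % len(raw)
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        return False, "checksum mismatch (transcription error?)"
    kind = {0: "P2PKH", 5: "P2SH"}.get(raw[0], "version %d" % raw[0])
    return True, kind


def find_addresses(text):
    """Map every candidate address found in text to its (ok, detail) result."""
    return {m.group(0): check_address(m.group(0)) for m in ADDR_RE.finditer(text)}


# Known-valid reference: the genesis-block coinbase address.
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"

# Constructed sample text built from the two addresses quoted on this page.
SAMPLE_TEXT = """My bitcoin wallet address:
1FKD6ujjGrh2vY4nPaxyUJTRpAKq7qpDjH
(It is cAsE sensitive, so copy and paste it).
Second batch: 1MW4maqRuqi62YiRNMaBiHT65WJJMEAvQw
"""

if __name__ == "__main__":
    for addr, (ok, detail) in find_addresses(SAMPLE_TEXT).items():
        print(addr, "OK" if ok else "BAD", detail)
```

A checksum failure means the address as transcribed cannot be the one the scammers use, so re-read the image before reporting; a pass only means the string is a well-formed address, not that it belongs to anyone in particular.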

I am pasting below the ransom request, OCR-converted to text and including the wallet address, so that it can be indexed by Google and other web crawlers and found in public web searches. This may be useful to others who have received ransom demands with similar text and/or the same Bitcoin wallet address:

This account has been infected! Modify your password immediately!

You probably do not heard about me and you may be most probably wondering why you're reading this email, right?

I'mhackerwho crackedyour email boxand all devicesseveral months ago.

It will be a time wasting to attempt to talk to me or alternatively seek for me, it is hopeless, since I directed you this message from YOUR account that I've hacked.

I developed malware soft to the adult vids (porn) site and guess you have spent time on this website to have a good time (think you understand what I want to say).

While you have been keeping an eye on video clips, your browser started out operating as a RDP (Remote Control) with a key logger that granted me authority to access your desktop and netvork camera.

Then, my software programgatheredall info.

You entered passcodes on the sites you visited, I caught them.

Surely, you'll be able to change them, or possibly already changed them.

But it really doesn't matter, my program renews information every time.

And what I have done?

I compiled a reserve copy of your system. Of all files and contacts.

I formed a dual-screen videofile. The 1 part presents the film you had been watching (you have a very good preferences, wow ... ), the 2nd screen displays the recording from your own webcam. What actually should you do?

So, in my view, 1000 USD is basically a reasonable amount of money for our very little riddle. You will make your payment by bitcoins (if you do not know this, search "how to buy bitcoin" in any search engine).

My bitcoin wallet address:

1FKD6ujjGrh2vY4nPaxyUJTRpAKq7qpDjH

(It is cAsE sensitive, so copy and paste it).

Warning:

You have only 2 days to send the payment. (I built in an exclusive pixel to this letter, and right now I know that you've read this email).

To tracethe reading of a letterand the activitywithin it, I usea Facebook pixel. Thanks to them. (That whichis appliedfor the authorities may also helpus.)

If I fail to get bitcoins, I will certainly transfer your videofile to all your contacts, such as family members, co-workers, and many more?

Needless to say, I simply ignored the ransom request, apart from sending a polite heads-up to the e-mail provider which, judging from the headers, may have been abused as a relay to send the demand. Years have passed since the scammers' "deadline", and nothing further has happened.

PS - A few weeks later I received another e-mail, sent through a different insecure e-mail relay to another of my e-mail addresses. It was identical to the first except for minor spelling changes and a different Bitcoin wallet address (which has also received no money so far).

Because the wallet address listed above has been reported to bitcoinabuse.com by multiple users, and because of the second e-mail I received, we can tell that the would-be extortionist generates a new JPG (from slightly different text) for each batch of e-mails, while the wallet address stays the same within a batch. Since the programmer was lazy and reused one address across a whole batch instead of generating a unique one per recipient, an empty wallet tells us that nobody in that batch has fallen for the scam and paid.

It also means that, within a batch, the would-be extortionists have no way to find out who paid and who did not. So even if the spammers did have a "compromising" video of a particular person, they could not tell whether that person had paid. In reality they have no interest in knowing who paid; they only hope that a fool or two will fall for the scam.

Update - Yet another example

Here is a very similar fake ransom request. This one reached me as a bounce: the spammers sent a message with my address forged as the sender to a non-existent mailbox on an e-mail server in Russia, which rejected it and "returned" it to the forged sender, i.e. to me. An identical copy bounced off a server in China within minutes of the first, which tells us this is a mass mailing working through the same address list. The original messages were injected through the networks of a South Korean and an Indian provider, respectively. My e-mail address is publicly available, so anyone is welcome to try spamming it.

Come on guys, your message is way too wordy and long-winded. The more you say, the more obvious it becomes that this is a collection of empty threats. Just say what you want to say in a paragraph or two, save your time, and be done with it. Even better, get a real job that pays real money, instead of wasting your lives trying to make money from old, tired mass-mailing tricks that have been known for decades.

An obvious giveaway: the text "I could effortlessly log in to your email account as well (f0970115@kawkazrg.ru)". The copy bounced off the Chinese server says "(gfjkb@swust.edu.cn)" in the same place. These guys are too clumsy to realize that these are not my e-mail addresses, but the non-existent recipient addresses they used to bounce their e-mail off poorly configured servers (servers that accept mail for unknown users and then send a bounce to whatever sender address was forged). If they cannot even get a simple script right, how likely is it that they have hacked into someone's computer and planted sophisticated tracking software?
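The bounce delivery described above can be recognized from the structure of the returned message. The script below is an added example, not code from the original page: it parses a constructed delivery-status notification (the bounce host, the non-existent mailbox and the IP address, taken from an RFC 5737 documentation range, are invented, and the set of addresses "I own" is an assumption), pulls the original message out of the report, and flags it as backscatter when the original's From: is one of my addresses although it was never sent by me; it also checks the giveaway that the bounce mailbox is quoted in the body as "your email account".

```python
"""Recognize a scam delivered as backscatter (bounce of a forged message) (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

MY_ADDRESSES = {"me@mydomain.example"}  # assumption: the addresses I own

# Constructed DSN, not a real bounce. Host names, the non-existent mailbox
# and the IP (RFC 5737 range) are invented; the body mimics the giveaway
# sentence quoted above.
SAMPLE_BOUNCE = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.bounce-host.example>
To: me@mydomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="r1"

--r1
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.bounce-host.example.
<nosuchuser@bounce-host.example>: User unknown in virtual mailbox table
--r1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.bounce-host.example

Final-Recipient: rfc822; nosuchuser@bounce-host.example
Action: failed
Status: 5.1.1
--r1
Content-Type: message/rfc822

Received: from [192.0.2.77] (unknown [192.0.2.77])
 by mx.bounce-host.example (Postfix) with ESMTP
From: me@mydomain.example
To: nosuchuser@bounce-host.example
Subject: Unfortunately, I have some unpleasant news for you
Content-Type: text/plain; charset=us-ascii

Clearly, I could effortlessly log in to your email account as well
(nosuchuser@bounce-host.example).
--r1--
"""

# Postfix-style "(reverse-name [ip])" peer annotation in a Received: header
PEER_IP_RE = re.compile(r"\(\S+ \[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def analyze_bounce(raw, my_addresses=MY_ADDRESSES):
    """Dissect a DSN and report where the returned message really came from."""
    msg = message_from_string(raw)
    if msg.get_content_type() != "multipart/report" or msg.get_param("report-type") != "delivery-status":
        return {"is_dsn": False}
    result = {"is_dsn": True, "final_recipient": None, "original_from": None,
              "origin_ip": None, "spoofed_me": False, "recipient_quoted_in_body": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The payload is a list of per-recipient header blocks.
            for block in part.get_payload():
                fr = block.get("Final-Recipient")
                if fr:
                    result["final_recipient"] = fr.split(";", 1)[-1].strip().lower()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)  # the returned message itself
            result["original_from"] = parseaddr(original.get("From", ""))[1].lower()
            result["spoofed_me"] = result["original_from"] in my_addresses
            received = original.get_all("Received", [])
            if received:
                m = PEER_IP_RE.search(re.sub(r"\s+", " ", received[-1]))
                result["origin_ip"] = m.group(1) if m else None
            body = original.get_payload(decode=True) or b""
            body = body.decode(original.get_content_charset() or "utf-8", "replace")
            to_addr = parseaddr(original.get("To", ""))[1]
            # The scam template pastes the (bounce) recipient where "your email" goes.
            result["recipient_quoted_in_body"] = bool(to_addr) and to_addr in body
    return result


def is_backscatter(result):
    """A DSN for a message carrying my address that I never sent is backscatter."""
    return result.get("is_dsn", False) and result.get("spoofed_me", False)


if __name__ == "__main__":
    r = analyze_bounce(SAMPLE_BOUNCE)
    print("backscatter:", is_backscatter(r))
    print("injected from:", r["origin_ip"], "to non-existent mailbox:", r["final_recipient"])
```

Note that the headers of the bounce itself are genuine (the Russian or Chinese server really did send it); only the embedded original carries the forged From:, and its earliest Received: line names the network the scam was actually injected from.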

Hello!

Unfortunately, I have some unpleasant news for you.
Roughly several months ago I have managed to get a complete access to all devices that you use to browse internet.
Afterwards, I have proceeded with monitoring all internet activities of yours.

You can check out the sequence of events summarize below:
Previously I have bought from hackers a special access to various email accounts (currently, it is rather a straightforward thing that can be done online). Clearly, I could effortlessly log in to your email account as well (f0970115@kawkazrg.ru).

One week after that, I proceeded with installing a Trojan virus in Operating Systems of all your devices, which are used by you to login to your email. Actually, that was rather a simple thing to do (because you have opened a few links from your inbox emails previously). Genius is in simplicity. ( ~_^)

Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.). I could easily download all your data, photos, web browsing history and other information to my servers. I can access all your social networks accounts, messengers, emails, including chat history as well as contacts list. This virus of mine unceasingly keeps refreshing its signatures (since it is controlled by a driver), and as result stays unnoticed by antivirus software.

Hereby, I believe by this time it is already clear for you why I was never detected until I sent this letter...

While compiling all the information related to you, I have also found out that you are a true fan and frequent visitor of adult websites. You truly enjoy browsing through porn websites, while watching arousing videos and experiencing an unimaginable satisfaction. To be honest, I could not resist but to record some of your kinky solo sessions and compiled them in several videos, which demonstrate you masturbating and cumming in the end.

If you still don't trust me, all it takes me is several mouse clicks to distribute all those videos with your colleagues, friends and even relatives. In addition, I can upload them online for entire public to access. I truly believe, you absolutely don't want such things to occur, bearing in mind the kinky stuff exposed in those videos that you usually watch, (you definitely understand what I am trying to say) it will result in a complete disaster for you.

We can still resolve it in the following manner:
You perform a transfer of $1590 USD to me (a bitcoin equivalent based on the exchange rate during the funds transfer), so after I receive the transfer, I will straight away remove all those lecherous videos without hesitation.
Then we can pretend like it has never happened before. In addition, I assure that all the harmful software will be deactivated and removed from all devices of yours. Don't worry, I am a man of my word.

It is really a good deal with a considerably low the price, bearing in mind that I was monitoring your profile as well as traffic over an extended period.
If you still unaware about the purchase and transfer process of bitcoins - all you can do is find the necessary information online.

My bitcoin wallet is as follows: 1MW4maqRuqi62YiRNMaBiHT65WJJMEAvQw

You are left with 48 hours and the countdown starts right after you open this email (2 days to be specific).

Don't forget to keep in mind and abstain from doing the following:
- Do not attempt to reply my email (this email was generated in your inbox together with the return address).
- Do not attempt to call police as well as other security services. Moreover, don't even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since that I have all your systems under my control and constant monitoring) - your dirty video will become public without delay.
- Don't attempt searching for me - it is completely useless. Cryptocurrency transactions always remain anonymous.
- Don't attempt reinstalling the OS of your devices or even getting rid of them. It is meaningless too, because all your private videos are already been available on remote servers.

Things you should be concerned about:
- That I will not receive the funds transfer you make.
Relax, I will be able to track it immediately, after you complete the funds transfer, because I unceasingly monitor all activities that you do (trojan virus of mine can control remotely all processes, same as TeamViewer).
- That I will still distribute your videos after you have sent the money to me.
Believe me, it is pointless for me to proceed with troubling you after that. Besides that, if that really was my intention, it would happen long time ago!

It all will be settled on fair conditions and terms!

One last advice from me... Moving forward make sure you don't get involved in such type of incidents again!
My suggestion - make sure you change all your passwords as often as possible.

And here is these guys' newly created Bitcoin wallet, unsurprisingly empty as of May 3, 2022. I will update this page if the balance of this wallet changes.

Update - As of May 6, 2022, it seems that three people have fallen for the fake ransom demand (the exact amounts in USD vary a little, because the Bitcoin exchange rate keeps changing). A little more money has also come in, which suggests that the wallet owners use it for other purposes as well. Every new transaction on the same wallet makes it a little easier to trace its owners, because the combination of date, time and amount of all its transactions becomes more and more unique: with enough transactions, only one wallet in the public ledger matches the whole set. It is like a fingerprint: a very small fragment tells very little and could belong to lots of different people, but as larger and larger pieces of the same print are found, the database eventually contains only one possible match.

Don't make a complete fool of yourself. Don't do what these three people did. They have wasted their money for absolutely no reason. Nothing at all would have happened to them had they simply gone on with their lives without paying. The would-be hackers never had any "compromising" material; they were just hoping to catch a few fools ready to believe anything they were told.

As of May 7, 2022, this Bitcoin wallet has been reported 135 times on bitcoinabuse.com, so the whole scheme is indeed a mass mailing. This is exactly what these would-be hackers need to do since, like many others, they lack the skills and resources necessary to do some real hacking.

Note - An earlier variant of this scam uses easily available databases of hacked social media passwords to try to convince the recipient that the hacking claim is real; see for example the coverage on krebsonsecurity.com. Don't fall for this variant either. In this case too, the e-mail contains no convincing evidence that the spammers possess any "compromising" videos, and mere possession of an old password is no such evidence.