Example phishing attempt - bogus try at grabbing $10,000 in BTC

Date: Fri Jul 20 2018

Tags: Phishing, Cyber Security, Security

In the interest of exposing scammers, let me share a phishing attempt I just received. The email is full of technological-sounding phrases and threatens to reveal compromising information. The supposed kompromat would be deleted if I sent some BTC to a named address; otherwise it would be shared with all my friends.

What is phishing? It's an attempt, usually made by e-mail, to snag cash out of someone. Or, according to Wikipedia (en.wikipedia.org),

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using a bait in an attempt to catch a victim.

Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site, the only difference being the URL of the website in concern. Communications purporting to be from social web sites, auction sites, banks, online payment processors or IT administrators are often used to lure victims. Phishing emails may contain links to websites that distribute malware.

The idea, then, is that a phisher sends bogus messages that appear to be real, hoping that a few people will respond. Phishers send out large quantities of these messages; with only a few responses one can still make a lot of money.

All bulk advertising, whether fraudulent like phishing or legitimate like your local grocery's flyer, is based on the same model. Only a few people will respond to an untargeted ad, but by sending out a large enough number of advertisements the advertiser makes enough sales to justify the effort. In the case of a phisher, enough rubes pay up to justify the effort.

Spearphishing is different in that it's targeted. In a spearphishing attack the message is customized for the recipient, which makes the target more likely to respond and so gives a higher response rate. For example, the whole attack by Russian agents to steal e-mails from the Democratic National Committee was due to targeted spearphishing e-mails sent to specific DNC members.

The email below had this e-mail address in the From header: Hewitt Holcombe <kjushantalj@outlook.com>

It did show one of my e-mail addresses in the To header.

So... how do I know this is fake?

The email claims to have caught me visiting a pornographic website. However, I do not visit such websites. Therefore, it cannot have caught me doing what it says. Let's take a look at the claims.

It claims to have installed malware on the "xxx vids" website. Yes, there are known flaws in certain web browsers through which a malicious website can push code into the browser. If, like me, you use only modern web browsers you'll be fairly safe from this, as the list of working exploits is much shorter than for older browsers.

It goes on to suggest that "your browser initiated working as a RDP with a keylogger which provided me with accessibility to your display and web camera." RDP is Remote Desktop Protocol, so the claim is that the miscreant could record what happened on the screen, that a keylogger sent along my keystrokes, and that access to the web camera gave a second video stream to capture.

All of that is somewhat possible, but here are a few gotchas the miscreant would have to get past:

  • Browser and operating-system security policies generally require the user's approval before granting access to the desktop, keyboard or webcam
  • Capturing video from the desktop and the webcam is compute intensive, enough that the user of the computer would likely have noticed ("hey, my computer is running slow")
  • Sending two video streams over the Internet would take a lot of bandwidth, which might also be noticed ("hey, the internet is running slow")

The threat of capturing contacts from Messenger, Facebook and e-mail is another piece of complexity. How would the miscreant's software know whether to check a desktop e-mail client, or an open browser tab into Gmail or another service? It's not impossible, but it has a measure of difficulty.

In other words, this email throws out a bunch of technobabble that has some plausibility, but implementing everything it describes would require quite a degree of sophistication. That's a clue that this is bogus.

Another clue is that a web search using phrases from the e-mail turns up lots of hits for similar e-mails, cited as examples of e-mail phishing scams.
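As an added example (not part of the original post), here is a small Python detector that applies the two clues above mechanically: it parses a message, scores the body against wording that recurs in this family of scam, and pulls out any Bitcoin address it finds. The sample messages are constructed here from the From header and the e-mail text quoted in this post, plus one ordinary office e-mail for contrast; the recipient address, the indicator list, the weights and the threshold are this example's own assumptions, not a published ruleset.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator patterns typical of the sextortion wording quoted in this post, each with a weight.
# Weights and the threshold are this example's own choices, not a published standard.
INDICATORS = [
    # Legacy Bitcoin address: compiled WITHOUT re.I because Base58 deliberately excludes 0, O, I, l.
    ("btc_address",      re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"), 3),
    ("payment_in_btc",   re.compile(r"\b(bitcoins?|btc)\b", re.I), 2),
    ("malware_claim",    re.compile(r"\b(malware|keylogger|rdp)\b", re.I), 2),
    ("webcam_claim",     re.compile(r"\bweb ?cam(era)?\b", re.I), 2),
    ("adult_site_claim", re.compile(r"\b(xxx|porn(ographic)?|adult)\b", re.I), 2),
    ("contacts_threat",  re.compile(r"\bcontacts?\b", re.I), 1),
    ("deadline",         re.compile(r"\b(one|1|24|48)\s*(day|hours?)\b", re.I), 1),
    ("tracking_pixel",   re.compile(r"\bpixel\b", re.I), 1),
]
FLAG_THRESHOLD = 6  # assumption: a body scoring at least this much is treated as likely sextortion


def score_text(text):
    """Return (score, names of matched indicators) for a message body."""
    hits = [name for name, pattern, _ in INDICATORS if pattern.search(text)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def analyze(raw_message):
    """Parse an RFC 822 message, score its body and extract any Bitcoin addresses."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    score, hits = score_text(body)
    return {
        "sender": sender,
        "display_name": display_name,
        "score": score,
        "hits": hits,
        "btc_addresses": INDICATORS[0][1].findall(body),
        "flagged": score >= FLAG_THRESHOLD,
    }


# Constructed sample: the From header and an abridged body taken from the e-mail quoted in the post.
# The To address is a placeholder.
SCAM_MESSAGE = """\
From: Hewitt Holcombe <kjushantalj@outlook.com>
To: victim@example.com
Subject: Lets get straight to the purpose

Well, I placed a malware on the xxx vids (pornographic material) website and there's more,
you visited this website to have fun. While you were watching video clips, your browser
initiated working as a RDP with a keylogger which provided me with accessibility to your
display and web camera. Just after that, my software gathered all your contacts from your
Messenger, FB, as well as e-mailaccount.

Number 2 alternative would be to pay me $10,000. You will make the payment by Bitcoin
(if you don't know this, search for "how to buy bitcoin" in Google search engine).

BTC Address: 1MKpddcHyZ4hgkZ7Yjn887e7QymgKNTnkP
[CASE SENSITIVE copy and paste it]

I have a unique pixel within this e-mail, and right now I know that you have read through
this email. You have one day to make the payment. If I do not receive the BitCoins, I will
send out your video recording to all of your contacts.
"""

# Constructed sample: an ordinary office message that happens to mention a webcam.
BENIGN_MESSAGE = """\
From: Facilities Desk <facilities@example.com>
To: staff@example.com
Subject: Conference room B

Hi, attached are the notes from Friday's meeting. The webcam in conference room B is still
broken, so I filed a ticket with facilities. Thanks.
"""

if __name__ == "__main__":
    for raw in (SCAM_MESSAGE, BENIGN_MESSAGE):
        print(analyze(raw))
```

The point of weighting rather than matching any single word is visible in the second sample: "webcam" alone scores 2 and is not flagged, while the scam body trips nearly every indicator at once. A real filter would feed the extracted address into a blocklist or a block-explorer lookup, which is the check the post describes next.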

As for the Bitcoin part: it's nice and helpful that the miscreant explains to the target how to buy Bitcoin, since so few people know how.

Since Bitcoin transactions are semi-public, it's possible to go to the blockchain.info website (www.blockchain.com) and search for transactions on any Bitcoin address. In this case there are no transactions on the given address, which probably means the scammer set up this Bitcoin address just for this phishing attempt. Here is the e-mail in full:

Lets get straight to the purpose. You may not know me and you're most likely thinking why you are getting this email? Absolutely no one has paid me to check about you.

Well, I placed a malware on the xxx vids (pornographic material) website and there's more, you visited this website to have fun (you know what I mean). While you were watching video clips, your browser initiated working as a RDP with a keylogger which provided me with accessibility to your display and web camera. Just after that, my software gathered all your contacts from your Messenger, FB, as well as e-mailaccount. And then I created a video. 1st part shows the video you were viewing (you have a nice taste hahah), and next part shows the recording of your webcam, & its u.

You actually have a pair of possibilities. We should check out the choices in particulars:

Very first choice is to neglect this e mail. In this instance, I will send your very own video clip to almost all of your personal contacts and then just think regarding the shame you feel. Not to forget should you be in a loving relationship, exactly how it can affect?

Number 2 alternative would be to pay me $10,000. I will regard it as a donation. In this situation, I most certainly will straightaway delete your videotape. You will keep going your life like this never occurred and you are never going to hear back again from me.

You will make the payment by Bitcoin (if you don't know this, search for "how to buy bitcoin" in Google search engine).

BTC Address: 1MKpddcHyZ4hgkZ7Yjn887e7QymgKNTnkP
[CASE SENSITIVE copy and paste it]

If you are thinking about going to the authorities, very well, this email message cannot be traced back to me. I have covered my actions. I am just not trying to ask you for money very much, I just like to be paid for. I have a unique pixel within this e-mail, and right now I know that you have read through this email. You have one day to make the payment. If I do not receive the BitCoins, I will send out your video recording to all of your contacts including members of your family, coworkers, and so on. Nevertheless, if I receive the payment, I will destroy the recording right away. This is a nonnegotiable offer, therefore please don't waste my time & yours by responding to this e-mail. If you really want proof, reply Yes then I will certainly send out your video recording to your 8 contacts.
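The address check described just before the quoted e-mail, as an added Python example that is not from the original post: it first validates the address format offline (Base58Check decoding with the double-SHA-256 checksum that legacy Bitcoin addresses carry), and only then interprets an address summary of the kind a public block explorer returns. The network call itself is left out; SAMPLE_ADDRESS_SUMMARY is a constructed JSON response, and its field names (n_tx, total_received, final_balance) are an assumption of this example rather than a documented API.

```python
import hashlib
import json

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; each leading '1' becomes a leading zero byte."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not Base58")
        value = value * 58 + idx
    leading_zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    return b"\x00" * leading_zeros + body


def is_valid_legacy_address(addr):
    """Base58Check validation for mainnet legacy addresses ('1...' P2PKH or '3...' P2SH).

    Layout: 1 version byte + 20-byte hash + 4-byte checksum, where the checksum is the
    first four bytes of SHA-256(SHA-256(version + hash)).
    """
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return checksum == expected and payload[0] in (0x00, 0x05)


# Constructed sample of an "address summary" JSON document; field names are an assumption.
SAMPLE_ADDRESS_SUMMARY = json.dumps(
    {"address": "1MKpddcHyZ4hgkZ7Yjn887e7QymgKNTnkP", "n_tx": 0, "total_received": 0, "final_balance": 0}
)


def summarize_address(addr, summary_json):
    """Combine the offline format check with an explorer summary.

    A well-formed address with zero transactions is reported as 'likely_fresh', which is the
    inference the post draws: the address was probably created just for this campaign.
    """
    result = {"address": addr, "valid_format": is_valid_legacy_address(addr),
              "n_tx": None, "likely_fresh": None}
    if not result["valid_format"]:
        return result  # do not bother looking up a malformed address
    data = json.loads(summary_json)
    result["n_tx"] = int(data.get("n_tx", 0))
    result["total_received_satoshi"] = int(data.get("total_received", 0))
    result["likely_fresh"] = result["n_tx"] == 0
    return result


if __name__ == "__main__":
    # The address from the quoted e-mail, checked against the constructed summary above.
    print(summarize_address("1MKpddcHyZ4hgkZ7Yjn887e7QymgKNTnkP", SAMPLE_ADDRESS_SUMMARY))
```

Checking the checksum before any lookup serves two purposes: an address that fails Base58Check can never receive funds, so a malformed one is itself evidence of a sloppy mass mailing, and a filter that only queries well-formed addresses is not tricked into hammering an explorer API with junk strings.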

About the Author(s)

David Herron (davidherron.com): David Herron is a writer and software engineer focusing on the wise use of technology. He is especially interested in clean energy technologies like solar power, wind power, and electric cars. David worked for nearly 30 years in Silicon Valley on software ranging from electronic mail systems, to video streaming, to the Java programming language, and has published several books on Node.js programming and electric vehicles.