Don’t fall for the scam

Eric Wuehler
6 min read, Jan 12, 2019

I was cleaning out my spam folder, as one might do on occasion. I enjoy looking at the emails from the FBI, offering me lots of money if I will call a number with the +234 Country Code, or discovering long lost relatives who just need a little help and will pay me back. Honest!

This time scrolling through, I was immediately reminded why passwords are horrible little things… One email caught my eye — because the email subject line had a password I had used in it. For a split second, I thought there might be some old account that had actually been hacked. This seemed odd because it was an email I hadn’t used in years and was just forwarding it to another account.

The email was — as most scam emails are — an entertaining read. Let’s parse this one out:

Hello!

I have very bad news for you.

Bummer. I was hoping to find good news in my Spam Folder.

03/09/2018 — on this day I hacked your OS and got full access to your account eric@████████████.com
On this day your account eric@████████████.com.com has password: ███████████

Interesting. I haven’t used this account in years, so whatever. However, the password does look like one of the ones I would have used in my pre-1Password days. Hmmm… What old computer might I have lying around and connected to the internet that might possibly have this old account? Maybe the attacker will explain…

So, you can change the password, yes.. But my malware intercepts it every time.

Gotcha. Must be a Keyboard Logger. Oh, wait! They are going to tell me how they made it!

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

Hmmm… I have the eero routers and the eero plus security stuff. I haven’t heard of any vulnerabilities there. Well, maybe, I suppose. All software has vulnerabilities if you look hard enough.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A full dump of my disk? I haven’t kept my contacts on my disk in years. Maybe they meant they got it when they pulled my browser history. I dunno.

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I’m talk you about sites for adults.

Ah. They were going to give me some Ransomware. Make me pay some Bitcoin to unlock it. Although I’m not sure why my viewing sites like NPR, Tom’s Hardware, CNBC, and Daring Fireball is all that shocking.

I want to say — you are a BIG pervert. Your fantasy is shifted far away from the normal course!

What? Oh. Those kind of sites. I guess I should be disappointed in the filtering software we use at home, it must not do as good a job keeping that stuff out of the house as I thought.

And I got an idea….
I made a screenshot of the adult sites ██████ ███ ████ ████ ██████ ██████ ████ █████ ████ █ █████ ██

After that, I made a screenshot of █████ ████ (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

(Editor’s Note: I think I’ll just censor a few of those, trying to keep this rated PG.)

So let me get this straight. The attacker spent time taking screenshots of adult sites while someone was viewing them? Sure seems like a lot of time sitting around waiting. Maybe the trojan had a notification feature? Maybe they got a text message, “The person you are scamming is now reading Daring Fireball!”

I’m know that you would not like to show these screenshots to your friends, relatives or colleagues.

Actually, I’d kinda like to see them. Be nice to know who is in my house, using my old account, and bypassing the security and filtering software.

I think $747 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Since March 9th, I guess. Or is it September 3rd? I should probably pay as an apology for how boring it must have been to spy on me for so long.

Pay ONLY in Bitcoins!

My BTC wallet: ████████████████████████████

What!? They don’t take Ethereum? Lame.

You do not know how to use bitcoins?
Enter a query in any search engine: “how to replenish btc wallet”.
It’s extremely easy

Easy? Looks kinda painful to me. I changed my mind. I’m not going to bother paying.

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

So… The email also has a timer in it. Probably JavaScript. What a horrible language.

After payment, my virus and dirty screenshots ███ ████ ████ ██████ will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots ███ ████ ████ ██████

Wait. So the Trojan is also Ransomware? My device will be locked? And all my contacts will receive the screenshots? Maybe one of them will send it to me so I can see it too.

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)

Got it. I understand my situation. I need to first find the computer before I can even attempt to destroy the Virus… or Trojan… or Ransomware… or KeyLogger… or JavaScript… or whatever it is I’m supposedly infected with.

- Do not try to contact me (you yourself will see that this is impossible, I sent you an email from your account)

Ah yes. The old “spoof the email sender” ploy. Very clever to send it from and to the same account. +1

- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!

Whew. Maybe somebody else was not as boring to spy on as I was. I was starting to feel a little sorry for the hacker.

This is the word of honor hacker

Honor Hacker. Well, in that case, I guess I’ll go figure out how to get me some bitcoins so I can pay. Maybe they are also part of the Honorverse.

I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

Antiviruses, plural? How many am I supposed to be running?

Do not hold evil! I just do my job.

That job has to be incredibly boring… Now if I can just find a place to set down the evil I am holding…

Good luck.

Thanks!

In all seriousness, though, the fact that they did have a “real” password of mine piqued my interest. The first thing I did was take the account email that was associated with the “hacked password” and head over to Have I Been Pwned to look up the email address. Sure enough, there it was…

So that explained the “We have your password” part. #ThanksBitly
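The scammer’s only real asset was a password that had already leaked in a breach. A practitioner can check a password against the same corpus Have I Been Pwned exposes (the Pwned Passwords range endpoint) without ever sending the password itself, by sending only the first five hex characters of its SHA-1 and matching the rest locally. This is an added example, not code from the post or from Have I Been Pwned; the offline fetcher and its counts are constructed, and only fetch_range_live touches the network.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords index uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appeared in known breaches (0 if never).
    Only the 5-char hash prefix leaves this machine (k-anonymity); the
    35-char suffix is matched locally against the returned range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Real fetcher for the HIBP range endpoint (needs network; not used below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def make_fake_range_fetcher(leaked: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for the API: `leaked` maps sample passwords to counts."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in leaked.items():
        digest = sha1_hex(pw)
        by_prefix.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    filler = "0123456789ABCDEF0123456789ABCDEF012:1"  # constructed unrelated suffix
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []) + [filler])

if __name__ == "__main__":
    fetch = make_fake_range_fetcher({"Password1": 42})
    print(breach_count("Password1", fetch))                # 42: a scammer has it too
    print(breach_count("Tr0ub4dor&3-constructed", fetch))  # 0 in the sample set
```

A non-zero count means the password is in the same data the sextortion emails are built from, so it should be retired everywhere it was reused, not just on the account named in the email.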

There were also about 100 of the same or similar emails. Oddly enough, each had a slightly different dollar value for the bitcoin I was supposed to pay, and the Bitcoin wallet addresses varied as well. I’m sad to report that the wallets had several thousand dollars in them, so the scam worked.

Oh, well.


Eric Wuehler

Principal Engineer, Office of the CTO @McAfee. Co-host @MostlySecurity podcast. Tweets are my own. I have three teenagers. Bring it on.