Fake French Police Sextortion Scam

Sucuri Security
Oct 28, 2019 · 5 min read

There has been a noted increase in the number of sextortion scams during 2019. These scam campaigns are commonly distributed through email, but any method of digital communication can be used to deliver the blackmail threat to the victim.

Blackmail Attempts for Bitcoin Payments

The majority of these sextortion scam emails follow a similar template, disclosed earlier this year in a post by MalwareBytes. This email template has been translated into various languages, however some of the templates use different methods to lure victims into believing the scammer.

These emails usually involve the scammer claiming to have recorded the victim through a webcam over a certain period of months. Claims may also include having viewed browser history with adult content.

While it is indeed possible for someone to be involved in this level of intrusive spying, these email campaigns are merely a bluff sent out by the millions. If even a small fraction of victims respond and submit the extortion Bitcoin payment to scammers, the campaign would prove to be lucrative.

Scam Variants Blocked by Spam Filters

September 2019 saw reports in Ireland of another variant of this email template, which included an accusation that victims had viewed illegal, underage content.

While the scam email threatened to release nonexistent evidence to law enforcement, it lacked authenticity. Fortunately, spam filters are doing a good job at blocking these scam emails from ever arriving to the victim’s inbox.

Disabled Browser Functions & Other Website Features

A new sextortion scam was recently reported to us which takes an entirely different approach to the trends that we’ve seen in the past year.

First, it is not solely reliant on emails. The scam campaign leverages websites to include features like fake purchase payment phishing forms and browser interactivity to add the illusion of authenticity.

In fact, this scam tries to trick victims into believing it is the website for the French national police.

JavaScript Details

When a victim loads the scam website, the browser’s full screen mode is triggered on two different conditions: if a click event is fired, or after a specified wait time is reached.

From the full screen mode, it then disables various browser function hotkeys with the aid of Javascript functions.

You may have encountered websites that disable functions like right clicking on a website-usually in an attempt to prevent site visitors from saving images or other content. Similar functions can also be used to prevent visitors from performing specific browser tasks like using the Ctrl + U hotkey for viewing the page’s source, however it’s just a deterrence as you can just obtain the source using a variety of other methods.

The functions used in this campaign try to prevent users from navigating away from the scam page.

Credit Card Stealer

The credit card payment form used in this scam campaign doesn’t actually charge victims’ cards for the requested extortion fee. Instead, it steals credit card information by using a mail.php file for exfiltrating the stolen information to an email address controlled by the scammer.

Deceptive Design Elements

Analyzing the HTML and CSS from this campaign revealed why the scammers tried so hard to keep the browser in full screen mode.

When the browser enters full screen mode, it causes the browser to maximize the current open tab and so a victim can’t see their Windows taskbar or the “X” button to close the browser window.

This phishing page’s design does a pretty good job of replicating a Windows 10 user’s desktop, complete with an open Google Chrome window.

Deceptive design elements and full screen notification in green outlines

It may not be perfect, but this is a pretty good way to trick someone into thinking they are being blocked from the Internet-when in reality, they are just loading a cleverly crafted scam website.

The actual extortion threat text found on the website is where this scheme takes a disturbing turn. Here is the content translated from the original French messaging found on the scam page:

Your computer is blocked.

Your device is blocked due to downloading and distributing illegal content (child pornography, rape and zoophilia) which is forbidden by the law of France.

You must pay a fine of 500€ with a Visa and Mastercard credit card.

Your device will unlock automatically after payment of a fine. Warning! If not, your file will be transferred to the judicial police for the institution of criminal proceedings against you because of the commission of one of the crimes.

You have 6 hours to pay the fine.

Conclusion

Websites that replicate both the victim’s desktop environment and the French National Police definitely add to the suspicion that someone is monitoring you or is able to access your computer.

The part that puzzles me is, why would scammers go overboard and accuse the person of something so horrific as underage content? I hope that it’s because they believe that a certain number of victims will just pay the money to avoid accusations or any official court summons. This seems unlikely since at some level paying the fee would be viewed by many as a sign of guilt.

A worse (and more sickening) possibility is that these scammers honestly believe there are enough people out there viewing this illegal content that would make great potential blackmail victims.

Unfortunately, recent law enforcement actions have shown that people from all over the world are still regularly paying to view this type of illegal content, as evidenced in a recent dark net bust resulting in 337 arrests.

Overall, these extortion scams seem overly aggressive. Scammers would probably cast a wider net by accusing victims of more common criminal offenses, like downloading copyrighted/DMCA content.

Originally published at https://blog.sucuri.net on October 28, 2019.

The Startup

Get smarter at building your thing. Join The Startup’s +724K followers.

Sucuri Security

Written by

Learn about website security, emerging vulnerabilities, and web malware infections from our team of website security researchers.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +724K followers.

Sucuri Security

Written by

Learn about website security, emerging vulnerabilities, and web malware infections from our team of website security researchers.

The Startup

Get smarter at building your thing. Follow to join The Startup’s +8 million monthly readers & +724K followers.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store