Extortion Fail

There's an email making the rounds lately with the from line being your name and the subject a password from some time in the past. As this is something that is bound to grab people's attention, unless they've always used random password generators, consider this post a Public Service Announcement. Here's the message minus the password:

Scams and Extortion Won't Work When the Victims Don't Care

As far as email extortion attempts go, this one is pretty good. The perpetrator starts off with a password we'd likely recognise then cuts right to the chase. The demand here is pretty simple, send $4,000 USD[1] in BitCoin within 24 hours or people I know will receive a video of me pleasuring myself to porn found on the Internet.

If I were 12, this would terrify me because I'd think my parents would ground me for being stupid online. As someone who has spent 20+ years on the Internet, being sent a video of someone fondling themselves — regardless of whether I know them or not — isn't going to make me think any less of them. If a video of me doing something like this was sent to everyone I knew, it might be embarrassing for a couple of days, but I doubt anything negative would happen as a result. I'm a faceless nobody and, ultimately, few people would care.

Whenever I see messages like this a couple of questions pop into my head. The first is "How many people will actually pay this price?" and the second is usually along the lines of "Why didn't they try just a little harder to make it more believable?"

There are a couple of problems that stood out when I received this message, and they could be easily addressed had the perpetrator put a little more thought into their extortion attempt.

1. Offer Some Pseudo-Evidence

Starting the email off with an out-dated password is all well and good for people who haven't updated their online credentials in 8+ years[2], but the message tries to scare people by saying that a key logger has been installed on the system via a remote connection instigated via the browser, which made it possible to collect information from a device that I purportedly used while browsing pr0n. Just thinking that a key logger is on a system would be terrifying enough, given the number of servers and databases full of actually valuable, exploitable data I have access to. However, the person says that an image of me was captured from the webcam.

"Prove" it. Considering that most people who might actually have $4,000 USD available to convert to BitCoin and send are likely not pleasuring themselves at noon, what this means is that a tiny, fuzzy picture of someone in a dark room could be used as pseudo-evidence. Keep the picture tiny so that physical details are hard to make out, but ensure there's just enough of a face and a dark room visible to make it seem plausible. People using the web for pr0n will likely not have a webcam pointed at their genitals, so there's no need to get too specific.

2. Do What You Say

At the bottom of the message, the following sentence is seen: "I have a special pixel within this e-mail, and at this moment I know that you have read through this message."

There is no pixel in the message. There isn't even a Base64-encoded string in the body of the message that can be rendered into one. If you're going to say such a silly thing, then put a 1-pixel image file in the email even though most mail clients will strip it from the body and show the thing as an attachment. If there is going to be even a hint of a threat, see it through.
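
A recipient can check a "special pixel" claim like the one quoted above rather than take it on trust. The following is an added example, not part of the original post: it parses a raw message with Python's standard `email` module and lists every image the message carries or asks the mail client to load. The two sample messages and the `example.invalid` addresses are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

class ImgCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.sources.append(dict(attrs).get("src") or "")

# How each src scheme behaves when a mail client renders the body.
KINDS = {
    "http": "remote-image",     # fetched from the sender's server: reveals the open
    "https": "remote-image",
    "data": "data-uri-image",   # Base64 image inside the body: no fetch, no signal
    "cid": "inline-cid-image",  # points at an image attached to this message
}

def find_image_references(raw_message):
    """List every image the message carries or asks the client to load."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            findings.append(("attached-image", part.get_filename() or ""))
        elif ctype == "text/html":
            collector = ImgCollector()
            collector.feed(part.get_content())
            for src in collector.sources:
                scheme = src.split(":", 1)[0].lower()
                findings.append((KINDS.get(scheme, "other-image"), src))
    return findings

# Constructed samples (not the message from this post).
HEADERS = "From: sender@example.invalid\nSubject: constructed sample\n"
CLAIM_ONLY = (HEADERS + "Content-Type: text/plain; charset=utf-8\n\n"
              "I have a special pixel within this e-mail.\n")
WITH_PIXEL = (HEADERS + "Content-Type: text/html; charset=utf-8\n\n"
              '<img src="https://tracker.example.invalid/o.gif" width="1" height="1">\n')

if __name__ == "__main__":
    print(find_image_references(CLAIM_ONLY))
    print(find_image_references(WITH_PIXEL))
```

An empty result means the message has no image of any kind, so nothing in it can report back that it was opened.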

3. Don't Be Specific About Stupid Things

Finally, when wrapping up, don't be stupid and put an easily verified number in the message like "I definitely will send out your video recording to your 7 contacts". Seven? Seriously? For someone who claims to have access to my entire contact list, they clearly have no idea how many people I actually communicate with on a regular basis. Throw a big number in there that's harder to verify, like 181 or be vague about it like "I'll send the tape to everyone you've emailed this past week" or some such. The only content in this extortion attempt that should be correct and accurate is the BitCoin wallet ID. Everything else should be plausible, but not easily verifiable. When stoking fear you cannot trigger any sense of doubt in the victim's mind, otherwise you begin to slip on the offensive.

Better yet, get a bloody job

There are just so many things wrong with messages like this and I continue to wonder how people can look at themselves in the mirror every day if this is how they maintain their lifestyle. There are better ways to earn money online and most of the career opportunities available can result in a real sense of pride and self-worth. There is no reason that an individual or small team that is creative enough to come up with a scheme like this cannot instead create something of value that people would be willing to pay a respectable fee for.

Mind you, I am a naive idealist at the best of times.

  1. This might be a "bargain" as I received the same email yesterday demanding $5,000 USD

  2. I'm sure there are lots of people who have not updated their passwords ever, let alone in the last eight years.