Skip to main content

Spam, Scam and Outright Blackmail: Inbox Thieves and How to Spot Them


As we know, there are ~235 billion emails sent per day, a number that keeps growing year-on-year. A staggering 48% of that traffic is spam of one description or another, a figure that has actually come down 21% in the past 4 years alone. Despite varying scams and spam being prevalent and well-known, still people fall for them and shell out hundreds of thousands of pounds to cyber criminals each year. Today, I’m going to take a look at an interesting blackmail spam email I received and break down how to identify this as something obviously a scam, and why it is also a phishing expedition as opposed to real blackmail. I’ve taken out my email details, but the rest is exactly how I got it:

A Fun Blackmail Scam attempt

The first to check, with every email you get not just the ones you suspect of being dodgy, is the sender name and email address. Now even a neo-luddite can spot that something is fishy here: 986@501.416 is clearly not a real email address. If you aren’t sure, copy and paste the address into your search engine of choice and see what comes up. This might not always work, as there is such a thing as address spoofing, but that tends to be on the rare side, usually kept for specific criminal campaigns. It is always good to make sure that email is legitimate, so if you are still unsure, ask someone who will know.

Normally at this point, I’ve binned the offending message and moved on, but for now, I’ll continue with the deconstruction.  Have you noticed the subject line? Even a wary person might glance twice at this email in a panic at seeing that. Now, the subject here is actually a big giveaway that this is pure rubbish: what law enforcement agency in the world would go and warn a suspect that they know the suspect has been watching child porn? Let’s be real here, if they suspected anything of the sort, they’d be through the door with a warrant and clamping you with hand-irons ready to throw you in clink and forget you exist. So clearly, this is a scam, and will almost certainly involve blackmail.

Moving on to the contents, and it’s the usual type of thing: Hey you, we caught you do X and have proof, so pay up. The first paragraph is almost enough to convince you that your computer at least, was used like it claims. The second paragraph that reveals the email’s intended audience: only in the USA would they be worried about the FBI, as they have no power or authority anywhere else. Then the illusion is truly broken with the mention of a “special tracking pixel”. I’ve been involved with computer technology my entire life and can quite clearly state that this is technobabble: it is nonsense created to scare and intimidate. This is the setup for the next part of the email: hand over your cash.

This last section of the email is actually rather interesting: it specifies some rather vague instructions on paying 0.1BTC (Bitcoins). Now, anyone who has gone to this much effort to go mass-mailing blackmailing usually wants to ensure that for the minority who will fall for this sort of scam will pay up and would provide clearer instructions on how to do so. Even ransomware designers give better instructions that “Google it”.  It seems very rushed and a more than a little slap-dash, as if this is a first effort, or this is as much English as they know. But as I have pointed out, this is a wide net cast to pickup what it can indiscriminately, so full detail and accuracy doesn’t really matter. What the scammers are really counting on is fear and panic, not accurate technological descriptions.

To recap:
1.       Check the name and email address
2.       Is the subject line too worrying?
3.       Lots of technobabble that is meaningless?
4.       Location-specific information that is irrelevant to you?
5.       Asks for money?

If any of these list-items sound familiar, delete the email safe in the knowledge you’ve avoided a scam.

Labels:

Comments

Post a Comment

Popular posts from this blog

The Alphabet Soup: A Quick Guide to Post-Nominals

This week, I’ll walk you through the ever-growing list of post-nominal letters you can add to your name through qualifications and certifications. Being a student myself, I’ll start with exploring the academic route, then go through the more popular, and best recognised, vendor and standards organisations’ certifications, highlighting their worth for your CV and career development. It’s not a comprehensive list, by any stretch of the imagination, and is geared towards a more general CyberSec professional, rather than focusing on any one aspect of the industry. I’ll try and shy away from too much debate by running away very quickly to avoid the one about CEH vs. OSCP, and leave it to you instead. *Disclaimer* I am a university student, and haven’t actually done any of the following certifications, at least not to completion. I have explored each in a reasonable amount of depth to see their benefits and worth and consulted with holders of a few to gain their insider opinions. I a...
Post a Comment
Read more

The Ancient and Venerable Art of Google-fu

Other titles considered for this post: How Not To Piss Off Entire Forums and Facebook Groups; Avoiding the Banhammer; Stop Being Lazy and Look it Up Yourselves. Before you can embark on a career in, well, anything even vaguely IT related (or do practically anything), you must master one crucial skill: information searching. In the days of yore, and even rumoured to still exist despite budget cuts, there were in of cult of specialists in this area, who guarded their domains jealously: the librarians. These knowledge-fanatics could divine what you were looking for from the ridiculously poor and mumbled explanation you gave them, then translated that into a secretive code which led you to a shelf in a library, and then to the book you were after. Just like magic. These days, while librarians are still a vitally important part of cataloguing knowledge, we also have another, less mystical, tool at our fingertips: the Search Engine. Unfortunately, very few people have bothered to le...
Post a Comment
Read more

Weaponised Likes

Yes, this is the inevitable blog about Cambridge Analytica, Strategic Communications Laboratories and Facebook, because this is a cyber security blog and this counts as compromised security. First things first, the old admonition: if you are getting something for free, you are the product. Maybe it’s not that old, but it definitely applies. Facebook offers a lot, and offers it, ostensibly, for free. Now you could say that advertising revenue pays for it, and to some degree you would be correct, but one thing the former Harvard female ranking website has plenty of is information: data. And data, particularly the specific kinds you feed the Zuckerbergian Machine every 30 seconds, is worth more than its weight in gold. Machine Learning and AI companies need as much as possible to teach their silicon brains, and advertising departments and companies love knowing how to manipulate you into buying things help you choose their products. Here’s where Cambridge Analytica, and their parent ...
Post a Comment
Read more