Surge in blackmailing?
What’s happening with blackmails? For those who don't know the word, it is a piece of mail sent to a victim to ask money in return for not revealing compromising information about him/her. For a few days, we noticed a peak of such malicious emails. One of our readers reported one during the weekend, Johannes Ullrich received also one. A campaign targeted people in The Netherlands.
Blackmails are not new. For years, bad people tried to extort money by using different techniques. For months, we are facing ransomware attacks which encrypt data to prevent the victim to access his/her files but there exist other techniques for a while. In 2012, I wrote a blog post[1] about the social impact of ransomware. At this time, Belgium was under fire with plenty of fake pages pretending to be from the Police services:
In this case, it was quite easy to get rid of such page (a simple system restore was enough). I remembered a friend of mine, non-techie, that was ready to pay the ransom to not disclose some personal stuff to his wife!
Today, blackmail apparently remains a nice way to get money from the victim, even more with the cryptocurrencies that are harder to track. Most of the blackmail samples propose to the victim to pay via a BTC wallet. For the security guys, this is even better because we can track to wallet usage and detect is the campaign is ongoing and if victims paid.
Here is a first example:
Hey . Have you ever heard anything information related to the RAT malware 68967? Great job, you have today became a satisfied owner of my own, personal version of this software. I've been able to locate several interesting stuff on your personal computer and I have also been able get in to all ur units, which includes a cellphone. Yet these are definitely all are very little things as opposed to the next. I made this virus to record a mike, a cam, as well as the graphic on the screen, and you know I have created numerous interesting movies. I do believe a few movies will certainly be interesting for you personally :D The best part is that my application recorded is a moment you go to one of the pornographic sites. I even haveinvested two hours of my time to combine two video clips, one which is an image on the screen and another one of the actual web cam. It was quite amusing! Ok, lets get right to the point. I recommend you pay out 350 usd to my wallet - 1Q7xmTttjGgACeuY6ThtBQ9YXEeSzcWgdM I solely utilize BTC. If you will have trouble payingjust use any search box. After obtaining the funds. We will both just forget about this unpleasant moment and erase all the info I have gathered from your devices. You have three days. If I do not receive my cash, I am going to deliver all of the details to the contact information I located on your equipment! Possibly I'll do it with your accounts. It will be very amusing if your loved people obtain a footage of this type. I offer a small amount of time simply because my wallets frequently get locked and you will need to deliver just before that. Yes, you are not the only person receiving an email of this sort, I have infected a 9972 individuals and more than 1131 of them ended up with fascinating things. You actually can call up authorities, think its worthless, the worst stuff they are able to perform is block my wallet. So do not do stupid things. If perhaps I will not receive my cash for any reason, including the failure to send them to a blocked account wallet, ur status will be destroyed. Therefore hurry up! I take care of my anonymousness and use the short-lived e-mail to deliver messages, additionally I am on-line from my working laptopand i only with fake Wi fi from numerous organizations besides i use Double-VPN. Thus, getting in touch with me and responding to to this notice makes no sense.
The wallet 1Q7xmTttjGgACeuY6ThtBQ9YXEeSzcWgdM[2] is empty.
Here is a second one: Hello! Do not pay attention on my English, Im from Iran.We uploaded our malware onto your system.Now I thiefted all private data from your device. In addition I received some more evidence.The most entertaining evidence that I have- its a videotape with your masturbation.I set deleterious soft on a porn web site and then you loaded it. As soon as you decided with the video and clicked on a play button, my malicious software instantly adjusted on your device. After downloading, your front-camera shoot the record with you masturbating, furthermore software captured exactly the video you selected. In next few days my deleterious soft grabbed all your social and work contacts. If you need to erase the records- transfer me 295 euro in Bitcoins. I provide you my Btc wallet address - 1FKLcCQTyznP9n1FkiZpxWZx8idxv43icT You have 30 h. to go since now. When I receive transaction I will erase the evidence in perpetuity. Differently I will send the tape to all your contacts.
The wallet 1FKLcCQTyznP9n1FkiZpxWZx8idxv43icT[3] is also empty.
Another example:
Whats poppin During all your life u was notified to surf web catiously, but you didnt. Whats the problem?- You will ask me. The whole point is that I adjusted the malicious soft on a web-site with videos for adults (site with p?rn content) (u know whats up). Object was watching video for adults and device tarted functioning as dedicated desktop with keylogger function. Furthermore all cams and screen at the 1st onset started recording. Then my virus collected all your contacts from messengers, e-mails and social networks. So what do we have now? I made the split screen vid (1st part-screen rec.(u have a nice interests lmao), second- camera rec.) and all ur contacts. I think its not good news. Consequently in my opinion two hunned ninety usd is enough for this smallwee error. My btc(cryptocurrency) wallet - [xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx] Ask internet how to buy it. It is not very hard. Just write "how to get btc" I give u 1 day after opening this message(I adjusted a special pixel in it, Ill know when you read it). If you dont send me the necessary amount Ill send video with you to all your contacts Upon I receive btc- the ?ompromising will be deleted.If u charge me to send evidence, reply + and Ill share video that I made with three contacts Ive collected from u. Can go to cops, but they will not have time to find me , im Ukranian, so ull be a star among friends.
Finally, here is a valid wallet[4], it belongs to the campaign launched in The Netherlands:
There is no need to translate it, the context is the same: Your computer has been compromized while you were visiting a pornographic website. But, this time, we can see that (at least for this morning) somebody paid. The requested ransom is 500€ (approximatively 0.068BTC):
In most of the scenarios, the attacker pretends that he caught you via your camera in your private space or while you were browser a pornographic website. How to react when you received a blackmail? The main advice is to NOT pay the ransom. If the mail was received in a business context, contact your local helpdesk or security team. If it is in a private context, just delete the mail. If you have a local CSIRT available, you may also report the blackmail to them.
[1] https://blog.rootshell.be/2012/12/23/the-social-impact-of-malware-infections/
[2] https://blockchain.info/address/1Q7xmTttjGgACeuY6ThtBQ9YXEeSzcWgdM
[3] https://blockchain.info/address/1FKLcCQTyznP9n1FkiZpxWZx8idxv43icT
[4] https://blockchain.info/address/1KAEuaT2MX67LabV4hsQ83SNp8zn67riSt
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key
Reverse-Engineering Malware: Malware Analysis Tools and Techniques | Amsterdam | Jan 20th - Jan 25th 2025 |
Comments