SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

Email ransom attack without the malware

Do You Do Any of These Embarrassing Things?

Email ransom attack

Email ransom attacks are easy and common. They are like ransomware, but without the clever coding. Not every hacking attack has to be sophisticated. Sometimes hackers simply demand money, with the threat of making life worse if you don’t pay.

Your Device Was Hacked

The following is an example of a non-targeted, completely opportunistic email ransom attack that threatens to expose embarrassing personal details. A ransom of $1,650 will ensure the details stay private.

We monitor the threat landscape to ensure that our testing is realistic and accurate. The following email ransom attack arrived in our monitoring system today.

It contains some classic social engineering techniques. See our highlighted comments.

Email ransom attack example


“SUBJECT: Do You Do Any of These Embarrassing Things?

I am sorry to inform you but your device was hacked. [Sorry?]

That’s what happened. I have used a Zero Click vulnerability with a special code to hack your device through a website. [Such attacks have been in the headlines recently, so this sounds slightly credible.]

A complicated software that requires precise skills that I posess. [Precise spelling is not one such skill]

This exploit works in a chain with a specially crafted unique code and such type of an attack goes undetected.

You only had to visit a website to be infected, and unfortunately for you it’s that simple for me.

You were not targeted, but just became one of the many unlucky people who got hacked through that webpage. [It is interesting that the attacker states the attack is NOT targeted.]

All of this happened in August. So I’ve had enough time to collect the information.

I think you already know what is going to happen next.

For a couple of month my software was quietly collecting information about your habits, websites you visit, websearches, texts you send.

There is more to it, but I have listed just a few reasons for you to understand how serious this is.

To be clear, my software controlled your camera and microphone as well.

It was just about right timing to get you privacy violated. I have made a few pornhub worthy videos with you as a lead actor. [The threats strongly hint that the victim has been filmed engaged in some form of sexual activity, either alone or in company.]

I’ve been waiting enough and have decided that it’s time to put an end to this. [Attacker creates a sense of urgency #1]

Here is my offer. Let’s name this a “consulting fee” I need to get, so I can delete the media content I have been collecting. [Strangely ‘mafia-style’ language… Euphemisms about fees vs. extortion. It would be a shame if someone found those videos…]

Your privacy stays untouched, if I get the payment. [Does it, though? What’s to stop the attacker from releasing the data anyway?]

Otherwise, I will leak the most damaging content to your contacts and post it to a public website for perverts to view. [Beware the perverts!]

You and I understand how damaging this will be to you, it’s not that much money to keep your privacy.

I don’t care about you personally, that’s why you can be sure that all files I have and software on your device will be deleted immediately after I receive the transfer. [But if you pay once, maybe you’ll pay again? And again? Until you don’t, in which case they are richer and might release the videos anyway, for fun.]

I only care about getting paid.

My modest consulting fee is 1650 US Dollars to be transferred in Bitcoin. Exchange rate at the time of the transfer. [This IS a comparatively modest demand, when large companies are facing much bigger ‘consulting fees’.]

You need to send that amount to this wallet: 1EqsnpSgTN8iaeFJmJi4wEbyomQ8tTGQma

The fee is non negotiable, to be transferred within 2 business days. [Attacker creates a sense of urgency #2]

Obviously do not try to ask for help from the law enforcement unless you want your privacy to be violated. [Standard ‘don’t talk to the police’ script.]

I will monitor your every move until I get paid. If you keep your end of the agreement, you wont hear from me ever again.

Take care and have a good day.” [Thanks! You too!]
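The techniques highlighted in the comments above (a claim of compromise, a threat of exposure, a Bitcoin payment demand, a deadline and a "don't talk to the police" line) can be turned into a simple mail-filter heuristic. The following Python sketch is an added example, not SE Labs code; the indicator names, regexes and scoring rule are assumptions, and the sample text is a set of sentences taken from the email quoted above.

```python
import re

# Indicator families follow the annotations in the article. The regexes are
# illustrative assumptions, not a tuned production rule set.
INDICATORS = {
    "compromise_claim": r"\bdevice was hacked\b|\bzero[ -]?click\b",
    "surveillance_claim": r"\bcontrolled your camera\b|\bcamera and microphone\b",
    "exposure_threat": r"\bleak\b.*\bcontacts\b|\bpost it to a public website\b",
    "payment_demand": r"\b(?:US Dollars|USD)\b.*\bbitcoin\b|\bconsulting fee\b",
    "urgency": r"\bwithin \d+ (?:business )?(?:days?|hours?)\b|\bnon[ -]negotiable\b",
    "isolation": r"\bdo not\b.*\b(?:law enforcement|police)\b",
}
# Shape of a legacy Base58 Bitcoin address (no 0, O, I or l); no checksum check.
BTC_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def analyse(body: str) -> dict:
    """Return the indicator families, wallet strings and verdict for one email body."""
    text = body.replace("\u2019", "'")  # normalise curly apostrophes
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # Match per line so that '.*' cannot join unrelated sentences.
    hits = sorted(name for name, rx in INDICATORS.items()
                  if any(re.search(rx, ln, re.IGNORECASE) for ln in lines))
    wallets = BTC_ADDR.findall(text)
    # Flag only the combination the article describes: a threat of exposure,
    # a cryptocurrency wallet to pay into, and at least two more indicators.
    flagged = bool(wallets) and "exposure_threat" in hits and len(hits) >= 3
    return {"indicators": hits, "wallets": wallets, "flagged": flagged}

# Sentences taken from the email quoted in the article.
SAMPLE = """\
I am sorry to inform you but your device was hacked.
To be clear, my software controlled your camera and microphone as well.
Otherwise, I will leak the most damaging content to your contacts and post it to a public website for perverts to view.
My modest consulting fee is 1650 US Dollars to be transferred in Bitcoin.
You need to send that amount to this wallet: 1EqsnpSgTN8iaeFJmJi4wEbyomQ8tTGQma
The fee is non negotiable, to be transferred within 2 business days.
Obviously do not try to ask for help from the law enforcement unless you want your privacy to be violated.
"""
# Constructed benign message for comparison.
BENIGN = "Your invoice for 1650 US Dollars is attached. Please pay within 2 business days."

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyse(body))
```

The wallet string extracted this way is also a useful pivot for checking whether the same address appears in other reported messages.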
