For many businesses, email is the front door for communicating with potential and existing customers. This was brought home to me again this morning when I phoned a tree-removal company to ask them to prune some branches that are causing annoyance for our neighbor. After describing the problem, the lady on the other end of the phone asked for some personal information including my email address. After the call, she sent me an email confirming the time and date when the arborist would come over to examine the problem and give us a quote on the work. Her email also included some promotional literature (PDFs) describing the different services their company offers and also some tips on how to take care of trees.
“Email is wonderful,” I thought to myself afterward. “No more long phone calls or noisy fax modems, and I don’t have to wait several days for a postal letter to arrive.” Then I logged onto my laptop and checked my inbox and found this:
As you may have noticed, I sent you an email from your account. This means that I have full access to your account.
I’ve been watching you for a few months now. The fact is that you were infected with malware through an adult site that you visited.
If you are not familiar with this, I will explain. Trojan Virus gives me full access and control over a computer or other device. This means that I can see everything on your screen, turn on the camera and microphone, but you do not know about it. I also have access to all your contacts and all your correspondence.
Why your antivirus did not detect malware? Answer: My malware uses the driver, I update its signatures every 4 hours so that your antivirus is silent.
I made a video showing how you satisfy yourself in the left half of the screen, and in the right half you see the video that you watched. With one click of the mouse, I can send this video to all your emails and contacts on social networks. I can also post access to all your e-mail correspondence and messengers that you use.
If you want to prevent this, transfer the amount of $625 to my bitcoin address (if you do not know how to do this, write to Google: “Buy Bitcoin”). My bitcoin address (BTC Wallet) is: 1DASN5fH1E1PCoxU9qMEF7QDjnXcA2b3Km
After receiving the payment, I will delete the video and you will never hear me again.
I give you 48 hours to pay. I have a notice reading this letter, and the timer will work when you see this letter.
Filing a complaint somewhere does not make sense because this email cannot be tracked like my bitcoin address. I do not make any mistakes.
If I find that you have shared this message with someone else, the video will be immediately distributed.
Empty threat, but still…
I knew it was an empty threat but my heart skipped a beat anyway. A quick examination of the email’s message headers followed by a DNS lookup of the sending host using nslookup showed that the DNS name of the sending host wasn’t registered. And then by using the tool IPAddress.com, I was able to determine that the sending host was a mobile phone of someone in Lahore, Pakistan.
After deleting the email, I checked with several of my colleagues in the IT profession to see if any of them had received any similar extortion emails. One of them by the name of Ian replied that he had recently received the same email. “Almost word for word,” he said. “It was actually in my junk mail, not the inbox. I usually give my junk mail a cursory look, to check for things that may get there when they shouldn’t. This only caught my eye because they referenced an old mail password that had gotten hacked years ago, like eight to 10 years. And that password had long been changed and not used again. That was the only reason I even gave it a second look.”
How to identify spear-phishing emails
I asked Ian what he did himself to identify spear-phishing emails like this. “First, I verify the ‘from’ email address,” he said. “If it is a friend, I make sure it is the right address. If it purports to be from a company I deal with, I make sure the domains are correct. Next, I look for proper grammar in the email. It is pretty easy to tell when a non-English-speaking person wrote the message. Simple typos, verbs in the wrong tense, etc. Lastly, I check the URLs they are trying to send me to. But this is getting more difficult as Microsoft has added a URL checker service to Outlook. Now you get this, which is more difficult to verify:
“My first check (email address is correct) led me to an interesting one,” Ian continued. “There is an even more interesting spear-phishing attack going on right now. The attackers are going after contacts from accounts that they already captured. My mother’s account was compromised. I got an email from her, and the address was correct, so I looked a little deeper. They sent me an email saying it was a link to OneDrive, with an attached PDF that I assume was infected. The link goes to a site specialeventcruises.com and tries to get you to enter your credentials on a fake web page.
“The more interesting thing is they are monitoring the accounts and replying to emails. I verified my mother was not on the computer at the time, then I opened my mother’s email to watch it. I sent her some emails that morning. My ‘mother’ replied to them, trying to tell me that the site was fine. So, I asked for my sister’s name, they got that right — must be checking social media. However, they got my older brother’s name wrong. Oops, I don’t have one! All while I was on the phone with my parents, who were not on the PC. The funny part is that my mother had been complaining to me that she would be in Outlook and see an email appear in her inbox, and then disappear. I could not figure out what was going on, until this.”
Ian finished off by warning me to be careful and never to open such spear-phishing emails. I replied by telling him to say hi to his “mother” the next time he talks to him in Pakistan.
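The checks in this story (reading the Received chain for the originating host, testing whether that host has a DNS name, comparing the visible From address with Reply-To and Return-Path, and looking at the real URL behind a link) can be scripted. The following Python triage helper is an added example, not code from the article or from Ian. The raw message, its addresses and IPs are constructed to resemble the extortion mail above (From spoofed to the recipient's own mailbox, Reply-To elsewhere, first hop a bare IP with no hostname, link wrapped by Outlook Safe Links); `reverse_dns` reproduces the nslookup step and is the only part that needs network access.

```python
import re
import socket
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample (documentation addresses/IPs): not a real captured message.
SAMPLE_RAW = (
    "Return-Path: <bounce@attacker.example>\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from [198.51.100.7] (unknown [198.51.100.7])\n"
    "\tby mail.example.net with ESMTPA; Mon, 1 Jan 2024 09:59:58 +0000\n"
    "From: victim@example.org\n"
    "Reply-To: pay-now@attacker.example\n"
    "To: victim@example.org\n"
    "Subject: Your account has been hacked\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "As you may have noticed, I sent you an email from your account.\n"
    "Proof: https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fspecialeventcruises.com%2Flogin&data=05%7C01&reserved=0\n"
)

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_message(raw):
    return message_from_string(raw, policy=default)


def received_chain(msg):
    """IPs from the Received headers in transit order: earliest hop first.
    Each relay prepends its own header, so the bottom header is the first hop."""
    chain = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = IPV4_IN_BRACKETS.search(str(hdr))
        chain.append(m.group(1) if m else None)
    return chain


def originating_ip(msg):
    chain = received_chain(msg)
    return chain[0] if chain else None


def first_hop_has_no_hostname(msg):
    """True when the first relay only identified the sender by IP (no DNS name)."""
    headers = msg.get_all("Received") or []
    if not headers:
        return False
    earliest = str(headers[-1])
    return bool(re.match(r"\s*from\s+\[", earliest)) or "(unknown [" in earliest


def domain_of(addr_header):
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def sender_domains(msg):
    return {name.lower(): domain_of(msg[name])
            for name in ("From", "Reply-To", "Return-Path", "To")}


def header_findings(msg):
    """Ian's first check, done on headers: does every sender field agree?"""
    d = sender_domains(msg)
    findings = []
    for field in ("reply-to", "return-path"):
        if d[field] and d[field] != d["from"]:
            findings.append(f"{field} domain {d[field]} differs from From domain {d['from']}")
    return findings


def unwrap_safelinks(url):
    """Return the target hidden behind an Outlook Safe Links wrapper, else the URL itself."""
    parts = urlparse(url)
    if parts.hostname and parts.hostname.endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parts.query).get("url")
        if target:
            return target[0]
    return url


def body_urls(msg):
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return [unwrap_safelinks(u) for u in URL_RE.findall(text)]


def reverse_dns(ip):
    """PTR lookup of the first hop (the nslookup step); needs network, None if unregistered."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def triage(raw):
    msg = parse_message(raw)
    return {
        "originating_ip": originating_ip(msg),
        "first_hop_unnamed": first_hop_has_no_hostname(msg),
        "domains": sender_domains(msg),
        "findings": header_findings(msg),
        "urls": body_urls(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Run it on a message saved as raw text (most mail clients offer "view source" or "show original"). The Received chain is only trustworthy from your own provider's relay downward, since anything the sender wrote above its own hop can be forged; that is why the script reads from the bottom up and why a bare IP at the first hop, plus a Reply-To that points somewhere other than the claimed sender, is the combination to look for.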
Featured image: Shutterstock