Blackmail Spam: Preying on Fear
Every e-mail user has received spam at some point. It sometimes includes blackmail or extortion e-mails demanding payment in bitcoins. But that is all one big scam, relying partly on excessive gullibility or the fear that the attacker truly is in possession of personal secrets and is willing to publicly disclose them. The lab experts at AV-TEST explain how blackmail e-mails are structured, what the attackers count on and the best way for you to react.
Most spam e-mails can be blocked quite effectively. Protection software or special tools have been filtering spam mails for years using sophisticated techniques and analyses. In this way, mass e-mails can be identified based on the dispatch server or e-mail addresses. Filtering is aided by identical subject lines in e-mails. If spam e-mail is carrying dangerous links, infected images or attachments, there are technical means to effectively sort them out. Various sources, such as Statista, Cisco or other security providers register a worldwide daily volume of some 300 billion e-mails. Up to 85 percent of them are spam e-mails, which are filtered out per detection techniques, machine learning or AI!
Worldwide: 300 billion e-mails per day!
If spam e-mails have multiple senders, varying subject lines and only text content, however, it is quite difficult to filter them out. Cybercriminals know this, and using this knowledge, they have developed two special types of blackmail e-mails. The user always receives a highly personalized spam e-mail message. In a nutshell, the two e-mail versions sound something like this:
1. "I have all your passwords and access to all your data, as I have totally hacked your system. Either you pay, or I'll steal your identity and your life, and publicly disclose your secrets."
2. "I hacked your webcam and filmed you while you were watching nude photos and pornos. Either you pay, or I'll embarrass you in front of your family, your friends and your employer."
The assertion contained in the first e-mail version is often underscored with matching login details, including an e-mail address and password. In many cases, the users know the stated password. This has two reasons. Either it involves a password used extremely often, such as "12345". Or the specified account data, along with the password, originate from major hacks of databases that were sold or disclosed in the Darknet, such as from MongoDBs, or collections like "Collection#1", which is now up to No. 5. The first collection set already contained 773 million unique e-mail addresses and 21 million passwords. Cyber attackers exploit all this data for their spam e-mails. In exchange for not attacking you, the blackmailer demands a sum in bitcoins, which you are supposed to transfer to a digital wallet; which naturally no one should ever do!
The classic hacker e-mail is intended to deceive users
Google checks passwords stored in the account
Checking passwords stored in Google
"I filmed you watching pornos!"
The second form of e-mail often used relies on the "blame & shame" effect. The sender of the spam e-mail asserts that the recipient was filmed with the help of their own webcam while watching adult content, such as pornos, over the Internet. In the e-mail, the blackmailer or extortioner demands a sum of money in bitcoins in order for them to refrain from sending this film or snapshot to the person's family, acquaintances, friends or employer. The model is the same here as well: a sum of bitcoins is demanded, which the user is supposed to transfer to the specified digital wallet. In exchange, the film or pictures would be permanently deleted.
In both of the above-mentioned e-mail attacks, the attacker naturally also writes that all countermeasures are useless. It is often asserted, for example, that malware prevents passwords from being changed, or that the attacker has already secured compromising film material or embarrassing images in another location.
Blackmail e-mails: It's all one big scam – don't ever pay!
Our tip: do not become unnerved by e-mails like these. Their content and the exploited personal data originate from stolen databases or are matching purely by coincidence. So you should never pay the demanded amount in bitcoins! Everyone has their little secrets and preferences, which for many people includes visiting porn websites. The attackers have nothing they can use against you! They count on the gullibility of users, and they try to exploit the sense of shame. It's important to know: every amount paid in bitcoins only finances further attacks against you and other users.
Unfortunately, there are frequent instances in which scared users do pay the ransom. The relevant bitcoin accounts can also be monitored, as the account key is in fact contained in the e-mail. The lab at AV-TEST did just that with an account, and registered that roughly EUR 750,000 flowed in. As the blackmail e-mail demanded some 800 to 1,000 Euros, this means that nearly 1,000 e-mail recipients paid. For this purpose, the lab tracked some 90,000 e-mails. Thus, while the payment rate was clearly below 0.1 percent, the sum of money received is still very high.
If you frequently receive spam e-mails, you ought to consider a strategy for managing your further e-mail use and your passwords. It is in fact quite simple. First, you ought to check to what extent your e-mail address and your passwords have been compromised. Online services and test tools will help you in this regard.
Check: Who already knows your e-mail address and your passwords?
But criminals are not the only ones who have access to the many hacked databases and publicly disclosed sign-in and log-in details. Many organizations and websites have collected the data volumes, and they provide websites where you can check all your e-mail addresses. Here is a small overview of websites that are recommended.
Anyone who is using a Google account and is logged into a browser can store account details and passwords there. All these sign-in details can then be manually or automatically checked with the help of the browser. In Chrome (or also in Firefox and Edge), this is performed via "Settings”, “Safety check" and under "Check passwords”, for example. There you can find all account details with the notice "Compromised passwords". If you use login details that have already been breached on a website, Chrome will report this immediately and request the user to check all other login details.
SpyCloud also allows you to enter e-mail addresses to see whether they turn up in the databases containing hacked passwords. The process is somewhat more complex, however: after entry of the e-mail address and the check, there is an initial overview of the status. Afterwards, the user may request the receipt of a verification e-mail and is able to subsequently set up an account. There the user is then provided with all the details of the check.
The German Hasso Plattner Institute also offers a security check for e-mail addresses. Data protection regulations (GDPR), however, do not allow for immediate analysis on the screen. That is why the institute sends an e-mail to the verified address with a very detailed analysis.
The website "have i been pwned" has a vast collection of databases with leaked data from the Internet and the Darknet. After running a query of an e-mail address, the website displays as a result all the databases in which the e-mail address shows up, where the respective database originates and which data is recorded there.
Checking passwords using online services
Password check at Spycloud.com
Are your login details already known out there in the world?
AV-Atlas has precise knowledge of the current spam situation
Remedying the situation: change and save passwords
With the right strategy, you can also continue to use a breached e-mail address and must no longer be afraid of anyone's knowing or guessing your passwords. Think about whether you might be able to achieve greater security with one or two additional e-mail addresses. One e-mail address could be used for non-essential websites and prize competitions, the second for more serious web services or forums, and the main e-mail address for all business matters, purchases and orders. Whereas the non-essential e-mail address would have a simple password, you can use somewhat more complex passwords for the others. During registrations, the standard browsers, such as Chrome, Firefox or Edge, can be helpful. Because they not only store login details, but also offer secure passwords created by a password generator.
Use additional tools and online services for passwords
If you do not trust the encrypted storage of the browsers, you can also use other password managers. You can find several of them as an additional feature in your security software, provided you are using a premium version, such as Kaspersky Internet Security Total or Norton 360. F-Secure offers its tool KEY for use free of charge on one PC. But there are several other online services that administer passwords as well. Most of them are even free of charge for private use in the basic version. These include Avira Password Manager, McAfee True Key or LastPass, for example.
If you want to have total control over your passwords, then it is recommended to also use the familiar Windows tool KeePass. This allows you to manage a password database on your PC and individually decide how strongly you would like to encrypt it.
You can obtain strategies for finding the best passwords, along with additional tips on password tools and further safeguarding measures, such as 2-factor authentication, in our article "Secure Passwords – It's a Snap!".
AV-Atlas indicates the current threats
The free platform, AV-Atlas, shows you where spam e-mails and other attacks are currently being distributed.
Under the address AV-Atlas.org, you can find out everything about the topic of current threats, spam, dangerous URLs or malware and PUAs (potentially unwanted applications). The lab at AV-TEST collects dangerous data, e-mails or web addresses around the clock, 365 days a year, and analyzes them. On AV-Atlas, the most dangerous spam e-mails and all information concerning them can be found very quickly and with a user-friendly layout: Which country is currently sending the most spam, which file formats are attached to the e-mails, which subject line is used, and how dangerous the e-mails are – merely annoying advertising, for example, or blackmail spam. Also interesting to note: the current trend in spam.
But AV-Atlas has much more to offer than evaluation of spam. For instance, there are analyses on the latest cyberattacks with malware or PUAs. The overview designates the attack versions and file types, indicating their distribution.
Quite a new feature is the overview of how IoT devices are attacked, e.g. intelligent speakers, app-controlled lamps or thermostats for the home. A word cloud illustrates the passwords used during the attack. In case you recognize several of them, you should quickly refrain from using them and replace them with secure versions.