Pelland Blog

Beware the “Sextortion” Scam: A New Form of Cybercrime Making the Rounds

October 28th, 2018

Most people realize that the ultimate in cyberwarfare would be for one country to take down the power grid, telecommunications network, financial industry, or military and defense networks of a foe country. There is no doubt that the United States, Russia, China and other countries maintain this capability but wisely withhold use of this “nuclear option” in cyberwarfare, although there have been instances where the waters have clearly been tested. As has been recently demonstrated, cyberwarfare tends to take a much more subtle and individualized approach, exploiting weaknesses in things like social networks and ballot tabulations. The same sort of approach, where individuals are targeted, is generally practiced in cybercrime, the aggressive bully that is the awkward little stepbrother of cyberwarfare.

Cybercrime takes a variety of forms but generally targets either individuals or individual companies. Small businesses, where there is often only a subtle distinction between a business and its owners, can be particularly vulnerable. In most instances, the criminal activity exploits vulnerabilities in the security practices of the target. These vulnerabilities include the failure to apply software patches and updates, insecure office practices, and the use of weak, old, and/or repetitive passwords. The results include the easy entry of computer viruses and malware that can turn a computer into a bot on a criminal network or install ransomware that will hold a computer and its files hostage. The same vulnerabilities lead to the proliferation of phishing attempts and other email and telephone scams where the senders or callers impersonate trusted companies in an attempt to obtain passwords, sensitive information like Social Security numbers, your credit card numbers, or remote access to your computer.

One of the latest trends in cybercrime exploits a combination of known hacks and personal fears and anxieties. As most of us know, there have been a number of major websites that have been hacked in recent years, some instances more widely publicized than others. The ultimate victims are the individuals whose personal data has been breached and compromised. The term “pwned” originated in early online gaming as a typographical error in the word “owned”. If you have been “pwned”, it means that your personal information is now “owned” by others. To see if your personal data has been “pwned”, visit the “Have I Been Pwned?” website and enter your email address. At the time of this writing, there are 296 websites that have been “pwned” with over 5 billion accounts compromised. Some of the websites that have been hacked include Adobe, Ancestry, Avast, Comcast, Dropbox, Exactis, Experian, Forbes, Kickstarter, LinkedIn, MySpace, River City Media, Snapchat, Ticketfly, Tumblr, and Yahoo. This list includes websites that you have probably used, and in all likelihood, your personal information has been hacked. In my own instance, my email address has been compromised in 10 of these major hacks, most recently the Exactis hack in June 2018. That recent hack disclosed credit status information, dates of birth, email addresses, income levels, marital statuses, names, phone numbers, physical addresses, and much more from 340 million personal data records.

Stolen passwords are then readily exchanged, sold, or even made freely available on a number of forums and so-called “pastes”, utilized by cybercriminals who are well aware of the human tendency to reuse usernames (many simply the users’ email addresses themselves) and passwords across a variety of websites. Security breaches like the Yahoo and Dropbox hacks go back to 2012. Although savvy Internet users will have changed their passwords on those sites long since then, if those same passwords were used on other websites, the vulnerability remains. More recent hacks will expose passwords that are currently in use, demonstrating a strong argument in favor of changing passwords on a regular basis.

With this combined background information in mind, you will understand how I felt both alarmed and violated when I received an email one evening back in July that made it past the Gmail spam filter. The subject line included a username and password combination that I frequently used 10 or 15 years ago, indicating that somebody had gained access to my personal information, even though it no longer represented valid credentials. The email had successfully caught my attention and, at first glance, seemed like there could be cause for concern. It went on to allege that a visit to pornographic websites led to the installation of remote access and keyboard logging software on my computer that gave the hacker complete access to my email and social media address lists, as well as my computer’s microphone and camera. Cutting to the chase, the sender was threatening to send a compiled split-screen video of the sites I had visited, along with my “interactions” with those sites, to my friends and family members as allegedly compiled from access to my computer. The only way to prevent this from happening was to pay $3,200.00 in Bitcoin (a cryptocurrency that is popular with online thieves) using a key that was provided.

Despite the facts that I do not spend my time visiting pornographic websites, do not have either a camera or microphone installed on my computer, would immediately know if somebody had remote access to my computer, use highly secure passwords, and have Trend Micro Maximum Security software showing that my computer is free of any malware, spyware or viruses, I was still left feeling personally violated. The following morning, I spoke with an agent at the Federal Bureau of Investigation’s Boston field office who told me that this extortion scam had been circulating quite widely throughout the month of July 2018. (In fact, I found a variation in my spam folder a couple of days later, with this second thief only seeking $250.00 in Bitcoin.) The agent also told me that there were people who reported receiving variations that were sent through the mail. I also have friends and clients who told me that they have received the same sort of email during the same time period and as recently as last week. I went on to file an online complaint with the FBI’s Internet Crime Complaint Center, commonly referred to as the IC3. There is also a page on the Krebs on Security website that outlines the “Sextortion” scam and currently includes nearly 1,000 comments from people like me who have received the emails and are trying to warn others against falling victim.

The lessons to be learned are to:

  • Be aware that your personal information has been stolen, probably on multiple occasions.
  • Recognize that your personal information can be used in extortion attempts.
  • Minimize vulnerabilities on your computer and run up-to-date security software.
  • Never trust any email that sets a deadline or seeks payment in cryptocurrency.
  • Never make an extortion or ransom payment.
  • Notify legal authorities if you are a victim.
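
As an added example (not part of the original post), the traits of the scam email described above can be turned into a simple mail triage check. The indicator patterns, the `triage` function, and the sample messages are all constructed for illustration, and the check assumes plain, unencoded text messages.

```python
import re
from email import message_from_string

# Indicator patterns are constructed for this example from the traits the
# post describes; this is a triage heuristic, not a spam filter.
INDICATORS = {
    "crypto_payment": re.compile(r"\b(bitcoin|btc|cryptocurrency)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(hours?|days?)\b|\bdeadline\b", re.I),
    "surveillance_claim": re.compile(
        r"\b(webcam|camera|microphone|key\s?logger|remote access)\b", re.I),
    "threat_to_contacts": re.compile(
        r"\b(friends|family|contacts|address book)\b", re.I),
}

def text_of(msg):
    """Return the subject plus every text/plain part of a parsed message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload())
    return "\n".join(parts)

def triage(raw_message, retired_passwords):
    """Return (indicators found, verdict) for one raw email message."""
    text = text_of(message_from_string(raw_message))
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    # A password retired years ago is the hook: it points to an old breach
    # dump, not to access to the recipient's computer.
    if any(pw and pw in text for pw in retired_passwords):
        found.append("retired_password_quoted")
    extortion = "crypto_payment" in found and len(found) >= 3
    return found, ("likely extortion scam" if extortion else "no match")

# Constructed sample messages (not real mail).
SCAM = """From: someone@example.invalid
Subject: jdoe - hunter2old

I installed remote access software and recorded you through your camera.
Pay $3,200 in Bitcoin within 24 hours or the video goes to your friends
and family.
"""
BENIGN = """From: billing@example.invalid
Subject: Your invoice

Your invoice is attached. Payment is due in 30 days by check or card.
"""
```

Calling `triage(SCAM, ["hunter2old"])` reports all five indicators, while the benign invoice trips only the deadline pattern and is not flagged.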

It is challenging enough running a small business these days. Nobody needs to waste time, worries, or money with the perpetrators of online scams, who are going to continue to evolve into using more creative and credible formats.

This post was written by Peter Pelland

Red Flag Emails

October 15th, 2018

An email that recently made the rounds among campground owners encouraged them to “renew” their advertising on the Go RV Park website. In instances that were called to my attention, Maryland campground owners were provided a link to a page where they could see their advertising located, along with a $49.00 renewal price. The email also stated that the website had “acquired the Maryland Campground and RV Park Directory Inc. and SW Publications Nationwide.” At first glance, $49.00 sounds like a good deal, and the fact that your park (and every other park whose data has been harvested) is already listed makes the “renewal” make sense.

Take a second glance before reaching for your wallet. The “Maryland Campground and RV Park Directory Inc.” does not exist to my knowledge, although it sounds both legitimate and oddly similar to the directory of the Maryland Association of Campgrounds. Then, “SW Publications Nationwide” is another company that appears to be both nonexistent and very similar to “Southeast Publications”, a well-recognized vendor within the campground industry. Many of us tend to miss the little details, and many people who read “SW Publications” mistakenly interpreted that as “Southeast Publications”. Finally, the GoRVPark.com website sounds confusingly similar to the GoRVing.com website that is a partnership of the RVIA, the RVDA, and National ARVC.

In addition to your own listing and compiled listings of every other campground, the website features banner ads for industry giants that include KOA, ELS, Good Sam, Bass Pro Shops, and Walt Disney World’s Fort Wilderness Campground. This certainly suggests legitimacy, but who says that any of those businesses paid for, authorized, or might even be aware of their ad space (at least until now)?

Back to the $49.00 “renewal” price, that would truly appear to be a bargain. The company’s website offers a $149.00 advertising fee and says that “This $149.00 yearly price is for a LIMITED time only. RV Parks, Campgrounds & RV Resorts who sign up NOW will NEVER be subject to the regular annual cost of $499.00 per year.” Interestingly enough, this exact wording appears on the earliest appearance of the website on the Internet Archive, when it was apparently launched in 2010. How can this possibly be a “LIMITED time” offer? To further suggest its authenticity, the website claims that “Go RV Park is the #1 Google ranked portal and intuitive network of websites for RV information.” Beyond the fact that this gobbledygook is total nonsense, a Google search for “RV information” shows the website totally missing in action, at least on the first 10 pages of search results.

Fortunately, the assessment that I provided to the Maryland Association of Campgrounds was shared with its membership as well as National ARVC, which issued a press release warning members to read their emails carefully before responding to this type of offer.

Another type of email that is not specific to the campground industry but seems to continually make the rounds is the one that scares recipients into believing that their domain names are ready to expire and need to be renewed immediately. Only the fine print (which many people either skim or do not read) explains that the senders are not domain name registrars but are selling highly suspect “traffic generator software tools”, implying that failure to pay for the “search engine optimization service by the expiration date, may result in the cancellation of this search engine optimization domain name notification notice.” (Don’t think for a minute that anything you do will stop these email notices!) Along with a number of payment links and the recommendation to “Act immediately”, the recipient will typically misread the words “Failure to complete your SEO domain name registration search engine optimization service process may make it difficult for customers to find you on the web.” This statement means absolutely nothing, but many people think that their domain name registration is ready to expire, or that their listing on Google is ready to suddenly disappear, and pay the fee (typically $84.00 or $86.00) before they realize their mistake. Fortunately, most reputable email service providers (such as Gmail) send these solicitations into spam folders.

Another email scam is the one that sells compiled email lists. They usually state that the lists are “opt-in verified, 100% permission based and can be used for unlimited multi-channel marketing.” One that I recently received began with the words, “Greetings of the day! Would you be interested in acquiring an email list of ‘RV Owners List’ from USA? (sic)” Another that came in within the last 48 hours offered “100K Email Marketing only for $160 USD, regular price $360 USD” or “900+ Million World Wide Email List only for $75 USD, Regular Price is $450 USD (sic).” Unless you like receiving spam yourself, want to get your email account closed, want to have an email marketing account terminated, and want to be reviled by most recipients, do not even think of buying or using a compiled list. Again, most of these solicitations end up in spam folders themselves.

Confusion over email scams like these is quite valid, as evidenced by the dozens of emails that clients have forwarded to me, wondering whether or not the emails are legitimate. Scammers like these profit tremendously if only a small percentage of recipients fall for the bait, and knowledge like this is your best defense against becoming victimized.

This post was written by Peter Pelland