Friday, January 4, 2019

Don't Hack a Hacker

This morning I got done skiing and had to work from my home office. I sat down at my desk and got an e-mail that began with the following:

   Hello!
   My nickname in darknet is HckD4*.

The poor grammar suggests that the writer is not a native English speaker. Already I am preparing for a SPAM e-mail, but I am intrigued. It goes on:

   I hacked this mailbox more than six 
   months ago, through it I infected your 
   operating system with a virus (trojan) 
   created by me and have been monitoring 
   you for a long time.

Interesting. I wonder if HckD4* is as tired of all the SPAM I get or if he/she thinks I get a lot of important e-mails? The message goes on:

   If you don't belive me please check 
   'from address' in your header, you will 
   see that I sent you an email from your 
   mailbox.

Well, that's not hard to do at all. If you know anything about the Simple Mail Transfer Protocol, or SMTP, then you know that the From address is just text the sender types in; anyone with about an hour of experience can fake a message to look like it came from your own server. The trick is to look at the full headers of the e-mail, specifically the Received: lines that each relaying server adds, to see where the message actually came from. In my e-mail client, I selected the option to show all of the header information and saw that the message came from a server named z3.hck7.pro, which is located in Panama. Needless to say, that is nowhere near where my e-mail server is located. My original hunch was correct: this is just a SPAM e-mail.
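The header check described above, as an added example that is not part of the original post: it walks the Received: chain of a constructed message whose From: claims the victim's own mailbox, and reads the receiving server's SPF verdict. The hostnames, IP addresses and mail.example.com (standing in for your own mail server) are all constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the post's e-mail: From: claims the victim's own
# mailbox, but the Received: chain shows it entered via an unrelated host.
SAMPLE = """Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com with ESMTP id abc123; Fri, 4 Jan 2019 08:01:00 -0700
Received: from z3.hck7.pro (z3.hck7.pro [203.0.113.45])
\tby mail.example.com with ESMTP id def456; Fri, 4 Jan 2019 08:00:58 -0700
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
From: victim@example.com
Subject: My nickname in darknet is HckD4*
"""
RECEIVED_FROM = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)

def received_chain(raw):
    """Relay hostnames from the Received: headers, earliest hop first: each server
    prepends its own line, so the last one in the message is the first hop.
    Only lines added by servers you trust are reliable; the rest can be forged."""
    msg = email.message_from_string(raw)
    matches = [RECEIVED_FROM.match(v) for v in msg.get_all("Received", [])]
    return [m.group(1) for m in reversed(matches) if m]

def from_domain(raw):
    """Domain of the (trivially forged) From: header."""
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def spf_result(raw):
    """SPF verdict the receiving server recorded, if any."""
    for v in email.message_from_string(raw).get_all("Authentication-Results", []):
        m = re.search(r"\bspf=(\w+)", v)
        if m:
            return m.group(1).lower()
    return None

def spoof_indicators(raw, own_servers):
    """Reasons not to trust From:. own_servers (assumed) are the hostnames that
    mail for the From: domain legitimately originates from."""
    reasons = []
    chain = received_chain(raw)
    if not chain:
        reasons.append("no Received: headers to trace")
    elif chain[0].lower() not in {h.lower() for h in own_servers}:
        reasons.append(f"first hop {chain[0]} is not a known server for {from_domain(raw)}")
    spf = spf_result(raw)
    if spf and spf != "pass":
        reasons.append(f"SPF result is {spf}")
    return reasons
```

Run `spoof_indicators(SAMPLE, ["mail.example.com"])` to see both findings: the first hop is not your server, and SPF failed.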

For your enjoyment and mine, the message continues:

   I have access to all your accounts, 
   social networks, email, browsing 
   history. Accordingly, I have the data 
   of all your contacts, files from your 
   computer, photos and videos.

Even if I believed this person, there is nothing of value there. I don't do a lot of social networking. I don't visit questionable or incriminating websites. All of the photos on my computer are tasteful and probably boring to most people besides me. So at this point, there is nothing compelling me to be afraid. Now we get to the point of the message:

   I was most struck by the intimate 
   content sites that you occasionally 
   visit. You have a very wild imagination, 
   I tell you!

Wow! If I didn't know this was a fake before now, I do now. Sure I visit a lot of video game sites but that shouldn't be embarrassing. What else would make me embarrassed?

   During your pastime and entertainment 
   there, I took screenshot through the 
   camera of your device, synchronizing 
   with what you are watching. Oh my god! 
   You are so funny and excited!

Oh, if this were real, he/she must have a picture of me picking my nose or something. That really isn't that embarrassing. Furthermore, my e-mail computer doesn't have a camera connected. My laptop does, but it is from work and is so locked down with security software that there is not a chance in the world someone has hacked into it. Trust me, our IT department takes a lot of crap because we have so much anti-virus software. For once I am glad it is there. Oh, my laptop is also a Mac, and there are significantly fewer virus programs written for the Mac.

Finally, the hacker tells me what he/she is really after:

   I think that you do not want all your 
   contacts to get these files, right? If 
   you are of the same opinion, then I 
   think that $1000 is quite a fair price 
   to destroy the dirt I created.

The message then goes on to give me a bitcoin wallet and where to send the money.

Messages like this really make me angry. I have been using computers for a long time and know how to verify whether a message is real or not. What about other people who don't? Hopefully you don't fall for such an obvious fake. How can you tell if it is a fake message? Well, think about legitimate e-mails from people like your credit card company. A genuine extortion e-mail would include some of the following:

  1. Your actual name - This e-mail did not contain my name at all. It had my e-mail address, but that is necessary to contact me in the first place. If the hacker had really been spying on me, he/she would at least know my real name.
  2. Some other information about you - Credit card companies always tell you the message is about your account ending in 4 specific digits. If those digits don't match any of your credit cards, you know it is a fake, unless someone has opened a credit card in your name without you knowing about it (but that is a topic for another time). This e-mail had nothing like that.
  3. Some sort of proof - If you are going to try to extort $1000 from me, you had better have some sort of proof that I have done something worth hiding from all of my contacts. How hard is it to send an image as proof? If you have the images claimed in the e-mail, it isn't. If you don't, it is impossible.

The more I thought about this e-mail, the more I realized how fake it actually is. Let's assume I have spent some of my computer time doing something I want to hide from my wife or contacts. Is it actually worth $1000 to keep hidden? Most of the people I know who cruise the Internet for pornography don't try to hide it. They may not brag about it in mixed company, but they are also not ashamed of it. Sure, some people will be embarrassed, but it might start a conversation that needed to take place anyway.

Hopefully none of you fall for such a scam. If you would like another source talking about this same e-mail in more detail, here is a good article.
