So, let me explain. As you may or may not be aware, we do a lot of work related to sextortion/webcam blackmail here. A lot of other people are also talking right now about the same subject, but there’s a lot of misinformation out there. Too many “experts” spouting off Chinese whispers versions of advice and getting some of the really important stuff wrong. I felt the time was right to put out what I feel is a “definitive” guide. It’s one based on over 6 years’ experience in dealing with these scams and over 25,000 forms containing scammer data. This one isn’t really for the victims of the scams though, but for everyone else. Some of the information will be similar to our steps, but again it’s for more of a general overview of the scam, how it works and so on. It’s still a work in progress right now, as I tend to write up what’s needed all in one go and then rewrite, add to, take away from, shuffle around and generally alter my work until it barely looks like the first draft anymore. I’m kind of 95% happy with it as it is right now, but there’s still no doubt going to be changes made to it over the next few weeks. If you want to check it out, go to https://www.scamsurvivors.com/sextortion/ and please let me know what you think.
Early this morning, I was checking my social media feeds and spotted this comment from Avast! on Facebook:
Earlier that day I’d picked up a copy of a newspaper that had an article on sextortion we’d worked with them on. The last quote from me in that was “Don’t let shame kill you”. Now I’m seeing this company publicly call victims of “all online scams” greedy. They also posted it on their Twitter feed, but this time the wording was slightly different:
Not “All online scams” this time, but rather “Online scams”. This shows someone took the time to edit the wording before posting it. Due to this, we’ve made the decision to no longer recommend Avast! antivirus on our site and have removed the links to their download page from both our steps and the “read this first” thread. We’ve also removed their software from our own computers and switched to a different company. It’s a constant struggle fighting the “victims are stupid and greedy” myth, and posts like this only make it harder. Now we’re not denying that some people get caught up in scams due to their own greed, but many become sucked in due to naivety, desperation, even the desire to do good. Are charity scam victims greedy? Are “work from home” scam victims greedy? Are romance scam victims greedy? What about the victims of hitman scams? Grandparent scams? Phishing? “Tech support” scams? I could go on. Dismissing all scam victims as greedy is not only lazy reporting, but puts victims at risk. We at ScamSurvivors refuse to support anyone who makes such sweeping, harmful statements. We should all be better than that.
Almost every interview I do, I make a point of saying that scam victims aren’t stupid. Naive maybe, uninformed, possibly unaware, but not stupid. Today I see someone again refer to scam victims as stupid, and it pisses me off! What made this one worse is that it was an “industry insider”. We have a hard enough time as it is trying to shake perceptions that scam victims are greedy or stupid, without having to fight people within our own ranks who feel it’s fine to throw this kind of crap around. I’ve met scam victims face to face on many occasions, and not one of them could be described as “stupid”. I’ve met people who ran their own companies, who were smart, well spoken and who had simply made an error of judgment. But yes, let’s go the lazy route and joke about “stupid victims”, shall we?
Recently I had a conversation about phishing emails on Twitter. Today a perfect example of a phishing email to use for a tutorial popped into my inbox. Phishing emails are ones that try to fool you into clicking on a link a scammer has control of, while thinking you’re clicking on a completely different one (your bank for example). It could be to trick you into giving them information or to load a virus on your computer. Let’s pick the one I have apart to see the signs that it’s a scam. Firstly, if you receive an email with links, the safest thing to do is not to click on them. If you get an email from your bank etc. and you’re worried, then go directly to the site itself rather than click on the link. However, some of us like digging deeper. Some of us even go as far as to get as many details as we can so we can attempt to get the fake site shut down. This is for the more curious of us.
The very fact I received it at an address specifically set up to collect scam emails tells me it’s fake. However, we’ll skip over that fact and look at the email itself. I’m using a PC to do this. Those using touch screens won’t be able to do all these steps, but can still do some. Here’s a screen grab of the email in question.
Even from this, it’s obvious to me it’s a scam. Take a look at the email address.
Why would “Diamond Bank Plc” send out an email from a completely different domain? The scammer could have faked the email address to make it appear as if it had come from the bank, but didn’t in this case. That site used in the email actually does exist, and has been around for a while. It’s likely the scammer has hacked into the site to use as a way to send out emails.
Let’s hover over the link. This is the single step you usually see as advice, but as you’ll see, there’s much more an inquisitive mind can do. Hovering shows up a completely different link.
Gee, that’s not the bank’s address now, is it? Scammers can alter the link to make it appear as if it’s genuine. Not in this case though. This is a nice, easy one to spot. The site is genuine and likely another one hacked by the scammer (or hacked by someone else and the details sold to the scammer).
What next? Well, let’s take a look at the bank’s logo. By right clicking on it and copying its address, we get this link.
https://ci4.googleusercontent.com/proxy/8iaLuXT6miPo0hQH8VyUz38= sz0XuF3lJ0TOfYnud9xblce1XitvZBJGik6UVx__Yz5I3t0dKj_T3e1DcuoJMEOLe9kmcJNUlaX= 78zsTdp7eKfizCuYDES3RYiKxqhA=3Ds0-d-e1-ft#http://www.diamondbank.com/wp-con= tent/themes/diamondbank/images/logo.png
The image link is from a Google search and not the actual site. Real emails would link directly to the actual image on their own server. Some scammers do that of course, so while it’s something to check, don’t take it as being genuine just because the image is from the right place. Everything we’re doing is a piece of a picture, one that’ll show the email to be a scam.
Now, here’s something cool regarding that image. When I took its location, stripped out all the Google stuff and put it into my browser, the way the word “content” is broken up throws up an error page. Want to see it?
See, I told you it was cool!
Edit – The link no longer gives the error page it used to, which was a scam warning.
We haven’t even looked at the headers yet. Let’s do that now to see what we can see. My catcher account is a Yahoo one, so I click “More” and “View raw message”. Other accounts may have “Show original”, “show headers” or something similar. What you should see at this point is a lot of text, most of which will look like garbage. We’re going to look at a few things here, and let’s start with the originating IP address. This can be another piece of that picture if we’re lucky. IP addresses in headers are a clue to the route the email took to get to you.
The IP address in this case is 22.214.171.124 so let’s look it up.
Let’s look around for another IP address to see what that gives us. Your location will be on the top, theirs on the bottom. Sure enough, we find one last IP address just below the one we showed earlier. You can ignore the one starting with 192. That’s just an internal number that identifies the computer to any other devices connected to the router.
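For those who would rather let a script read the headers, here is an added example (not part of the original post) that walks the Received lines of a raw message from the bottom up and flags internal addresses such as the 192.168 one. The message, host names and IP addresses are constructed for illustration, and the function names are my own.

```python
import email
import ipaddress
import re

# Constructed sample: example.* host names and documentation-range IPs only.
RAW = """\
Received: from mx.catcher.example (mx.catcher.example [198.51.100.7])
\tby inbox.catcher.example with ESMTP; Mon, 01 Jan 2018 10:00:02 +0000
Received: from web.hacked-site.example (web.hacked-site.example [203.0.113.25])
\tby mx.catcher.example with ESMTP; Mon, 01 Jan 2018 10:00:01 +0000
Received: from [192.168.1.4] (unknown [192.0.2.99])
\tby web.hacked-site.example with ESMTPA; Mon, 01 Jan 2018 10:00:00 +0000
From: "Diamond Bank Plc" <info@hacked-site.example>
Subject: Account update

body
"""

# Internal ranges are listed explicitly: Python's is_private would also
# flag the documentation ranges this sample uses as stand-in public IPs.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hops(raw):
    """Return [(ip, is_internal)] ordered from the sender's end upwards."""
    msg = email.message_from_string(raw)
    found = []
    # Each server adds its Received line on top, so the oldest is last.
    for header in reversed(msg.get_all("Received", [])):
        for text in IP_RE.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed text that is not a valid IPv4 address
            found.append((str(ip), any(ip in net for net in INTERNAL)))
    return found

def external_hops(raw):
    """Only the addresses worth looking up, sender's end first."""
    return [ip for ip, internal in hops(raw) if not internal]

if __name__ == "__main__":
    for ip, internal in hops(RAW):
        print(ip, "(internal, ignore)" if internal else "(look this one up)")
```

Only the Received lines added by your own mail provider can be fully trusted; anything below them was written by servers further back and can be faked by the sender.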
Before we get to the other IP address, did you spot that site address, and did it ring a bell? It’s the same as the details from the previous IP address. We’ve now got three possibly compromised websites listed. OK, so back to the new IP address. Where does that lead us?
Now there’s a place we all recognise as a hotbed of scammer activity. Seems we’ve found the actual source of the email at last. We’re not in an episode of CSI though, so we can’t go any further than that on the IP address route. Time to move on to see what else we can find. How about those links? We’re going to look at the coding of the links.
For those with an understanding of HTML, there’s no need for me to explain. For those without, ignore all that stuff in the square brackets. The only things you need to look at are the links. The link you’ll be taken to if you click it is in the quotation marks, and the text you’ll see on the link to make it appear legitimate is next. That could say anything at all, but the scammer used a web address to make it appear at first glance that’s where you’ll go if you click it.
So, what did we get out of this phishing email? Hovering showed us it was an obvious fake, but more digging not only showed us where the scam was sent from, but gave us a list of three different compromised websites and let us see the code the scammer used. Hovering can work in detecting an obvious fake, digging deeper can show you so much more, but not clicking on any links you receive in emails or messages will 100% guarantee you, your data and your computer remain safe.