{"id":466,"date":"2019-03-20T15:57:02","date_gmt":"2019-03-20T15:57:02","guid":{"rendered":"https:\/\/eset-blog.aist.fun\/i-didnt-see-what-you-did-redux\/"},"modified":"2019-11-28T13:48:29","modified_gmt":"2019-11-28T11:48:29","slug":"i-didnt-see-what-you-did-redux","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2019\/03\/20\/i-didnt-see-what-you-did-redux\/","title":{"rendered":"I didn\u2019t see what you did, redux"},"content":{"rendered":"\n

For more than 30 years, I\u2019ve had the privilege of assisting people get rid of viruses and other malicious software.  In the course of doing so, I\u2019ve often been asked questions about computer security-related topics that are not product-specific.  Some are simple or easily answered; some are complex or require careful explanation and additional research.  In this column, I\u2019ll address questions I\u2019ve been asked, and that you may ask, that don\u2019t fall into the kind of categories answered in product manuals or KnowledgeBases.  Whether or not you are an ESET customer, feel free to ask and I\u2019ll give it my best shot to answer!<\/em><\/p>\n\n\n\n

In July 2018, ESET North America started getting queries from people (Fred, Bunny M., and others) who had received emails claiming that their computers had been hacked, and that the attacker had videos of them watching \u201cadult content.\u201d  These were examples of so-called \u201csextortion scams\u201d; we wrote about it in July 2018, in a post entitled I saw what you did\u2026or did I?<\/a><\/p>\n\n\n\n

Over the past few days, we\u2019ve started getting new reports of similar, but noticeably different, blackmail attempts; indeed, I\u2019ve received several in my own personal mailbox (Ha!  Nice try). So it\u2019s time to revisit this; thanks to Barry G., Tim R., and others for bringing these to our attention.<\/p>\n\n\n\n

When we wrote about this scam before, it was a case of \u201cteach you to recognize a particular phish, and you\u2019ll be safe from that specific attack\u201d; today and in a few follow-up posts, I\u2019ll try to teach you to recognize all <\/em>phishes, so you\u2019ll be safe from any similar attack.  [No, technically these aren\u2019t phishing attacks<\/a>, but they do <\/em>try to extract money from their intended victims, so: \u201cclose enough.\u201d Maybe we\u2019ll do a series on recognizing actual phishes in future posts.]<\/p>\n\n\n\n

Since the scammers are always rolling out new traps to try to ensnare their intended victims, this will be a process that needs regular updating; indeed, to cover all I want to discuss and not make it into War and Peace<\/em><\/a>, I\u2019m breaking this discussion up into more-easily digested sections. This may be an ongoing project for Vox<\/em>, so let\u2019s get started.<\/p>\n\n\n\n

First, let\u2019s look at blackmail in general \u2013 it\u2019s pretty much the same for cyberspace as it is in-person. Blackmail requires several elements: (a) something the intended victim would want to keep secret, (b) some kind of proof that the blackmailer has that \u201csomething\u201d, (c) a threat, and (d) a way provided by the blackmailer for the intended victim to \u201cavoid\u201d that threatened action \u2013 usually money, though there are other possibilities.<\/p>\n\n\n\n

With that in mind, here\u2019s an example of one of the recent sextortion emails:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 1: New sextortion scam, March 2019<\/p>\n\n\n\n

The Secret<\/h2>\n\n\n\n

Here, the secret is that the intended victim is accused of viewing adult material that is, at best, embarrassing if revealed to family, co-workers, etc.  In our example above, we have:<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Figure 2: The Secret<\/p>\n\n\n\n

So: is the secret real?  Well, if you never <\/em>have visited a porn site (on purpose, anyway), or someone who hasn\u2019t visited such a site more recently than, as the attacker states, \u201ca few months ago\u201d, then you KNOW the email is a scam, and hence you can ignore it.<\/p>\n\n\n\n

But what if you\u2019re someone who does view adult content, at least occasionally?  Then, according to \u2018Net statistics, \u201cWelcome to the club.\u201d  And what if, as reported in the Wall Street Journal\u2019s Twitter feed<\/a> in 2013, you are one of the \u201c40 million Americans [who] are regular visitors to porn sites \u2013 including 70% of 18- to 34-year-olds\u201d?  Then the threat is still <\/em>fairly empty.  Here\u2019s why: The mere fact that so many people view adult material, and that it is considered taboo in many circles, makes this secret one that the potential victim may well want to keep <\/em>secret, and hence it is an attractive target for the blackmailer: the attacker can make a claim that may not be based on fact in any way, but that sounds convincing, and many potential victims will have cause to believe the attacker\u2019s claims.  So the attacker can just \u201cspray and pray\u201d that some potential victims get hooked on the bait.  But to test whether this is the case here \u2013 that the attacker actually knows the secret \u2013 we need to dig more deeply.<\/p>\n\n\n\n

The \u201cproof\u201d<\/h2>\n\n\n\n

In our example, the supposed proof is threefold:<\/p>\n\n\n\n