Sunday, September 11, 2016

Escalating from annoyance to crime

Nearly everyone with an email address gets spam. It’s often laughably stupid, but every once in awhile it’s not funny at all, not when it takes a dark turn. I recently received one that attempted extortion.

Over the years I’ve received a lot of emails that purported to be a business wanting me to click a link to log in to do something or other. While every once in awhile they’re pretending to be from a company I might theoretically do business with, they’re usually from US or European credit card companies or banks. Even the ones pretending to be from a company I might plausibly do business with are filled with poor spelling/grammar and, usually, sentence structure proving it originated in a country where English is not the first language. As if all of that wasn’t enough to make the scam obvious, they almost always get the name wrong, assuming my email address is my name, often leading to hilarious results.

Every once in awhile, though, I get an email from some scammer trying to scare me as the recipient. I wrote about one of those times in March of last year, when a scammer tired to convince me they were from some court somewhere, even though it was blatantly obvious they were nothing of the sort. So, because it was so transparently fraudulent, it, too, was kind of funny.

But recently I received an email that claimed to be from a hacker group claiming it had examined the security of my network and determined that it was vulnerable. It said that if I didn’t send them one bitcoin by the following day, they’d take the network down, and if that happened, it would take 20 bitcoins to get them to release it.

Now, I’ll be honest that while I know what bitcoins are, I had no idea what that was in real money. It turns out that today one bitcoin is “worth” $838 (about US$613). That means the second amount would be, theoretically, $17,060 (US$12,260).

It was, of course, a scam. The email referred to a network I don’t actually control, and those who do are constantly on the watch for real attacks from hacker criminals. Not only is network security not my responsibility, it’s not even something I could do anything about if I wanted to. I knew all that. I also know that the email I received wasn’t even sent to a real address, but a non-existent one that got to me because I have the “catch-all” email address for all incorrectly addressed email. So, just like the fake “court” email last year, this one was also fake.

Even so, I had a brief moment where I wondered if it was real. They count on that, of course, but also people panicking and doing as they say, which I’d never do. But after having had problems with one of my sites a couple weeks back that took me days to resolve, and with hacking by the Russian government in the news, I did pause for a moment.

Of course, I ignored the email, and, of course, nothing happened. And then, in order to blog about it, I looked at the email again and noticed some more problems with it.

The email used “techy” sounding words and phrases that to someone with no knowledge of computers, computer networks, the Internet, etc., might sound legitimate. But it was really just a word salad, using phrases that meant absolutely nothing, or using words to mean something other than what they really do—or both together.

Even the whole bitcoin shtick was to catch non-tech savvy people out (the email provided a tutorial of sorts, written badly by someone who doesn't have English as their first language, on how to use bitcoins complete with links I didn’t follow). It sounded all techy and stuff, and plausible for a criminal hacker gang, but if they’d tried to extort that much real money, any normal person would just delete it. There was a sort of dumb evil genius to their approach.

Run-of-the-mill spammers count on that tiny percentage of recipients who will click on an infected attachment, or who will follow a link to a site offering female companionship or prescription drugs or whatever. More serious criminals use faked emails from real companies to try to hoodwink people into willingly giving them account details so they can steal money. But this is the first email I’ve ever gotten that tried to extort money directly, which is, of course, a crime.

All spam is annoying, and if there really was a hell, it would be filled with spammers burning for all eternity. Well, that’s what people like to say. But how much worse would the hell be for the criminal spammers?

Spam will never go away. Neither will spammers who try to scare people into falling for their scam. Like everyone else, I sure wish there was a way to get rid of spammers/scammers forever. Instead, we'll just have to pretend that’s what we’re doing whenever we hit the key that says “delete”.

No comments: