I received the laziest ransom email of all time

Every now and then I check my email’s spam folder to see if something slipped through. Most of the time there’s little to see: lots of spam and the occasional newsletter I signed up for but immediately forgot about.

But today I found something that caught my eye immediately: the subject line was “Password” followed by a password I used to use years ago. Out of curiosity I opened and read the email. To be clear I don’t recommend opening unknown email unless you know what you’re doing.

Here’s the email as it appears with some minor redactions:

Subject: Password – [redacted password]
Sender: 196.181.140.173
To: [redacted password]
 

[redacted password] one of your pass word. Lets get directly to point. You don’t know me and you’re most likely wondering why you are getting this e mail? No-one has paid me to check about you.
 

In fact, I installed a software on the 18+ vids (porn material) web site and you know what, you visited this website to experience fun (you know what I mean). When you were viewing videos, your browser started operating as a Remote control Desktop with a key logger which provided me access to your display screen as well as web camera. Right after that, my software gathered your complete contacts from your Messenger, FB, as well as emailaccount. And then I created a double video. 1st part displays the video you were watching (you’ve got a good taste ; )), and 2nd part displays the recording of your cam, yeah it is u.
 

You do have 2 solutions. We will check out the possibilities in aspects:
 

1st choice is to ignore this message. Then, I most certainly will send out your video recording to every single one of your personal contacts and you can easily imagine about the awkwardness you experience. Not to forget in case you are in a committed relationship, exactly how it is going to affect?
 

Other option is to give me $991. I will call it a donation. Consequently, I most certainly will instantly discard your video footage. You can resume your way of life like this never occurred and you will never hear back again from me.
 

You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
 

BTC Address: [redacted Bitcoin address]
[CASE SENSITIVE, copy and paste it]
 

If you have been thinking about going to the law, good, this email cannot be traced back to me. I have taken care of my moves. I am not looking to ask you for money so much, I just like to be paid.
 

You have one day to make the payment. I have a special pixel within this mail, and right now I know that you have read this email message. If I do not receive the BitCoins, I will definitely send out your video to all of your contacts including friends and family, co-workers, and so on. Having said that, if I receive the payment, I’ll destroy the video immediately. If you really want proof, reply Yes! then I definitely will send your video to your 10 contacts. It is a nonnegotiable offer that being said don’t waste my time and yours by replying to this email.

So it’s a ransom attempt and Gmail flagged it as spam. Normally I’d think of spam as a Nigerian prince who wants to make me rich rather than extortion. At first glance this looks personal, but diving in there’s less to see here than meets the eye.

 
Breaking it down

Before I get into the technical details let’s go over this email line by line, shall we?

[redacted password] one of your pass word. Lets get directly to point. You don’t know me and you’re most likely wondering why you are getting this e mail? No-one has paid me to check about you.

Yeah, I’m not really wondering. That was my password on a few sites back in the day, including a major one that got hacked. Someone managed to get the email address and password I used on that site — admittedly over a decade later — and is now sending a spam message to everyone in that database.

Given that the password isn’t easily guessable and appears here in plain text, I’m pretty sure I know which database hack it came from.

In fact, I installed a software on the 18+ vids (porn material) web site and you know what, you visited this website to experience fun (you know what I mean). When you were viewing videos, your browser started operating as a Remote control Desktop with a key logger which provided me access to your display screen as well as web camera. Right after that, my software gathered your complete contacts from your Messenger, FB, as well as emailaccount. And then I created a double video. 1st part displays the video you were watching (you’ve got a good taste ; )), and 2nd part displays the recording of your cam, yeah it is u.

These are some pretty wild claims. Based on the email address and password I used a long time ago, this person installed some kind of hack on an unspecified porn video website that allowed them to control not only my computer, but also hack into my Facebook and email accounts. That sounds like something the NSA might be able to do — in a bad movie. The line “yeah it is u” is hard to believe: so far they haven’t used even my first name in this message, so how could they possibly identify me from a video?

Some other minor problems: I don’t tend to watch porn videos, or worse — use Facebook.

You do have 2 solutions. We will check out the possibilities in aspects:

The classic sales technique of limiting the options! Oooooh, I can’t wait to find out what the options are.

1st choice is to ignore this message. Then, I most certainly will send out your video recording to every single one of your personal contacts and you can easily imagine about the awkwardness you experience. Not to forget in case you are in a committed relationship, exactly how it is going to affect?

A couple tips:

  • If you’re going to make a threat it should be very specific. Name the target’s personal contacts, and brush up if they’re in a relationship or not in advance.
  • It’s hard to take a threat seriously with such poor grammar. Proofreading is important.

Other option is to give me $991. I will call it a donation. Consequently, I most certainly will instantly discard your video footage. You can resume your way of life like this never occurred and you will never hear back again from me.

A donation? Nice, so not only will this threat go away, but I can write this off on my taxes. And thanks for making it $991, what a bargain. If it were $1,000 I’d have second thoughts about making the payment.

You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).
 

BTC Address: [redacted Bitcoin address]
[CASE SENSITIVE, copy and paste it]

Bitcoin? We all know that’s a huge pain to use, right? I have better things to do, maybe just send everyone the videos already.

If you have been thinking about going to the law, good, this email cannot be traced back to me. I have taken care of my moves. I am not looking to ask you for money so much, I just like to be paid.

“Hello, Internet Police? I’ve got a half-hearted ransom scam email to report.”

You have one day to make the payment. I have a special pixel within this mail, and right now I know that you have read this email message. If I do not receive the BitCoins, I will definitely send out your video to all of your contacts including friends and family, co-workers, and so on. Having said that, if I receive the payment, I’ll destroy the video immediately. If you really want proof, reply Yes! then I definitely will send your video to your 10 contacts. It is a nonnegotiable offer that being said don’t waste my time and yours by replying to this email.

Sounds like there’s a tracking pixel in the email (a surprisingly common trick for verifying that a message was read), and asking for proof of anything said here will have negative consequences.

Wonder who those 10 contacts are… can’t even name one of them?

 
Technical details

Gmail flagged this email as spam. It’s unclear why, as Google’s spam filter is proprietary, but this email presumably set off some red flags: there’s a lot of text in common with other emails, the sender is a seemingly fake IP address, and it was sent over an insecure connection.

But it gets worse. The headers show the email allegedly came from the email server at mixedthings.net. This domain is known for sending spam, according to a quick web search. Reports include similar ransom emails going through the same email server.

If there’s a theme here it’s laziness. The email was easily flagged as spam and contained so little personal information I doubt the sender even had a full database dump.

The saddest part though is the tracking pixel. The email was sent as base64-encoded text. Decoding base64 text is trivial — otherwise we wouldn’t be able to even read the email — but the resulting HTML is the most telling aspect.

A tracking pixel is an image linked from an HTML email (traditionally a 1×1 pixel image, hence the name) containing a secret identifier linking the sender to the individual reading the email. This is used in advertising all the time to determine if someone opened an email. The HTML in this ransom request did not contain a tracking pixel; not even a fake one. Would a lazy scammer bother? Apparently not. Gmail’s web interface blocks all images from loading if an email is marked as spam so it’s a moot point here anyway.
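As an added example (not part of the original post), here is a small Python script that does the kind of header and body triage described above: it walks the Received chain for the relay host, its IP and whether the hop used TLS, undoes the base64 transfer encoding, and lists any remote image tags that look like tracking pixels. The sample message, hosts, IPs and IDs are all constructed, and “hunter2” stands in for the leaked password.

```python
import base64
import re
from email import message_from_bytes, policy


def build_sample(html: str, relay_host: str = "mail.relay.invalid") -> bytes:
    """Constructed raw message shaped like the one in the post: an HTML body
    sent as base64 text through a relay. Hosts, IPs and IDs are made up."""
    body = base64.b64encode(html.encode()).decode()
    headers = (
        f"Received: from {relay_host} ([203.0.113.7]) by mx.example.net"
        " with ESMTP id abc123; Mon, 1 Jan 2018 00:00:00 +0000\r\n"
        "From: 196.181.140.173\r\n"  # bare IP as sender, as in the post
        "To: victim@example.net\r\n"
        "Subject: Password - hunter2\r\n"  # 'hunter2' stands in for the leaked password
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
    )
    return headers.encode() + body.encode()


def analyze(raw: bytes) -> dict:
    """Pull the relay chain from the Received headers, undo the base64
    transfer encoding, and list remote <img> tags (tracking-pixel candidates)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = []
    for rcvd in msg.get_all("Received", []):  # first header = last hop
        v = str(rcvd)
        host = re.search(r"from\s+(\S+)", v)
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", v)
        hops.append({
            "host": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            # 'with ESMTPS' means the hop used TLS; plain 'ESMTP' did not
            "tls": bool(re.search(r"\bwith\s+E?SMTPS\b", v, re.I)),
        })
    html = msg.get_content()  # decodes base64 and the declared charset
    remote_images = []
    for tag in re.findall(r"<img\b[^>]*>", html, re.I):
        src = re.search(r"""src\s*=\s*["']?([^"'\s>]+)""", tag, re.I)
        w = re.search(r"""\bwidth\s*=\s*["']?(\d+)""", tag, re.I)
        h = re.search(r"""\bheight\s*=\s*["']?(\d+)""", tag, re.I)
        if src and src.group(1).lower().startswith(("http://", "https://")):
            tiny = bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)
            remote_images.append({"src": src.group(1), "tiny": tiny})
    return {"hops": hops, "remote_images": remote_images}


if __name__ == "__main__":
    pixel = '<img src="http://t.invalid/p.gif?id=abc" width="1" height="1">'
    print(analyze(build_sample("<p>one of your pass word.</p>" + pixel)))
```

Run it against a saved .eml by replacing the constructed message with the file's bytes; an empty remote_images list with a plain ESMTP hop is exactly what the post describes.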

Then again, why would a ransom request come through email at all?

Think about it — if someone really hacked your computer to demand a ransom, would they email you or lock you out of the computer until you paid? The latter is called ransomware and it does happen from time to time. Some people unfortunately (though understandably) do pay the ransom to restore access to their computer.

This lazy email is not ransomware; just an empty threat.
 

Summary

As technology gets easier it also becomes easier to abuse. A few takeaways:

  • Email security is important. Even if you reuse other passwords, the password to your email is the key to the kingdom. Email can remotely reset passwords to other websites.
  • Likewise, your computers/phones/devices should use a different password from your email. This is especially important if you use a cloud account (Google, Microsoft, Apple, etc.) to sign in to your devices.
  • On other websites your best bet is a password manager — and to only use that password manager on trusted devices. NEVER use your password manager on someone else’s computer.

Carl Sagan once said “Extraordinary claims require extraordinary evidence.” Isn’t a ransom claim extraordinary?

This scam is simply so lazy it’s embarrassing. That said, unless people learn their lesson, future ransom emails will only become more sophisticated.