Porn-blackmail emails have already extorted nearly $1 million
(Chinese translation for Fortune China by 严匡正, Yan Kuangzheng; the English original follows.)
It was after midnight when Oren Falkowitz received the frantic text messages. A client was asking him to help a friend, a shareholder in a Silicon Valley company set to go public, who had received a very frightening email. “They said they have videos of him looking at porn through his webcam,” the client wrote, adding that the senders had targeted his friend in a crafty blackmail scheme. Falkowitz, who runs an anti-phishing company called Area 1, had some useful advice: “It’s fake. Tell him to delete [the email] and go to sleep.”

Crisis resolved. Unfortunately, thousands of others have fallen prey to the same email scam, which instructs victims to send Bitcoin or else see intimate photos from their webcam, and screenshots of the porn they watched, sent to all of their contacts.

The blackmail scheme has become the latest example that crime sometimes pays. According to an investigation by Area 1, the scammers have sent millions of emails and earned $949,000 from the racket. The average payout is $593.56, or 0.073 Bitcoin at the exchange rate on the day this was written. Area 1 arrived at the figure by examining the Bitcoin blockchain, which contains a permanent public record of every transaction, including those sent to the digital wallet addresses tied to the crooks. The total therefore counts only payments that reached addresses Area 1 was able to attribute to the campaign; anything paid to addresses it did not identify is not in it.

The porn threats are one of three variations of email blackmail used by these criminals. The others threaten to destroy data on the victim’s computer, or to carry out physical violence at the victim’s workplace.

The scam has also been going on for a while. As my colleague Robert Hackett explained last August, it has proved effective at frightening people because the scammers include a real password the victim has used in the past:

[You should] check to see whether any accounts tied to that password appear in Have I Been Pwned, a searchable database that identifies what personal information of yours may have leaked as a result of various online breaches. If any accounts that once used that password pop up, then the extortionist likely scraped all of the information from one of these data dumps. Translation: The crook has not been monitoring your every keyboard touch, screenshot, and webcam image. Rather, the delinquent is bluffing, frightening unsuspecting victims into forking over cryptocurrency.

The current porn email scam, which one expert suggests is tied to a Moroccan marketing company, has also been successful because the blackmailers are good at evading the spam filters run by Microsoft and Google. According to Area 1’s report, one tactic they use to avoid detection is to paste lines from Shakespeare or Jane Austen into the email as invisible text. A content-based filter that scores every word in the body then sees mostly “good language,” an old trick sometimes called Bayesian poisoning, and lets the message land in the recipient’s inbox rather than blocking it.

Still, it’s not so much a technical loophole they’re exploiting as human failings they’re taking advantage of. Falkowitz argues that people will always fall prey to phishing, in part because humans are naturally curious. “Training employees doesn’t work,” he says. “They’re too subject to emotional responses in response to phrases like ‘account compromised.’” Instead, he adds, the best solution is anti-phishing technology designed to stop bad emails from getting through in the first place.

That’s one way to solve the problem, but it may not be the most economical approach. You can also invest in a webcam cover: the sliding stickers currently come in a six-pack from Amazon for $7.99, or just 0.00098 Bitcoin, for comparison’s sake.
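Hackett’s advice above is to search Have I Been Pwned for accounts tied to the password quoted in the email. A practitioner can also check the password itself against HIBP’s Pwned Passwords range API without sending the password anywhere: only the first five hex characters of its SHA-1 leave the machine, and the match is made locally against the list of hash suffixes that comes back. The Python below is an added example, not code from the article, from Hackett or from Area 1. The endpoint https://api.pwnedpasswords.com/range/{prefix}, the “SUFFIX:COUNT” response format and the Add-Padding header are the real API; SAMPLE_RANGE_5BAA6 is a constructed response (its counts and neighbouring suffixes are made up) so the logic runs offline, and USER_AGENT is an assumed client name.

```python
import hashlib
import urllib.request
from typing import Optional, Tuple

# Real Pwned Passwords range endpoint (not contacted by the offline sample below).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"
# Assumed client name; HIBP asks callers to send a descriptive User-Agent.
USER_AGENT = "example-sextortion-password-check"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case SHA-1 hex of the password, split into the 5-char prefix that
    is sent to HIBP and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response, one 'SUFFIX:COUNT' per line, and return the
    count for our suffix. A missing suffix, a padded entry (count 0, returned
    when Add-Padding is set) and a malformed count all mean 'not found'."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if not sep or cand.strip().upper() != suffix:
            continue
        try:
            return int(count.strip())
        except ValueError:
            return 0
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one hash-prefix bucket. Only the prefix leaves the
    machine; Add-Padding hides the bucket's true size from a network observer."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": USER_AGENT, "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in known breach dumps (0 = not seen).
    Pass range_body to check against a saved response instead of going online."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_body is None:
        range_body = fetch_range(prefix)
    return count_in_range(suffix, range_body)


# Constructed sample response for the 5BAA6 bucket: real format, made-up
# counts and made-up neighbouring suffixes, so the check can run offline.
# The last suffix is the real SHA-1 remainder of the word "password".
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8BC1E7A0B9C8D7E6F5A4B3C2D1E0:0
0119F8A1B7C2A9D2E0C1B2A3D4E5F60718A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


if __name__ == "__main__":
    # Offline demonstration against the constructed bucket above.
    print("password ->", password_breach_count("password", SAMPLE_RANGE_5BAA6))
```

Call password_breach_count with only the password to go online; the function fetches the bucket for the hash prefix and never transmits the full hash. A non-zero count confirms what Hackett describes: the password came from a public dump, not from anything running on the victim’s machine.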
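The filter-evasion trick described above, invisible lines of Austen or Shakespeare padding the message, only works on a filter that scores every word in the body. One countermeasure is to separate the text a recipient would actually see from text hidden by inline CSS or the HTML hidden attribute before scoring, and to treat a message that is mostly hidden prose as suspicious in its own right. The Python below is an added example of that split, not code from the article, from Area 1, or from Microsoft’s or Google’s filters. SAMPLE_EMAIL is a constructed message, the thresholds in hidden_padding_report are assumptions, and the parser recognises only inline-style and attribute hiding; it does not evaluate stylesheet rules, CSS classes or same-colour-as-background text, which a real gateway would also have to handle.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Elements that never close and must not push onto the visibility stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
# Elements whose text content is never rendered to the reader.
NON_RENDERED = {"script", "style", "head", "title"}

# Inline-style hiding patterns this example recognises. Class-based rules,
# <style> blocks and white-on-white colouring are NOT handled here.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)",
    re.IGNORECASE,
)


def _hides(attrs) -> bool:
    """True if this element's own attributes hide it."""
    a = dict(attrs)
    return "hidden" in a or bool(HIDING_STYLE.search(a.get("style") or ""))


class VisibilitySplitter(HTMLParser):
    """Collects text the recipient would see separately from text hidden by
    inline CSS or the 'hidden' attribute. Hiding is inherited by children."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: List[bool] = []      # True while inside a hidden element
        self.visible: List[str] = []
        self.hidden: List[str] = []
        self.non_rendered_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in NON_RENDERED:
            self.non_rendered_depth += 1
        if tag in VOID_TAGS:
            return
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or _hides(attrs))

    def handle_endtag(self, tag):
        if tag in NON_RENDERED and self.non_rendered_depth:
            self.non_rendered_depth -= 1
        if tag in VOID_TAGS:
            return
        if self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.non_rendered_depth:
            return
        text = data.strip()
        if text:
            bucket = self.hidden if (self.stack and self.stack[-1]) else self.visible
            bucket.append(text)


def split_visible_hidden(html: str) -> Tuple[str, str]:
    """Return (visible_text, hidden_text) for an HTML email body."""
    p = VisibilitySplitter()
    p.feed(html)
    p.close()
    return " ".join(p.visible), " ".join(p.hidden)


def word_count(text: str) -> int:
    return len(re.findall(r"[A-Za-z']+", text))


def hidden_padding_report(html: str, min_hidden_words: int = 20,
                          min_hidden_ratio: float = 0.5) -> Dict[str, object]:
    """Flag a message whose body is dominated by hidden prose. Both thresholds
    are assumptions for this example; a real gateway would tune them."""
    visible, hidden = split_visible_hidden(html)
    v, h = word_count(visible), word_count(hidden)
    ratio = h / (v + h) if (v + h) else 0.0
    return {"visible_words": v, "hidden_words": h, "hidden_ratio": round(ratio, 3),
            "flag": h >= min_hidden_words and ratio >= min_hidden_ratio}


# Constructed sextortion-style message: a short visible threat padded with
# Austen and Shakespeare that the reader never sees.
SAMPLE_EMAIL = """<html><body>
<p>I have a video of you from your webcam. Send 0.073 BTC to the address
below within 48 hours or it goes to every contact you have.</p>
<p>[bitcoin address]</p>
<div style="display:none">It is a truth universally acknowledged, that a single
man in possession of a good fortune, must be in want of a wife. However little
known the feelings or views of such a man may be on his first entering a
neighbourhood, this truth is so well fixed in the minds of the surrounding
families, that he is considered the rightful property of some one or other of
their daughters.</div>
<span style="font-size:0px">Shall I compare thee to a summer's day? Thou art
more lovely and more temperate.</span>
</body></html>"""


if __name__ == "__main__":
    print(hidden_padding_report(SAMPLE_EMAIL))
```

Scoring only the visible half removes the padding’s effect on a word-based classifier, and the hidden-word ratio is itself a useful feature: legitimate mail rarely carries more hidden prose than visible prose.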