Cisco Router Sextortion Scam
Here is a sample of a ransom email I received, like ones that have been reported to be by others. This one has been called the Cisco Router Sextortion Scam. This one seems to have better grammar then past ones. The details don’t make any sense. The only thing in the email that would cause someone to be alarmed is the password. The password they gave me was a throw away password I use for stuff I don’t care about, so one of those sites must have been compromised. This is why it is important to have a different email for all of your accounts. It makes it easy to see what site or app was compromised. Also sign up for multi-factor authentication to prevent hackers from gaining access to your critical accounts.
The email that sent the scam looks to be spoofed. The hackers use bitcoin for payments and bitcoin uses a public ledger which can give us some information. I looked up the Bitcoin wallet to find it is listed as Scam Alert. Take a look at the transaction history and I found that some people are actually paying the hacker. Looks like some are getting off for much less than the asking price. One person paid 0.00195013 BTC which is about $10 US and one person paid 0.15 BTC which is about $775 US. I feel bad for the guy who paid the full price ransom.
It lists the last transaction IP that goes back to DataWeb Global Group B.V. that seems to be a cloud service provider in the Netherlands, however their website was in Russian. No doubt a site they host is hacked and a launching point for this hacker.
I like that the hacker had some good advice about keeping your antivirus up-to-date. I am surprised he didn’t try to send us a link to download malware pretending to be antivirus!
I would like to thank our scammer for sending me an example. ;-)
Here it is:
Sent: Saturday, April 27, 2019 2:25 AM
Subject: Important information about your account: firstname.lastname@example.org
This is important information for you!
Some months ago I hacked your OS and got full access to your account email@example.com
On day of hack your account firstname.lastname@example.org has password: wombat
So, you can change the password, yes.. Or already changed... But my malware intercepts it every time.
How I made it:
In the software of the router, through which you went online, was a vulnerability. I used it...
If you interested you can read about it: CVE-2019-1663 - a vulnerability in the web-based management interface of the Cisco routers.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
After that, I made a full backup of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $765 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!
Pay ONLY in Bitcoins!
My BTC wallet: 1LH6PhEPTpz5CV4BuWFhW21b6DAiHzFPMC
You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy
For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.
After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts
will receive a screenshots with your "enjoys".
I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.
P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
This is the word of honor hacker
I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.
Do not hold evil! I just good do my job.