Almost two years ago, Black Mirror, a British science fiction television series, telecast Shut Up and Dance, the third episode of its third season. In the story, the protagonist Kenny, a teenager, is blackmailed into committing criminal acts by unknown online enemies who possess a video of him masturbating to porn on his computer. As the sinister plot unfolds, Kenny realises he is not the only victim of the blackmailers.
In India, going by complaints made with the cyber cells of police departments in several states, anonymous blackmailers operating in a similar fashion have targeted at least 13 people between January 1 and August 4. The complaints have come from states like Delhi, Maharashtra, Jharkhand, Madhya Pradesh, Uttar Pradesh and Uttarakhand. Senior police officials say these complaints are probably just the tip of the iceberg, as in most cases the victims prefer to approach discreet private cyber security consultants for help.
Initially, there was some scepticism even among security agencies that such threats could be part of an elaborate hoax designed to con people into thinking that they might have been filmed watching porn. But in at least one case examined by the police, the blackmailer had uploaded a video and the investigators suspected that the video was acquired by planting a malware in the victim’s computer.
According to the police, several complainants have urged them to intervene without filing a First Information Report as that would later materialise into a case, which has to be pursued in court. A senior police officer said this is because the victims – on account of embarrassment or shame – do not want their families to get even the slightest inkling of the online activity they believe they are being blackmailed about.
In an email to Scroll.in, a woman who identified herself as lesbian, said that she believed that such blackmailers were particularly targeting members of the vulnerable lesbian-gay-bisexual-transgender-transsexual-queer community.
Ransom demands
Of the 13 complaints known to have been made before the police so far, 12 have been filed by men. The complainants are aged between 18 and 45 years.
According to police officials who requested anonymity, in some instances, the complainants have said that their sexually explicit video chats had been recorded by blackmailers with the help of a malware – a program developed to disrupt, damage or help gain unauthorised access to someone’s computer system. A few complainants have said that their blackmailers had remotely activated their webcams and had recorded them masturbating. Other complaints say that the anonymous perpetrators scanned their computers looking for pornographic content – including videos that victims might have recorded of themselves having sex – and saved the files.
All victims have received emails in which a demand has been made for payment via bitcoins. The amounts range between $200 and $1,900. The stress on the cryptocurrency is to prevent security agencies from tracing the transactions, police officials said.
Targeting the vulnerable
A researcher in Delhi, who identifies as gay, received one such email on June 27. The sender disclosed the victim’s email password, which was correct, and asked him for $1,400 in bitcoins as payment for not releasing to his list of email contacts a video of him masturbating. The email, which Scroll.in has seen, says that the sender had hacked into the recipient’s computer via malware sent through a link on a porn website that the recipient had allegedly visited. The email says that once embedded within the computer, the malware helped the sender access the recipient’s webcam through which he was recorded in the act.
The researcher did not approach the police or respond to the email as he was confident that his computer’s security had not been compromised.
Others were perhaps not as confident.
According to the police complaints, one of the blackmail victims was engaged in an extramarital affair and also participated in sexually explicit chats on the internet with another woman. Another victim, a young corporate executive, had indulged in a sexually explicit chat with a woman from a conservative family and was worried that all hell would break loose if this got out. “In other cases, it was mostly fear of being judged in a closed society like ours,” the police official said.
‘Believable threat’
Vineet Kumar, founder of Cyber Peace Foundation, a grassroots level organisation which helps several security agencies in research and training related to cyber security, said that the email threat was quite believable. “The process which the hacker has elaborated on makes sense,” he said. “But there are ways to protect oneself which include reliance on good anti-virus and firewalls, maintaining utmost privacy on social media applications, going for genuine operating systems and regularly updating them and, most importantly, never clicking on any link sent through any dubious website or email.”
Referring to the fact that several such emails received by people worldwide have included the victim’s current or old email password, possibly in order to convince people that the threat was real, cyber security expert and journalist Brian Krebs said in a post on his website: “My guess is that the perpetrator has created some kind of script that draws directly from the usernames and passwords from a given data breach at a popular Web site that happened more than a decade ago, and that every victim who had their password compromised as part of that breach is getting this same email at the address used to sign up at that hacked Web site.”
Passwords can also be accessed via malware.
According to Kislay Chaudhary, another cyber security expert who is a consultant with several government agencies, once malware is planted, it is possible for the hacker to access anything, including passwords of which the malware creates a mirror image in the hacker’s computer. “It is a variation of the ransomware phenomenon in which the hacker, instead of encrypting the files of the target computer, blackmails the victim through other means,” said Chaudhary. “The style of operation is the same – mass plantation of malware links and then waiting for victims.”
Interpol, a network of police forces from 190 countries all over the world, categorises this kind of blackmail as “sextortion”. “Sextortion is defined as blackmail in which sexual information or images are used to extort sexual favours and/or money from the victim,” Interpol says on its website. “This online blackmail is often conducted by sophisticated organised criminal networks operating out of business-like locations similar to call centres.” The term can refer to conventional honey-trapping (for instance, where people are enticed to expose themselves online or offline and then blackmailed), as well as to extortion in connection with sexual information obtained through the installation of malware.
Vulnerable communities?
The woman who wrote to Scroll.in expressing concern that members of the LGBTQ community were being targeted by such hackers, said three of her friends had been victims of the scam. She added that she believed members of the LGBTQ community were particularly vulnerable to being scammed because “most LGBTQ individuals take to digital platforms to network and connect with similar-minded people” and because the law in India still defines intercourse between homosexual couples as an unnatural act which is punishable with imprisonment that can extend up to 10 years.
She did not respond to emails asking for further details.
The Delhi researcher explained how members of the LGBTQ community could be vulnerable to being blackmailed online. He said that some members participate in closed social networks online to meet other members of the community. Sometimes, people infiltrate such networks, using a fake profile. Though such fake profiles are usually caught out, there is always the possibility that someone with a fake profile could successfully enter the closed network and gain access to details about some members, which could then be used to blackmail them.
“However, I myself, have not noticed any trend of individuals belonging to the LGBTQ community being specifically targeted,” said the researcher.
Asked if individuals belonging to vulnerable groups were specifically being targeted by such hackers, a senior police official said it was difficult to say. “They [the complainants] simply request us to remove the [uploaded] content and not pursue a case, which can be done without digging into such sensitive private details,” one police officer said.
To negotiate or not to negotiate
Demands for ransom in cryptocurrency gained massive attention worldwide during the WannaCry ransomware attacks last year during which several companies and people were blocked from accessing their computer systems until they paid a ransom to the hacker.
The latest scheme to demand ransom apparently spread worldwide within two years of it first being reported, with each version taking on a more sophisticated form than the last.
Around the time when Shut Up and Dance premiered on Netflix in 2016, BBC had published an investigative report called the Skype Sex Scam. In this online scam, victims were enticed to befriend people they thought to be young women, via the internet. They were later entrapped into indulging in sexual acts in front of their webcams, and subsequently blackmailed with the footage. There was no malware involved here, and shame at being exposed was the key then, as now. The BBC documented several victims of this scam from across the globe and even traced its perpetrators, most of whom were unemployed men in Morocco.
By late 2017, emails similar to that received by the Delhi-based researcher had surfaced online. They seemed to follow a template. The common factors were: a reference to malware sent through porn websites that gave the hacker access to the victim’s computer, a threat that the hackers had recorded masturbation videos via webcam, and then a demand for ransom in bitcoin. The differences are: the ransom amount, the tone of the letter – which apparently turned sombre with time – and the bitcoin address.
By early this year, authorities in Western countries were advising victims not to negotiate with the perpetrators. Like in phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords – the perpetrators of sextortion could indeed be bluffing, it was suggested, and targeting several thousands of people in the hope that at least some will pay up.
But cyber crime consultant Kislay Chaudhary said he is privy to one instance in which the victim’s video was uploaded by the hacker for refusing to pay up. The video was later taken down, and was uploaded again only to be taken down again. “But these are all band-aid type solutions,” he said. There has to be more awareness about cyber hygiene and it is high time for the government to take it up.”