The hacker knew every move the unsuspecting victim made. He controlled her computer webcam and microphone. He could see her in her bedroom, hear her conversations, knew every keystroke she made online. And he threatened to expose her secrets unless she bowed to his demands.
It may sound like the plot for a scary teen movie, but it actually happened, and there wasn’t just one victim—there were more than 200, and dozens of them were adolescent girls.
Unlike many computer intrusions, where a hacker uses malicious software to steal identities or financial information, this case was primarily about spying and extortion—or as our Los Angeles cyber squad more aptly termed it, “sextortion.”
The hacker, a 31-year-old California man who was arrested in June after a two-year investigation, used malicious code to infect and control the computers of his victims. Then he searched for explicit pictures from their computers, downloaded them, and used the images in an attempt to extort more pictures and videos from them.
“What’s so frightening about this case was how easily the victims’ computers were compromised,” said Special Agent Jeff Kirkpatrick, one of our Los Angeles cyber investigators who worked the case.
After the hacker infected one computer, he used a popular social networking site—and a technique called “spear phishing”—to spread the virus. “It was a social engineering attack,” said Special Agent Tanith Rogers, co-investigator on the case. “The victims were tricked. They had no idea what had happened until it was too late.”
In several instances, the hacker posed online as a young woman’s friend or sister and sent messages with attachments asking if the victim wanted to see a scary video. Because the messages appeared to be from a trusted source, the victims usually didn’t think twice about opening the attachment. When they did, the virus secretly installed itself, and the hacker had total control over their computers—including all files and folders, webcams, and microphones.
Using similar spear phishing methods—posing as a friend or a trusted source—the hacker spread the virus through the social network like wildfire. In all, there were 230 victims and more than 100 computers impacted.
“And this guy was no computer genius,” Agent Kirkpatrick said. “Anybody could do what he did just by watching an online video and following the directions.”
Victims—particularly teenage girls—were understandably devastated when they learned their privacy had been so completely violated. Many were afraid to tell their parents about the situation.
“He was smart,” Agent Rogers said of the hacker. “He used their fear to try to control them.”
For example, the hacker attached a pornographic picture of one victim in an e-mail and demanded sexually explicit video of her in return for not telling her parents about the pictures he had downloaded from her computer.
“If he hadn’t attempted to contact the victims,” Agent Rogers said, “he could have done this forever and gone undetected—the victims would never have known he was listening and watching. That,” she added, “is one of the most disturbing things about this case.”
Don’t Let It Happen to You
Here are a few precautions that can keep you from being victimized by a social engineering attack:
- Don’t take for granted that your computer’s anti-virus software is a guarantee against intrusions.
- Turn off your computer when you aren’t using it. (The majority of computers involved in the sextortion case were laptops; many of the victims chatted on social networks so much that they never turned off their machines.)
- Cover your webcam when not in use.
- Don’t open attachments without independently verifying that they were sent from someone you know.
- It’s okay to be suspicious. If you receive a message with an attachment from your mother at 3 a.m., maybe the message is not really from your mother. “Most people are too trusting when it comes to their computers,” Agent Kirkpatrick said.
- If your computer has been compromised and you are receiving extortion threats, don’t be afraid to talk to your parents or to call law enforcement.
|Have Information on the Case?
The hacker in the sextortion case used a variety of screen names and e-mail addresses, which are listed below. If you have information regarding the case—there may be other victims—please contact your http://www.fbi.gov/contact-us/field or https://tips.fbi.gov/.