Cybercrime experts in the United Arab Emirates are warning residents not to fall foul of threats and demands from online fraudsters who are using increasingly elaborate schemes to blackmail their victims out of money.
In a recently circulated email sent to people in the UAE, blackmailers have told victims that they have accessed their work emails and personal data and will circulate humiliating information about them to family, friends, and colleagues if they don’t pay a ransom fee.
In one, the emailer wrote: “Unfortunately, I have some unpleasant news for you. Roughly several months ago I have managed to get complete access to all devices that you use to browse the internet.
“One week after that, I proceeded with installing a Trojan virus in the Operating Systems of all your devices, which are used by you to log in to your email.
“Thanks to that software I can get access to all controllers inside your devices (such as your video camera, microphone, keyboard etc.) and I could easily download all your data, photos, web browsing history and other information to my servers.”
The conman continued to say he had obtained “embarrassing” data which he would publicly share unless his victim paid thousands of dirhams via Bitcoin transfer, and warned against going to the authorities to report the email.
“Do not attempt to call the police as well as other security services,” the scammer wrote.
“Moreover, don’t even think of sharing it with your friends. If I get to know about it (based on my skills, that would be very easy, since I have all your systems under my control and constant monitoring) – your (information) will become public without delay.”
Experts in the UAE said such cyber exploitation crimes are not new – but are rising.
Brian Chappell, chief security strategist at cyber security company BeyondTrust, told Al Arabiya English: “This has been a common scam for a very long time now and it’s not resurfacing, it never went away.
“We do see shifts in the types of phishing attacks as the attackers look for the more lucrative options and that may make it seem like the attackers have forgotten about you. You can be fairly certain that your details will make it to the top of their list again at some point.
“Because the scams are carefully designed to press the right buttons and people, for all we might like to think of ourselves as above the animal kingdom, are still subject to the stimulus/response cycle and doubly so when under stress.”
He said there are many different scams, which often play on a need for urgent action.
“Spear phishing attacks (a cybercrime in which scammers try to lure sensitive information or data from you) will lean on the hierarchy in most organizations to try to get someone to act immediately by pretending to be their CEO or similar.
“They almost certainly have either email examples from your organization or similar organizations, they will have the phrasing of emails to the point it may be hard to distinguish from a real email sent, in a hurry, from a mobile phone, by your CEO.”
Chappell said there are basic security protocols to follow when receiving any sort of email that appears suspicious.
“Don’t click on anything until you have verified it’s a legitimate email. Even if you are expecting an email or it seems relevant, spelling mistakes, older logos, and poor formatting are commonly used to weed out the more aware recipients. It’s rarely an accident; the criminals at the end of the email are smart and don’t want to waste time on people who are likely to ask questions and waste their time.
“Also, ideally, don’t have your email set to automatically display images in the email as this can be used to verify your email address is a legitimate address that has a person on the end of it – that alone has value to the sender as they can sell your email address as verified live.”
Sam Curry, chief security officer at Cybereason, said anyone who receives a suspicious email sent to their work account should immediately check with their IT or security department.
“There is normally a submission process to a team, to a sandbox or to a service. If you don’t have an IT team to contact, never open attachments in email from people you don’t know, don’t visit dubious websites, and if you receive an offer for a product or service via email that sounds too good to be true, it probably is.”
There are various tell-tale signs of a phishing email, said Curry.
“They can vary enormously because, ultimately, a human being is actively crafting and adapting the mail to fool you. However, you should never click on a link. Period.
“Nothing should ask for your approval, for money, for information at all, unless it’s part of an established process. For instance, if you have a bill approval application that sends you reminders with a link on a regular basis, that’s ok but less than ideal. The best is to just notify you and let you go to the website manually. Painful? Slightly. Safer? Very much so.”
Curry believes cyber crimes and online blackmail scams are rising.
“Overall, it’s hard to measure the rate, but all indications at the macro level are that they are rising, and the best of them are getting better,” he said.
“We are human beings: we want to help, want to do our duty, want to do the right thing, want to do our job. In fact, those are wonderful imperatives; but they are also exploitable. Even security experts get exploited. No one is immune, but we can all get better and make systems and process robust to minimize the chance and impact of email-based exploitation.”
Be cyber safe
Curry said in work settings employers should make sure their staff are trained to spot phishing emails.
“It might not seem obvious, but even seemingly harmless interaction and information can in fact cause harm, even if it’s just training the user to trust the source and style of interaction. Companies should aim for ‘zero click’ emails in their business processes, so they can say ‘never click’.”
Bahaa Hudairi, regional sales director for META at Lookout, a cloud security company, said this type of scam is both a growing problem and one that many are unprepared for.
“The potential harm to one’s reputation, job prospects, standing in the community and family relationships raises the stakes even higher. However, if you’ve fallen victim to this, report it immediately to the concerned department at your organisation.
“If you’ve received this on a personal level, report it to the police and regulating authorities. Also flag this to your internet service provider so that they take steps to block the individual from contacting you further.
“Internet scams are increasingly becoming common. No one is safe. The desire to explore and visit new websites, opening emails from unknown sources, and downloading items that are not legitimate often make people fall prey to such scams.”
The UAE takes crimes committed on the internet very seriously. In 2012 Federal Decree no 5 was issued to specifically address cyber crime.
When it comes to issues where an individual is making a threat in return for money, Article 16 of Federal Decree no 5 of 2012 states that the extortioner “shall be punished by imprisonment for a period of two years at most and a fine not less than Dh250,000 and not in excess of Dh500,000, or either of these two penalties.”