
Case Study: Webcam Extortion

Background

Approach

Our client, a middle-aged, married man, had struck up an online friendship with a young woman in her twenties. They met on a popular internet dating website that advertises “100% Secure Membership” and “Verified Profiles”. Our client was approached by this woman and after some small talk and a little flirting, he agreed to meet her in a private chat room. They seemed to hit it off from the start. She shared similar interests, was in the same line of work, was also married, and like our client, she had never tried this before.

Grooming

The relationship grew more intense with every online encounter, but remained (for the most part) non-sexually oriented. About a month into their virtual romance, the woman suggested that they chat via Skype, which they then did. At the time, our client thought little of the fact that this woman’s webcam video didn’t seem to sync with her conversation. She had mentioned the same thing about his webcam footage numerous times, and he assumed it was a technical issue. He did notice that she looked slightly different on Skype (compared to her profile picture) but never brought it up because he figured that her profile photo was probably taken a few years ago. Our client accepted this because he, too, had uploaded the most flattering picture he could find and that was at least 10 years old.

Compromise

After a handful of video chats over Skype, the two were, for all intents and purposes, having virtual sex. Our client was asked to perform a sexual act on himself, and he obliged. When he asked for reciprocation, warning bells went off. The woman disconnected almost immediately and never responded to any of his messages. He planned to create a new profile and contact her on the original dating site, but he wouldn’t need to because she made contact first. When he saw who the message was from he was relieved. But that relief soon turned to panic when he read what was written.

Shakedown

The woman had sent a few snapshots of our client’s sexually explicit video along with a demand for money (R5,000.00, which is around $360) and the threat of “serious repercussions” if that payment was not forthcoming. Our client was told that if payment was not made within 48 hours, those images and hundreds more like them would be sent to his wife and posted online. His wife’s email address and mobile number were included in that message, as was a complete list of all his Facebook friends.

Pay-Off

Our client is reasonably well-off, and could afford to pay the amount demanded. He realized that there was little he could do to prevent further demands down the line, but reckoned that if he didn’t make the payment, things would be worse for him. He absolutely could not allow images of himself engaged in sexual activity to be sent to his wife, friends, family and colleagues. Our client made the necessary payment in three transactions, using fund transfer services from Western Union, Shoprite and Spar. He sent the required PIN numbers and passwords by SMS to the number supplied and then waited. Hours and then days went by without even an acknowledgement of the payments. After a few weeks our client believed that the ordeal was over.

Escalation

A month to the day after receiving the first demand he received another. This time, though, it was sent to his work email and was first read by his secretary. Thankfully, the images that were pasted into the body of the email by the sender had been stripped by our client’s email software and were attached to the email instead. His secretary didn’t open the attachments because having read the first few lines of the email, she knew exactly what was attached. Our client’s secretary brought the email to his attention and suggested that he contact the police. The amount demanded was now R20,000.00 (about $1440) and as before he was given 48 hours to show proof of payment. Realizing that these demands were most likely going to continue – he decided to get help. He called his lawyer, who advised him to tell his wife the truth before opening a police case, and suggested that he should hire a private investigator too. His secretary got in touch with us and arranged a meeting.

Our Approach

[Figure: Our brainstormed plan of action]

Assessment

In all previous cyber-extortion cases we’ve worked, our client had engaged our services shortly after receiving a demand or threat, and in some cases before any attempted extortion took place. This was the first case we’d been involved in where the client had already met one demand for payment and was now being pressured to make a second, larger, payment. With the matter having progressed to such an advanced stage in the extortion, many vital windows of opportunity to target the perpetrators by means of their communications were gone. By the time we were contacted, all online accounts linked to the woman in question had been closed. The Skype account, two email addresses and one cell phone number were still in existence, but not answered. There wasn’t much to go on, and roughly 36 hours left until the second deadline.

Limitations

The time constraint created by the impending deadline meant that if we couldn’t get the deadline extended, we’d need to launch multiple efforts simultaneously, with very little planning or preparation, and with no simulation or dry runs. Our client had mentioned that during the period between the first demand and the first deadline, he had received a number of SMS messages from the blackmailer giving him specific instructions for payment. He had also sent a handful of messages back to clarify the instructions and then to confirm payment and provide the information the blackmailers would need to collect the funds on their end. This time, though, no SMS messages or further emails had been received. We advised our client to initiate contact and ask for more time. We proceeded with our efforts as planned, obviously hoping for an extension of the deadline, but assuming that it would not be possible.

Methods & Methodology

Although we’d love to share exactly what our strategy was, we cannot provide any specific details of our methods or methodology. The last thing we want to do is explain to criminals how they’re getting caught – we’d much rather show them by actually catching them. We know you’re not a cyber crook, but the next person to read this article may well be someone who’s searching the Internet for just that sort of information. We’re quite happy to share this information with law enforcement, other investigators and anyone involved in the fight against cyber crime.

Actors

There are many moving parts to this type of extortion and each needs to be identified, investigated and acted upon. First, there are the Actors. Although there is usually a fair amount of acting involved in luring a person into a bogus relationship, we’re not referring to actors as in movie stars or stage performers. Actors refers to all people and roles involved in the extortion. Some actors will be warm-blooded human beings and others may be virtual personas like the woman that our client fell victim to. We began with a few assumptions as to how many actual people were involved and what their roles might be, but at the end of our investigation we were able to identify the following actors. (We’ve used the nicknames that we gave these actors during our investigation, as they have not yet been tried in Court and are therefore presumed innocent.)

| Actor | Role | Approach |
|---|---|---|
| Delilah | Virtual persona created to lure and manipulate the victim | Chat and message logs; Online profiles; Reverse image search; Reverse video search; Reverse entity searches; IP addresses; Linguistic, tone and style analysis |
| Doug | Person playing the role of Delilah on the dating website. Situated in Benoni, Gauteng. | Digital fingerprinting; IP addresses; Chat and message logs; Linguistic, tone and style analysis |
| Bob | Person playing the role of Delilah on Skype. Situated in Shah Alam, Malaysia. | Digital fingerprinting; IP addresses; Chat and message logs; Linguistic, tone and style analysis |
| Stuart | Person coordinating the first payment via cellphone. Situated in Pietermaritzburg, KZN. | Cellphone reverse lookup; Geolocation data; Telephone toll records; Cell site analysis; Voicemail analysis; Voiceprinting |
| Kevin | Person who collected part of the first payment from Western Union. Situated in City Bowl, Cape Town. | CCTV footage (Western Union); CCTV footage (CCID); CCTV footage (SANRAL); Fingerprints |
| Dave | Person who collected payments made via Shoprite and Spar money transfers. Situated in Polokwane, Limpopo. | CCTV footage (Spar); CCTV footage (Shoprite); CCTV footage (ITS/CBD); Fingerprints |
| Clive | Person who drove Dave to Spar and Shoprite. Situated in Polokwane, Limpopo. | CCTV footage (ITS/CBD); Vehicle Licensing |

Interactions

Interactions covers all dealings between the actors involved and our client. This includes all SMS messages, online chats, Skype sessions, emails, social media and other communications. When investigating interactions, particularly electronic communications, we focus on many things, including:

  • The communication method or platform itself – to exploit any vulnerabilities that can enable the identification, location or monitoring of the target
  • The content of that communication – in other words, the literal message
  • The meaning of that communication – here we employ linguistic, statement and grammatical analysis to make certain judgements about the author and the likely meaning of the message
  • The frequency and volume of communications – to identify patterns, identify actors and make other determinations useful to understanding the dynamics of the target group.
  • Meta data – this is data about the data itself. It may include geotagging or other information useful to contextualizing communication data and identifying the origin of a message

| Platform | Interactions | Approach |
|---|---|---|
| Skype | 44 conversations; 489 messages out; 496 messages in | Skype chat logs; Skype video footage; Skype ID reverse lookup; IP addresses |
| Facebook | 2 conversations; 4 messages out; 4 messages in | Facebook chat logs; Facebook Hidden Data Search; Facebook ID reverse lookup; IP addresses |
| Email | 7 email messages; 4 messages out; 3 messages in | Email header analysis; Email address reverse lookup; IP addresses; Tracking beacons |
| Viber | 1 conversation; 2 messages out; 2 messages in | Viber hidden data search; Viber ID reverse lookup; Viber chat logs |
| SMS | 14 SMS messages; 9 messages out; 5 messages in | SMS chat logs; Cellphone reverse lookup; Geolocation data; Telephone toll records; Cell site analysis |
| Flirting | 79 conversations; 543 messages out; 602 messages in | Chat logs; Profile entity searches; IP addresses; Linguistic, tone and style analysis |
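
An added illustration of the email header analysis and message-origin metadata mentioned above; it is not the firm's method or code, and the message, hostnames, addresses and function names are constructed for this example. It separates the sending address recorded by the recipient's own mail server from older hops that the recipient cannot verify, and reads the sender's UTC offset from the Date header.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, not from the case: .example hosts, documentation-range IPs.
SAMPLE = """\
Received: from mx.victim-corp.example (mx.victim-corp.example [10.0.0.5])
\tby mail.victim-corp.example with ESMTP id A1; Tue, 03 May 2016 09:14:10 +0200
Received: from smtp.webmail.example (smtp.webmail.example [198.51.100.25])
\tby mx.victim-corp.example with ESMTPS id B2; Tue, 03 May 2016 09:14:08 +0200
Received: from [192.168.1.44] (unknown [203.0.113.77])
\tby smtp.webmail.example with ESMTPSA id C3; Tue, 03 May 2016 15:14:05 +0800
From: sender@webmail.example
To: client@victim-corp.example
Date: Tue, 03 May 2016 15:14:01 +0800

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_public(ip):
    """True for a valid IPv4 address outside private, loopback and link-local space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def received_hops(msg):
    """Parse Received headers into hops, oldest first (each relay prepends its own)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        info, _, stamp = value.rpartition(";")
        by = re.search(r"\bby\s+(\S+)", info)
        hops.append({"by": by.group(1).lower() if by else "",
                     "ips": [ip for ip in IP_RE.findall(info) if is_public(ip)],
                     "when": parsedate_to_datetime(stamp.strip())})
    return hops


def analyse(raw, own_domains):
    """Split what the recipient's own servers recorded from what older hops claim."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    verified = None
    for hop in reversed(hops):  # newest first: walk back through our own servers
        if not any(hop["by"] == d or hop["by"].endswith("." + d) for d in own_domains):
            break  # everything older was written by systems we do not control
        if hop["ips"]:
            verified = hop["ips"][-1]
    claimed = next((h["ips"][-1] for h in hops if h["ips"]), None)
    offset = parsedate_to_datetime(msg["Date"]).utcoffset()
    return {
        "verified_peer": verified,   # peer address logged by our own server
        "claimed_origin": claimed,   # oldest hop: a lead to corroborate, can be forged
        "timestamps_in_order": [h["when"] for h in hops] == sorted(h["when"] for h in hops),
        "sender_utc_offset_h": offset.total_seconds() / 3600,
    }
```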

Transactions

The transactions form a vital part of the evidence that would be used to prosecute the offenders. We utilized our local knowledge to choose payment methods that would give us the greatest chance of controlling the situation, gathering evidence and interdicting the person sent to collect payment. We relied heavily on the cooperation of the various payment transfer companies without whom we could not have succeeded in our mission.

| Method | Transaction | Approach |
|---|---|---|
| Shoprite Transfer | 1 payment R3,000.00 | Fingerprints; Transaction data; CCTV footage; Identifiers provided by payee |
| Spar Transfer | 1 payment R1,000.00 | Fingerprints; Transaction data; CCTV footage; Identifiers provided by payee |
| Western Union | 1 payment R1,000.00 | Fingerprints; Transaction data; CCTV footage; Identifiers provided by payee |

Outcome

Focus 1: Extending Deadline

Since our client had never actually spoken to his blackmailers, we were able to use an experienced hostage negotiator to engage directly with them to negotiate the terms of payment. Our objectives were:

1. to have the negotiation take as long as possible – giving us more time to establish where the blackmailers were located and to learn as much as possible about them.
2. to have the deadline extended as much as possible – giving us more time to investigate what had already transpired as well as allowing us to better plan and prepare for our next moves.
3. to have the amount paid in as many installments as possible – giving us more opportunities to gather evidence about the person collecting the payments and identify patterns in behaviour that could be exploited to predict their next moves.

The negotiation was a major win. Short of the negotiator talking the blackmailers into abandoning the extortion, we couldn’t have hoped for a better outcome to negotiations:

1. The amount demanded was reduced from R20,000.00 to R12,000.00.
2. The deadline was extended from 48 hours to 6 weeks (1008 hours) [in fact, the original deadline had already passed by the time agreement was reached]
3. The R12,000.00 would be paid in 12 installments (2 per week, on a Tuesday morning 10am and Thursday afternoon 2pm – these times were chosen for a reason which we’ll deal with later)
4. The negotiations were stretched across 72 hours and yielded vital information, including the approximate location of two of the blackmailers and an additional cellphone number that could be linked to other criminal activity.

Focus 2: Damage Limitation

We obviously cannot guarantee our client that the blackmailers will be caught or that they won’t decide to publish the embarrassing footage of him anyway. We advised our client to hope for the best, but plan for the worst. He needed to tell his wife, and he needed to take steps to minimize the damage to his reputation and relationships in the event that the blackmailers released the footage in question. This wasn’t an easy task for our client, but he understood that it had to be done. Once his wife had been told, we took steps to reduce his online footprint. All social media accounts and online profiles were backed up or downloaded and then closed. We did the same with his wife’s account, but not before she bravely contacted their family, friends and other online contacts to notify them of this situation.

They were advised that a friend of theirs had been blackmailed by someone and in the process, photos of their friend had been sent to them. At the time they were unaware of the situation and didn’t realize that in opening the photos on their computer they’d inadvertently infected their computer with spyware. Our client’s wife explained that the spyware had been running on their computer for months without them knowing, and that whoever was behind this had discovered some very private footage that the couple had made for one another while they were apart. The person was now demanding that they pay a ransom to prevent the footage from being spread to their friends and family. Our client’s wife was hoping to prevent any one of their friends from making the same mistake and having to go through this ordeal too. They were asked to delete any attachments or files sent to them by an unknown sender.

To further dissuade anyone from viewing the video or images, should they be released, we sourced and forwarded articles daily that highlighted the risks involved in opening media files (e.g. the deployment of malware and ransomware that is embedded in videos and photos), the threats of identity theft and other cyber crime, and anything else that would make a person think twice before opening an attachment. We were standing by to act immediately if such a release was ever to materialize, and would have had the offending imagery removed from any feeds or publicly accessible pages relatively quickly. No release occurred and no damage was done to our client’s reputation in the eyes of his family and friends. Our client’s wife, though upset and feeling betrayed, was instrumental in selling the deception and has been supportive of our client.

Focus 3: Criminal Investigation

We accompanied our client and his attorney to the police station to open a criminal case. At first the police were reluctant to open a case, but after discussions with the Detective Branch commander they agreed to open a docket and investigate. We then made contact with the investigating officer assigned to the case and arranged a meeting so that we could provide him with all the information we had in our possession and to discuss a working arrangement that would serve the interests of justice.

Many of our investigators were once police detectives, and as such, they are intimately familiar with applicable law, standing orders and operating procedures. They also understand the conditions, frustrations and challenges faced by police detectives on a daily basis. This enables us to assist police detectives without any unnecessary duplication of work, and without compromising the integrity of the State’s investigation.

The investigating officer in this case was inexperienced but not out of his depth. What he lacked in experience he more than made up for with smarts and dedication, but because the case involved suspects in various jurisdictions who were most likely involved in other crimes, the investigation was first transferred to a specialized unit dealing with eCrime at regional level and then national level. Our contact with police investigators was confined to email and telephone and our role limited to intelligence gathering and reporting.

Focus 4: Covert Action

Dirty tricks are where we excel. These activities involve the use of deception, psychological manipulation, social engineering, information warfare, infiltration and other covert operations designed to influence the actions or attitude of our adversary or the outcome of a situation. As previously mentioned, we’d really love to tell you all about our tactics, methods and sources, but we can’t. I’m sure at some stage, these things will become public knowledge and we’ll write about them, but for now it would be foolish. What we can say is that our dirty tricks enabled us:

1. to successfully deploy rudimentary tracking software to the blackmailer’s email account – enabling us to obtain their external/public IP addresses, which in turn allowed police to identify and locate two suspects.
2. to force the blackmailers to change their method of operation and send the same person to the same location a second time on the same day, where he was arrested.
3. to target the blackmailer’s voicemail account and gain access to their saved voicemail messages, which provided valuable information regarding the identities and contact numbers of others involved in or victims of extortion.