A new extortion scam is exploiting the publicity around the recent Pegasus iOS spyware attacks to pressure victims into paying a blackmail demand.
Last month, Amnesty International and the non-profit project Forbidden Stories disclosed that the Pegasus spyware had been installed on fully updated iPhones via a zero-day, zero-click iMessage vulnerability.
A zero-click vulnerability is a flaw that can be exploited on a device without any interaction from the user. For instance, a zero-click exploit could compromise a device simply because the user visited a website or received a message.
Governments are believed to have employed this spyware to eavesdrop on politicians, journalists, human rights activists, and corporate leaders worldwide.
This week, a threat actor began emailing users, informing them that their iPhone had been compromised through a zero-click vulnerability that allowed the Pegasus spyware to be installed.
According to the email, Pegasus has tracked the recipient's activity and captured recordings of them at "the most private moments" of their lives, and the threat actor will send the recordings to the recipient's family, friends, and business partners unless a 0.035 bitcoin (roughly $1,600) payment is made.
The full text of the email stated:
"Hi there
Hello,
I'm going to share important information with you.
Have you heard about Pegasus?
You have become a collateral victim. It's very important that you read the information below.
Your phone was penetrated with a “zero-click” attack, meaning you didn't even need to click on a malicious link for your phone to be infected.
Pegasus is a malware that infects iPhones and Android devices and enables operators of the tool to extract messages, photos, and emails,
record calls and secretly activate cameras or microphones and read the contents of encrypted messaging apps such as WhatsApp, Facebook, Telegram, and Signal.
Basically, it can spy on every aspect of your life. That's precisely what it did.
I am a blackhat hacker and do this for a living. Unfortunately, you are my victim. Please read on.
As you understand, I have used the malware capabilities to spy on you and harvested data of your private life.
My only goal is to make money and I have perfect leverage for this.
As you can imagine in your worst dream, I have videos of you exposed during the most private moments of your life when you are not expecting it.
I personally have no interest in them, but there are public websites that have perverts loving that content.
As I said, I only do this to make money and not trying to destroy your life. But if necessary, I will publish the videos. If this is not enough for you, I will make sure your contacts, friends, business associates and everybody you know sees those videos as well.
Here is the deal. I will delete the files after I receive 0.035 Bitcoin (about 1600 US Dollars).
You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7
I will also clear your device from malware, and you keep living your life.
Otherwise, shit will happen.
The fee is non-negotiable, to be transferred within 2 business days.
Obviously do not try to ask for any help from anybody unless you want your privacy to be violated.
I will monitor your every move until I get paid. If you keep your end of the agreement, you won't hear from me ever again.
Take care."
At the time of writing, the bitcoin address in the sample email seen by BleepingComputer has not received any payments. However, other bitcoin addresses may be used in this scam. One might assume that no one would fall for this swindle, yet similar campaigns in the past have collected over $50,000 in a week.
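Mail filters can catch this extortion template from the traits described above (the spyware name-drop, the "zero-click" claim, a threat to publish recordings, a BTC amount, a payment address and a short deadline). The following scorer is an added example, not code from the article or from BleepingComputer; the indicator weights and the flagging threshold are assumptions, and the sample messages are constructed from the text above.

```python
import re

# Heuristic indicators for the Pegasus-themed extortion email. Weights and the
# threshold (5) are assumptions chosen so that merely mentioning Pegasus or
# zero-click in a news digest does not trigger, while the scam template does.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}"   # bech32 (bc1...)
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"                 # legacy base58
)
INDICATORS = {
    "spyware_name":      (re.compile(r"\bpegasus\b", re.I), 2),
    "zero_click":        (re.compile(r"zero[\s-]?click", re.I), 2),
    "threat_to_publish": (re.compile(r"\b(publish|expose|send)\b.*\b(videos?|recordings?)\b", re.I), 2),
    "btc_amount":        (re.compile(r"\b\d+(?:\.\d+)?\s*(?:bitcoin|btc)\b", re.I), 1),
    "deadline":          (re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?|business days?)\b", re.I), 1),
    "silence_demand":    (re.compile(r"do not (?:try to )?(?:ask for|seek) (?:any )?help", re.I), 1),
    "btc_address":       (BTC_ADDRESS, 3),
}
FLAG_THRESHOLD = 5  # assumption

def score_extortion(body: str) -> dict:
    """Score an email body; return hits, score, extracted BTC addresses, flag."""
    hits = {name: bool(rx.search(body)) for name, (rx, _) in INDICATORS.items()}
    score = sum(weight for name, (_, weight) in INDICATORS.items() if hits[name])
    # Addresses are worth extracting on their own: a SOC can watch them for payments.
    addresses = BTC_ADDRESS.findall(body)
    return {"score": score, "hits": hits, "addresses": addresses,
            "flag": score >= FLAG_THRESHOLD}

# Constructed samples: an excerpt modelled on the scam email, and a benign news digest.
SCAM_SAMPLE = """Have you heard about Pegasus?
Your phone was penetrated with a "zero-click" attack.
If necessary, I will publish the videos.
I will delete the files after I receive 0.035 Bitcoin.
You need to send that amount here bc1q7g8ny0p95pkuag0gay2lyl3m0emk65v5ug9uy7
The fee is non-negotiable, to be transferred within 2 business days.
Obviously do not try to ask for any help from anybody."""

BENIGN_SAMPLE = """Weekly digest: Amnesty International reported that Pegasus was
installed on updated iPhones via a zero-click iMessage exploit. Read the analysis."""

if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = score_extortion(body)
        print(label, result["score"], result["flag"], result["addresses"])
```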