
"I am hacker NSO Group," New Email Scam Leverages Controversial Pegasus Malware


For many years, email scams have circulated suggesting that some remote hacker has installed software on your computer, and has been monitoring your activity, some of which may shame you. In exchange for not exposing you, they ask for payment; some of them say they have photos and videos of you – because the hacker has control of your computer’s camera – and that they will share these with your friends and family.

In one version of the scam, hackers pretended to be from the CIA, and said that there was a case against you for "Distribution and storage of pornographic electronic materials involving underage children."

There’s a new one making the rounds, and I received an email a few days ago. The subject line is innocuous; it could be real, or could be a common spam subject line:

Updates: Payment from your account (990-6696706-1853781)

The email says that:

Tհе U.S. íѕ оḟḟеᴦἰɴɡ սρ tο $10 ᴍἱllἱᴏᴨ ḟοг ìԁеɴtíḟуἱɴɡ уоս ἰɴ а ᴄуbегϲгíᴍìɴаl ɡᴦоսр οрегɑtìσᴨ, ìɴсlսďìᴨɡ $5 ᴍἱllἰσᴨ lеаԁἱᴨɡ tо tհе ɑгᴦеѕt οḟ аḟḟìlἰɑtеѕ.

Those strange characters in the excerpt above are not mistakes; they are homoglyphs: characters that look similar to standard Latin alphabet characters but are not. Some of them are accented characters; others are Unicode characters used in non-Western languages. The purpose of these is to evade spam filters.
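The evasion described above, as an added example that is not code from the original article: a keyword filter misses a homoglyph-substituted phrase, while a per-word mixed-script check flags it. The sample strings are constructed to mimic the excerpt, and taking a letter's script from the first word of its Unicode name is a simplifying assumption.

```python
import re
import unicodedata

WORD = re.compile(r"[^\W\d_]+")  # runs of Unicode letters (no digits or "_")

def script_of(ch):
    """Approximate a letter's script by the first word of its Unicode name
    (an assumption; a production check would use the Unicode Script property)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def mixed_script_tokens(text):
    """Return (word, scripts) for every word whose letters span several scripts."""
    hits = []
    for word in WORD.findall(text):
        scripts = sorted({script_of(c) for c in word})
        if len(scripts) > 1:
            hits.append((word, scripts))
    return hits

def homoglyph_score(text):
    """Fraction of words that mix scripts; single-script text scores 0."""
    words = WORD.findall(text)
    return len(mixed_script_tokens(text)) / len(words) if words else 0.0

def naive_keyword_hit(text, keywords=("offering", "million")):
    """Keyword filter after NFKC + casefold; neither step folds a Cyrillic
    or Armenian lookalike back to its Latin twin."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return any(k in folded for k in keywords)

# Constructed samples (escape sequences keep the code points unambiguous).
CLEAN = "The U.S. is offering up to $10 million"
SPAM = ("T\u0570\u0435 U.S. \u00ed\u0455 \u043e\u1e1f\u1e1f\u0435ring "
        "up to $10 m\u0456lli\u043en")
RUSSIAN = "\u041f\u0440\u0438\u0432\u0435\u0442 from Moscow"  # genuine Cyrillic word

if __name__ == "__main__":
    for label, msg in (("clean", CLEAN), ("spam", SPAM), ("russian", RUSSIAN)):
        print(label, "keyword hit:", naive_keyword_hit(msg),
              "mixed-script score:", homoglyph_score(msg))
        for word, scripts in mixed_script_tokens(msg):
            print("   ", ascii(word), scripts)
```

A word written entirely in one non-Latin script is not flagged, so genuine foreign-language mail does not raise the score; only words that splice scripts together do.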

What stands out in this email is that the hacker, in order to present his bona fides, says he is part of the NSO Group, now well known because of the Pegasus spyware that has targeted politicians, wealthy people, activists, and journalists. We’ve talked about Pegasus extensively here, and Apple has recently launched a lawsuit against the NSO Group. Since this is in the press, seeing the name "NSO Group" could convince people that these emails are serious; they are not.

Most of these scam emails ask for reasonable sums of money. If you believe that it’s possible that someone has planted malware on your computer, and you have, perhaps, committed some acts that might not be legal, then you could be convinced to send someone a few thousand dollars, assuming you know how to make a transaction with Bitcoin, which is unlikely to be the case.

But this email asks for much more:

Yσս tгаɴѕḟеᴦ 50% (Fἰḟtу Pегᴄеᴨt) ᴏḟ уᴏսᴦ ḟᴦɑսԁ ἰllеɡаl ᴍᴏᴨеу tᴏ ᴍе (ἱɴ bítсᴏἱɴ еԛսἱνаlеɴt аᴄсσᴦԁíᴨɡ tο tһе ехсһɑᴨɡе ᴦаtе ɑt tһе ᴍοᴍеɴt ᴏḟ ḟսɴďѕ tгаɴѕḟеᴦ), аᴨď ᴏɴсе tһе tгɑᴨѕḟеᴦ ἰѕ геᴄеἱνеԁ, I ɯἱll ԁеlеtе ɑll tհíѕ ďаtɑ ᴦἱɡһt аɯɑу.

Naturally, I can trust the scammer:

I аlѕο рᴦοᴍἰѕе tо ďеаᴄtìνаtе аᴨԁ ԁеlеtе аll tһе հагᴍḟսl ѕσḟtшɑᴦе ḟгоᴍ уοսг ԁеѵἱϲеѕ. Tгսѕt ᴍе. I ᴋееρ ᴍу աᴏгď.

And I don’t have long before I am exposed:

Yоս һаνе lеѕѕ tһɑɴ 48 һσսгѕ ḟᴦᴏᴍ tհе ᴍσᴍеɴt уᴏս σρеᴨеԁ tһἱѕ еᴍаἱl (рᴦеϲíѕеlу tшᴏ ԁауѕ).

In every email like this, there is a Bitcoin wallet address; that’s the only way that money could be transferred. This is anonymous, but since Bitcoin transfers are all public, you can check to see if any money has been paid to this address. In this case, not one cent, or not one sliver of a Bitcoin, has been paid into this account.

Another thing you can do is check if a Bitcoin address has been reported for abuse. The address in my email has had 18 reports since November 28, all of them referencing this sort of scam. Interestingly, one report mentioned a demand of only $1,849, another a demand of one Bitcoin (about $51,000), and another $30,000. Some of the reports talk about sextortion (someone threatening to expose sexual activities), others ransomware, and others blackmail, which is the case in my email.

In any case, this is just another scam, but referencing the NSO Group is an interesting way to attempt to sound legitimate, given the notoriety of this group in recent times.

Don’t worry about these emails; they are all attempting to leverage fear. But do check the points we mention in this article about a similar email scam, and check out the video at the beginning of the article, which takes a deep dive into this type of scam.



About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.