You’ve probably heard of sextortion scams. A scammer sends the victim an email claiming their computer has been hacked and that they have been recorded while visiting porn sites, then blackmails the recipient. A string of sextortion phishing emails has been invading user inboxes for over six months now, telling users that their porn site visits have been discovered and that it is now going to cost them.
Phishing Attacks Play on Fear
Most successful phishing attacks play on a common theme – urgency. Common themes include urgent matters such as
- Your computer is infected with malware
- You have an unpaid invoice that is past due
- The IRS needs you to confirm your personal information
Urgency also translates into fear. An email from the IRS obviously makes your heart skip a beat. Sextortion phishing is all about fear, the fear that maybe that one time you accessed a site or picture that you shouldn’t have, even if by accident, has been exposed. The concept is that a hacker emails you and informs you that he has taken control of your computer and collected screenshots of your inappropriate internet behavior. He then threatens to inform all of your email and social media contacts unless you pay a bitcoin ransom.
The fear of some unknown malicious manipulator spreading damaging accusations to everyone you know, even if untrue, can be intimidating. The fear of having your reputation soiled probably exceeds the distress of financial loss, which is why this scam is a clever one.
Verbiage Alone is no Longer Enough
What makes these sextortion emails so convincing, and so dangerous, is the level of personalization involved. For instance, here is the opening of an actual sextortion email received in January of 2019 (the username has been changed to protect the recipient):
“Hello!
I have very bad news for you.
12/10/2018 - on this day I hacked your OS and got full access to your account john.smith@gmail.com
So, you can change the password, yes... But my malware intercepts it every time.
How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).”
The inclusion of the user’s email address at the very beginning could lead the targeted victim to believe that this email was written specifically for them. Another prevalent approach being used is:
“Hello!
I'm a hacker who cracked your email and device a few months ago.
You entered a password on one of the sites you visited, and I intercepted it.
This is your password from [user's email] on moment of hack: [user's password]”
While so many phishing emails are created with the sole intention of stealing a user’s password through some type of trickery, this email leads with the user’s password. Chances are, it’s an old password, hopefully one that you don’t use any longer. Hackers now buy, sell and trade user login credentials on the dark web.
Many of the passwords used in these attacks came from a LinkedIn breach years ago. Stolen passwords are a well-known way to get someone’s attention and add credibility to the scam. Users who normally wouldn’t spend more than a few seconds considering the legitimacy of such an email at least hesitate, or feel some uncertainty, when they see one of their old passwords displayed.
Spoofing the Email Address of the Targeted Victim
Another tactic of this new extortion wave is the practice of spoofing the email address of the targeted victim. This spoofing attempt is to make the user believe that the hacker has gone to the trouble of breaking into their account, thus adding credibility to the story. Some emails have stated:
“Do not try to contact me or find me, it is impossible, since I sent you an email from your account.”
If you look at the sender address of the email, it will display your own email address. At first glance it may seem that the sender has hacked your account to send the email. However, in the case of these scams, the scammer has simply forged the header of the email so that your email address appears as the sender. This is a technique known as “spoofing” and is not difficult to do: the From: header is just text the sender writes, and nothing in plain SMTP verifies it.
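As an added example (not part of the original article), here is a small Python triage script that checks a raw message for the forged-sender indicators described above: a From: address that equals the recipient's own address, a Return-Path (envelope sender) domain that does not match the From: domain, and the SPF, DKIM and DMARC verdicts that the receiving mail server records in its Authentication-Results header. Both sample messages, and every address and server name in them, are constructed for illustration; the script uses only the Python standard library.

```python
"""Triage a raw email for sender-spoofing indicators (constructed example).

Standard library only. The two sample messages below are made up: the
addresses, hosts and authentication results do not refer to real systems.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the "I sent this from your account" trick:
# the From: header carries the recipient's own address, but the envelope
# sender and the receiving server's Authentication-Results say otherwise.
SAMPLE_SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
    by mx.example.com with ESMTP id 1234; Tue, 15 Jan 2019 10:00:00 +0000
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=mail-relay.example.net;
    dkim=none;
    dmarc=fail header.from=example.com
From: "John Smith" <john.smith@example.com>
To: john.smith@example.com
Subject: I have very bad news for you
Content-Type: text/plain; charset="utf-8"

Do not try to contact me or find me, it is impossible, since I sent you
an email from your account.
"""

# Constructed message from a legitimate correspondent, for comparison.
SAMPLE_LEGIT_MESSAGE = """\
Return-Path: <alice@example.org>
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.org;
    dkim=pass header.d=example.org;
    dmarc=pass header.from=example.org
From: Alice <alice@example.org>
To: john.smith@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""


def parse_auth_results(header_value):
    """Reduce an Authentication-Results header to {method: result}, e.g.
    {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}. Only the method=result
    token of each clause is kept; properties such as smtp.mailfrom are ignored.
    """
    results = {}
    # The first clause is the authserv-id (e.g. mx.example.com); skip it.
    for clause in header_value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        method_result = clause.split()[0]
        if "=" in method_result:
            method, result = method_result.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def spoofing_indicators(raw_message):
    """Return human-readable indicators that the From: header was forged.
    An empty list means none of the checked indicators fired."""
    msg = message_from_string(raw_message)
    indicators = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    # The article's trick: the message claims to come from the victim's own
    # address.
    if from_addr and from_addr.lower() == to_addr.lower():
        indicators.append("From: address equals the recipient's own address")

    # Header From: and envelope sender (Return-Path) disagree on domain.
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    rp_domain = return_path.rsplit("@", 1)[-1].lower()
    if return_path and from_domain != rp_domain:
        indicators.append(
            f"Return-Path domain {rp_domain} differs from From: domain {from_domain}"
        )

    # The receiving server's own verdicts (SPF / DKIM / DMARC).
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("spf") == "fail":
        indicators.append("SPF check failed for the sending server")
    if auth.get("dkim") in (None, "none", "fail"):
        indicators.append("no valid DKIM signature")
    if auth.get("dmarc") == "fail":
        indicators.append("DMARC evaluation failed for the From: domain")

    return indicators


if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED_MESSAGE), ("legit", SAMPLE_LEGIT_MESSAGE)):
        print(f"{name}: {spoofing_indicators(raw) or ['no indicators']}")
```

The checks rely on the receiving server having already evaluated SPF, DKIM and DMARC and written the result into Authentication-Results; a mail gateway or spam filter that does this, combined with a DMARC policy published for your own domain, is what makes the "sent from your account" trick easy to catch automatically.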
Staying protected from phishing attempts using spoofed emails
Despite the fact that it’s relatively easy to protect against spoofed emails, spoofing is still a common technique used by spammers and cyber-criminals.
Recommendations to combat email spoofing:
- Subscribe to a highly effective spam filter service and re-evaluate its effectiveness annually.
- Assign someone (if not an employee, hire an IT outsourcing firm) to monitor and administer the email system including the spam filtering service. This is not a trivial task as email functionality changes, new threats evolve constantly and email addresses are in frequent flux due to personnel changes.
- Educate employees about email spoofing and other techniques used by spammers and cyber-criminals.
- Train them on what to look for when scanning their inbox so they can quickly identify potential malicious emails.
- Provide them with a resource they can turn to when they are unsure whether an email is bogus.
Email is a necessary and extremely useful business communication tool. Unfortunately, because it's used so much it makes an easy target for cyber-criminals. For an average email user, it’s a difficult task at best to spot a malicious email among the hundreds or thousands that pour into their inbox. That is why it's so important for organizations to allocate the resources and funds to protect their personnel and their organization from all the threats that may arrive as an innocent looking message from a friend.
This latest series of attacks shows a new precarious trend in which attackers are now leveraging customized data elements to enhance the effectiveness of social engineering scams. Hackers now have the automated technology to collect, sort and use, hundreds of millions of compromised credentials in global attacks. Plenty of users have been convinced by this new attack strategy. According to Krebs on Security, one of these campaigns brought in $100,000 in payments its first two weeks. A sextortion campaign targeting the Netherlands brought in $50,000 in one week while another version of this attack garnered over $250,000 last year.
Cybercriminals have obviously upped their game, which means you have to up your defenses. Cybersecurity is a moving target, which means you need tools that have the sophistication to adapt and grow in order to keep you safe.