Cybercriminals are nothing if not creative and opportunistic. Major world events have been used as a premise for spam and phishing attempts countless times in the past. International money scams use premises from multi-million-dollar inheritances to stranded travelers to defraud more gullible and less security-conscious internet users. Mix in some personal information and (fake) blackmail, and you have one of the most recent major phishing campaigns and the subject of this month's Threat Spotlight.
Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which the attackers claim to have recorded on the victim’s computer, shared with all their contacts.
For English-speaking users at least, the email arrives with a subject that likely consists of just one word. Not just any word, however, but something all too familiar: one of your passwords. Some emails may also contain the phrase “Your password is” preceding the password, but either way the aim is to immediately put the user on alert that they may have been hacked. The poorly-worded email goes on to claim that the user's computer has been infected with a Remote Access Trojan (which the email calls a “Remote Desktop”) from a pornography website and that videos of the user watching explicit videos have been recorded. The email also claims that the user’s contacts from email and social networking have been gathered and that unless a sum of money is paid (in Bitcoin, of course), the video of the user watching porn will be sent to those contacts. We also saw examples of the attackers emailing the same address multiple times to up the scare tactics, an approach they are likely taking with most if not all of their intended victims.
The good news is there's no video or a list of contacts to send it to. The attacker does have a legitimate password, but this was most likely obtained from the AntiPublic Combo List—a list of more than 500 million leaked passwords revealed through a number of breaches, which was made available back in 2016—rather than from malware on the user's computer. While Remote Access Trojans (RATs) are all too common these days, in this particular case the user’s computer luckily has not been infected by one. Whether or not the user has visited any pornographic websites is something only they know, but given that these emails are largely targeting business email addresses it's unlikely they're doing so on their work computer. For obvious reasons, we didn't send out a survey asking as much, but it seems a safe assumption, and so the other claims in the email must also be false.
Scope of the Sextortion Scam
This campaign started in July but is still ongoing. Barracuda Labs examined more than 1,000 examples of this threat over just a few days, and we found approximately 24,000 emails since September that use the same set of sender emails as the observed samples, which is a better indicator of the volume of this attack. The samples we examined were from customers manually reporting them, so it’s likely there are many times more that weren’t reported to us.
The attack has even been popping up in different languages such as Spanish and German, although without the password being explicitly stated or perhaps even known to the attacker. (It seems campaigns in other languages use spam lists rather than the password list that the English version uses.) In our sample set, the countries we saw targeted were Australia, Belgium, Canada, China, Czech Republic, Spain, Guatemala, Hungary, Ireland, Iceland, Japan, Sri Lanka, Netherlands, United Kingdom, and the United States.
Out of roughly 1,000 Bitcoin wallets belonging to the attacker, only four transfers were made. But with blackmail amounts at anywhere from $1,000 to $7,000, it's easy to see why this campaign is popular, especially given that the overhead is so low. The cybercriminals simply need to send emails to addresses on publicly available lists. It's also possible the attack was more effective early on, before articles confirming it was just a scam started to surface.
A Potential Victim’s Perspective
One woman we spoke to has received a variant of the sextortion scam email three times since the beginning of October. Each email she received came about a week apart, and the threats changed each time, claiming something slightly different. The first email followed the standard text about having video of her visiting a pornographic website, using a very old password in the subject line along with a statement that her email address had been hacked. The second email used a second, even older password, and it attempted to undermine reasons the first email might have been ignored, saying that even if she had changed passwords it wouldn’t matter because they’d been controlling the computer for years. It also made less specific claims about what had been recorded, just that they had hijacked the camera and got video of weird things happening in her office. All three emails came from a spoofed version of her own email address and got caught in spam.
After she received the first email, she contacted her ISP, and they couldn’t find any malicious activity. So, based on the age of the password and knowing that she follows best practices for password management, she simply updated the passwords on all her apps and accounts and ignored the email. After she received the second threat, she did some online research and discovered what was really going on.
“Even though I know it’s a scam, it’s still unsettling,” she says. “It’s very realistic.”
Tactics of an Effective Campaign
Regardless of how well the campaign actually performed, the sextortion scam employs several tactics that make it convincing. Providing something that is intended to be secret (i.e. the user's password) not only causes worry or fear, but it also may lead the user to assume that claims to know other information intended to be secret (i.e. their “internet browsing habits”) are also legitimate. The contradiction that porn is both widely popular yet taboo in many areas certainly increases the potential for success of this campaign as well. Lastly, the explanation of the (fake) attack on the user borrows from popular real attacks, thus ensuring that a web search will bring up a large number of recent results for other (real) malware attacks.
Where the attack falls short, however, is mainly in the poor grammar (which is a common sign of any phishing-based scam), the age of the password list being used (since it's possible the password provided is no longer in use), and its reliance on a gamble that the user has, in fact, been to a porn site recently.
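The hallmarks described above (a subject that is a bare password or starts with “Your password is”, a sender spoofed to match the recipient, and body text combining a “Remote Desktop” claim, a recording claim, a Bitcoin demand and a threat to contact the victim's contacts) can be turned into a simple mail-filter score. This is an added example, not Barracuda's detection logic; the two messages are constructed samples and the indicator weights and threshold are my own assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed samples modelled on the campaign described above; not real messages.
SEXTORTION_SAMPLE = (
    "From: alice@example.com\nTo: alice@example.com\n"
    "Subject: Your password is hunter2\n\n"
    "I installed a Remote Desktop on your computer from an adult site and recorded video\n"
    "from your camera. I have all your contacts from email and social networks. Pay 1000\n"
    "USD in Bitcoin to my wallet or the video goes to everyone.\n"
)
BENIGN_SAMPLE = (
    "From: it-helpdesk@example.com\nTo: alice@example.com\n"
    "Subject: Reminder: scheduled maintenance\n\n"
    "The VPN gateway will be patched on Saturday; please save your work and log off.\n"
)

# Body phrases taken from the email described in the article; the weights are my own assumption.
BODY_INDICATORS = [
    ("rat_claim", re.compile(r"remote (desktop|access)", re.I), 2),
    ("recording_claim", re.compile(r"\b(video|camera|recorded)\b", re.I), 1),
    ("bitcoin_demand", re.compile(r"\b(bitcoin|btc|wallet)\b", re.I), 2),
    ("contact_threat", re.compile(r"\bcontacts?\b", re.I), 1),
]
THRESHOLD = 5  # assumed cut-off; tune against your own mail flow

def score_message(raw_message: str) -> tuple[int, list[str]]:
    """Score one single-part text message; returns (score, names of indicators found)."""
    msg = email.message_from_string(raw_message)
    score, hits = 0, []
    subject = (msg["Subject"] or "").strip()
    if re.match(r"your password is\b", subject, re.I):   # "Your password is <pw>" subject
        score, hits = score + 3, hits + ["subject_password_phrase"]
    elif re.fullmatch(r"\S+", subject):                  # subject is a lone token (the password)
        score, hits = score + 1, hits + ["subject_single_token"]
    sender = parseaddr(msg["From"] or "")[1].lower()
    recipient = parseaddr(msg["To"] or "")[1].lower()
    if sender and sender == recipient:                    # spoofed to look like the victim's own address
        score, hits = score + 2, hits + ["from_equals_to"]
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "utf-8", "replace")
    for name, pattern, weight in BODY_INDICATORS:
        if pattern.search(body):
            score, hits = score + weight, hits + [name]
    return score, hits

def is_sextortion(raw_message: str) -> bool:
    """True when enough of the campaign's hallmarks co-occur in one message."""
    return score_message(raw_message)[0] >= THRESHOLD
```

A single weak signal (a one-word subject, or the word “contacts”) never crosses the threshold on its own; it is the co-occurrence that the article describes which triggers the verdict.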
How to Protect Yourself
Real-Time Spear Phishing and Cyber Fraud Defense — Barracuda Sentinel is the only solution in the market that can automatically prevent email account takeover. It combines three powerful layers: an artificial intelligence engine that stops spear phishing attacks in real time, including emails that originate from within the company; domain fraud visibility using DMARC authentication to guard against domain spoofing and brand hijacking; and fraud simulation training for high-risk individuals.
User Training and Awareness — Employees should be regularly trained and tested to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training. Barracuda PhishLine provides comprehensive, SCORM-compliant user training and testing as well as phishing simulation for emails, voicemail, and SMS along with other helpful tools to train users to identify cyberattacks.
Other best practices:
- Periodically check email addresses and passwords for their involvement in breaches and then change passwords when this happens. Sites like haveibeenpwned.com make this easy to check.
- Create complex passwords. Passwords that are long, not predictable, and contain mixed case, numbers, and special characters are an important step to remaining secure. Based on the samples we were able to analyze, many of the leaked passwords were less than optimal as well.
- Use a password manager that will help you generate and keep track of complex passwords. Some even include alerts when they detect that one of your passwords may have been breached so you can change your password right away.
- Schedule regular IT security checks. It’s a good habit to regularly check your password complexity, that your backups are working, and that your systems are up to date. Put time on your calendar so you remember to do it.
- Keep browsers and operating systems up to date. This helps prevent exploits from infecting computers, as does caution when opening email attachments and links. While the attacker here didn't actually infect any users with malware, RATs are widespread, and users should take these steps to prevent infection by them and other malware.
- Stay informed. You can read our other recent Threat Spotlights to learn more about other email-borne threats and how to avoid them.
- Get a camera cover or disable your computer’s camera. Even though this is a scam and there is no video, if a threat like this makes you nervous, you may want to consider taking steps like this to protect your privacy.
- Don’t react out of fear. Doing web searches for key phrases in suspect emails may help to verify that a scam is taking place or at least increase awareness of the attack. Always pay close attention to the details and do not assume that a breached password or spoofed email means that you are currently compromised. Ask your ISP or tech support for help if you have questions.
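The breach check recommended in the first bullet above can be done without sending the password anywhere: the Pwned Passwords range API of haveibeenpwned.com takes only the first five characters of the password's SHA-1 and returns every suffix it has for that prefix, so the comparison happens locally. This is an added example, not Barracuda's or the site's own code; the sample response body and its counts are constructed so the demo runs offline, and `fetch_range` is the one function that goes to the network.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint: only the first 5 hex chars of the SHA-1 leave your machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API response to prefix 5BAA6, so the demo runs offline.
# The first suffix is the real SHA-1 tail of "password"; the counts and the second entry are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00AB1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:7\r\n",
}

def split_hash(password: str) -> tuple[str, str]:
    """Hash the password and split into the 5-char prefix sent to the API and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(range_body: str, suffix: str) -> int:
    """Scan the 'SUFFIX:COUNT' lines returned for a prefix; 0 means the password was not in the set."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_range(prefix: str) -> str:
    """Live lookup (network); the service asks clients to identify themselves with a User-Agent."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str, fetch=fetch_range) -> int:
    """How often the password appears in the breach corpus; the full hash never leaves the host."""
    prefix, suffix = split_hash(password)
    return count_in_range(fetch(prefix), suffix)

if __name__ == "__main__":
    # Offline demo against the constructed table; pass fetch=fetch_range for a live check.
    offline = lambda prefix: SAMPLE_RANGES.get(prefix, "")
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fetch=offline)
        print(f"{pw!r}: seen {n} times -> {'change it' if n else 'not in sample set'}")
```

Any non-zero count is reason to rotate that password everywhere it is used; a zero result only means it is absent from the corpus, not that it is strong.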