Email content filters have come a long way in recent years. Tremendous strides have been made in protecting us from the never-ending wave of malware and malicious intent. However, cybercriminals (if nothing else) are very creative and not easily deterred. As robust as email protection has become, it isn’t foolproof. Scammers are constantly evolving their attacks to slip past email content filters. One of the popular email scams going around takes the form of extortion, or “sextortion” to be specific. It’s a phishing scam laced with a healthy dose of social engineering, and it has proven to be an effective way for scammers to turn a quick profit.
How it Works
Scammers try to invoke panic and fear in order to get you to make a bitcoin payment to an address they provide. The amount varies but usually starts at a few hundred dollars and can run into the thousands. The formula is simple and commonly contains many of the following elements:
- “I am aware your password is xxxxxxxxxx”
- “You don’t know me but……”
- “I placed malware on an adult website that you visited…”
- “I had access to your screen and webcam…”
- “I have downloaded your entire contacts list….”
- “I have captured video evidence”
- “You have 24 hours to respond….”
- “Pay me X amount in bitcoin or I will release this video to everyone you know”
What’s going on here? What does this supposed hacker have? What should you do? The first thing to do is relax. It is highly unlikely they have anything other than a bunch of lies; the entire scam plays on panic and fear.
- First, they try to convince you that they have your information. They give a password (one that you have likely used in the past). Additionally, they may include your name, phone number and/or address to convince you they know everything about you. This is nothing more than a scare tactic, used to add legitimacy to the claims that follow.
- Next, they claim to have video proof of adult content that you have viewed as well as webcam captured video of you viewing the content.
- Then comes the threat. They claim to have your contact list and that they will release the video to everyone you know. This plays on our natural tendency toward fear and panic. Nobody wants to be embarrassed, and most people naturally fear the ramifications that would follow.
- Lastly, there is the timeline. To instill a sense of urgency, you have 24 hours to pay X amount in bitcoin.
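The formula above is regular enough that a mail filter or a SOC analyst can score a message against its hallmarks. The following is an added example (not code from the original article or its author): it weights each hallmark, extracts any Bitcoin address so the payment destination can be tracked the way the Symantec study did, and flags the message once the score crosses a threshold. The two sample emails, the patterns, the weights, the threshold and the placeholder Bitcoin address are all constructed for this illustration.

```python
import re

# Hallmarks of the sextortion template described above. Patterns and weights
# are this example's own choices, not values from the article.
INDICATORS = {
    "password_claim": (
        re.compile(r"\b(i (am )?aware|i know) (that )?your password\b", re.I), 3),
    "malware_on_adult_site": (
        re.compile(r"\b(malware|trojan|virus)\b.*\b(adult|porn)", re.I | re.S), 2),
    "webcam_recording": (
        re.compile(r"\b(webcam|camera|screen)\b.*\b(record|captur|video)", re.I | re.S), 2),
    "contacts_threat": (
        re.compile(r"\b(contacts?|friends|family|everyone you know)\b", re.I), 1),
    "deadline": (
        re.compile(r"\b\d{1,3}\s*(hours?|days?)\b", re.I), 1),
    "bitcoin_demand": (
        re.compile(r"\b(bitcoin|btc)\b", re.I), 2),
}

# Legacy (1... / 3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

THRESHOLD = 6  # arbitrary cut-off chosen for this example


def score_email(body):
    """Score an email body against the sextortion hallmarks.

    Returns the total score, which indicators fired, any Bitcoin addresses
    found (useful for tracking payments across a campaign), and a verdict.
    """
    hits = []
    score = 0
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(body):
            hits.append(name)
            score += weight
    addresses = BTC_ADDRESS.findall(body)
    if addresses:
        hits.append("btc_address")
        score += 3
    return {
        "score": score,
        "hits": hits,
        "addresses": addresses,
        "suspicious": score >= THRESHOLD,
    }


# Constructed sample messages; the address and password are placeholders.
SAMPLE_SCAM = """I am aware your password is hunter2. You don't know me but I placed
malware on an adult website that you visited. I had access to your screen and
webcam and have captured video evidence. I have downloaded your entire contacts
list. You have 24 hours to respond. Pay 900 USD in bitcoin to
1ExampLeScamAddrFakeNotRea1Xyz or I will release this video to everyone you know."""

SAMPLE_BENIGN = """Hi team, reminder that the password policy changes next week. Please update
your manager's contact details in the HR portal within 3 days. Thanks!"""


if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        print(label, score_email(body))
```

The benign message still trips two weak indicators ("contact", "3 days"), which is why the individual hallmarks are weighted and combined rather than treated as a blocklist; a single phrase such as a deadline is normal business email.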
Take comfort in knowing you aren’t being directly targeted. These emails are sent out as part of mass-mailing campaigns. Because little technical knowledge is needed, many groups and individual cybercriminals are likely running this scam. The passwords and personal details included almost certainly came from one of the many data dumps available online. One of the easiest things you can do is check a site like haveibeenpwned.com: search your email address to see which published breaches it appears in and what kinds of data (including passwords) were exposed.
Why Is It So Effective?
It’s all about the ROI. It’s not just big corporations that care about their return on investment. The entire scam is predicated on the assumptions that:
- You will react out of fear/panic.
- You reuse your passwords (as many people do).
- You have actually used your computer to view adult content.
In a study of this scam, Symantec examined 5,000 of the most-seen Bitcoin addresses associated with these attacks and, based on that analysis, estimated that just over $1.2 million a year is generated from these types of scams. That is a very effective process considering it requires little effort and skill to execute, and any success is pure profit.
What Can You Do?
Again, don’t react out of fear. Pay close attention to the details. A few quick Google searches on key phrases from the email will often identify it as a known scam. If it arrived on a work account, report the attempt immediately to your IT or security team; reporting such activity helps strengthen your organization’s content filters.
If threats like this make you nervous, get a camera cover or disable your computer’s camera. Even a piece of tape will work as a quick solution.
Don’t use your work email to sign up for non-work mailing lists or promotions. Attackers know that people reuse their passwords; in fact, they are counting on it. A breach that leaks your work email and password can be used against you.
Use a password manager to generate and track complex passwords. People are notoriously bad at creating passwords. Take the human element out of the equation with a password manager.
Periodically check sites like haveibeenpwned.com. This site makes it easy to check your email addresses and passwords for their involvement in breaches. Be ready to change your password if you discover a published breach involving your username and/or password.
User Training and Awareness - Employees should take part in regularly scheduled training to stay up to date on evolving attack techniques.
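The password check on haveibeenpwned.com (Pwned Passwords) is worth understanding, because it lets you test a password against the breach corpus without ever sending the password itself: the client hashes the password with SHA-1 and sends only the first five hex characters of the digest to the range endpoint, which returns every known hash suffix with that prefix and its breach count; the match is made locally. The following is an added example, not code from the article or from Have I Been Pwned. The network call is replaced by a constructed in-memory response so it runs offline; the breach count and the second suffix in that response are made up for illustration, and `live_fetch_range` is provided only to show what the real lookup looks like.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def pwned_range_key(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse the 'SUFFIX:COUNT' lines returned for a hash prefix."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Return how many times the password appears in the corpus (0 = not seen).

    fetch_range(prefix) -> response body; injected so the lookup can be
    served offline in this example.
    """
    prefix, suffix = pwned_range_key(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def live_fetch_range(prefix):
    """Real lookup against the Pwned Passwords range API (not used offline)."""
    with urllib.request.urlopen(RANGE_ENDPOINT + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts below are illustrative
# and the second suffix is invented to show that other hashes share a prefix.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E2B1D9D4A5D4B8D3F1A0C2E3B4A5D6C7E8:2\n"
    ),
}


def offline_fetch_range(prefix):
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xq9"):
        n = pwned_count(pw, offline_fetch_range)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in corpus")
```

A password manager can run this same check on every stored credential; the point of the prefix-only query is that neither the password nor its full hash is disclosed to the service, so the check is safe to automate.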
Written by Aaron Moore
Aaron has over twenty years of IT experience spanning a variety of domains including: Banking, Agriculture, DoD and CPG industries. Aaron possesses his Security+ CE certification and currently serves as a Sales Engineer at TechGuard Security. In this role, he acts as the liaison between the sales and technical teams, matching client needs to the core capabilities. Aaron has served as a consultant for multiple Fortune 200 organizations, fulfilling roles in application development, database design and database administration. In his spare time, Aaron and his wife can usually be found at the baseball or soccer fields watching their kids play sports.