Online scams are increasingly prolific because they piggyback on human weaknesses rather than software vulnerabilities that take significant effort to exploit. Simply put, it’s easier for criminals to pull the right strings in users’ conscience than to go the tedious route of writing and deploying complex malicious code. Crooks love shortcuts and therefore it comes as no surprise that Internet hoaxes are spreading like wildfire these days.
A manipulative technique known as sextortion (sex + extortion) occupies a separate niche in this ecosystem and it’s gearing up for a rise. First spotted in 2018, these hoaxes revolve around people’s natural desire to avoid embarrassment. The logic of a classic sextortion scam is to send somebody an email stating that a hacker has compromised the recipient’s computer and recorded an incriminating video of the victim as he or she was watching some content on an adult site. The fraudster threatens to leak this footage to the public unless the user pays a ransom. The email subject is along the lines of “Final warning”, “You have been hacked” or something equally scary.
Below is a rundown of all sextortion methods known to date. This information will help you identify the hoax if you receive one of those deceptive emails.
A scam with a flavor of a data breach
A sextortion campaign unearthed in July 2018 became the wakeup call that paved the way for this nasty phenomenon towards mainstream circulation. The cybercrooks generated a wave of spam stating that a piece of malware had infected the recipient’s computer when the person was on an X-rated website. Specifically, the fraudsters claimed to have exploited the Remote Desktop Protocol (RDP) to deposit a keylogger onto the host.
The email went on to say that the hack allegedly allowed the attacker to access the victim’s webcam and screen and steal the list of contacts from Facebook and messenger apps. According to the felons’ story, they also compiled a double-screen video whose first part shows the adult materials being watched and the second part displays the camera feed of what the victim was doing. To keep this video secret, the sender asked for $2,900 worth of Bitcoin and set a 24-hour payment deadline.
A particularly tricky aspect is that the message included the victim’s real password for one of the services they used. This made the hoax look more trustworthy. However, researchers found that the perpetrators used credentials leaked on cybercriminal forums in the aftermath of past data breaches. Therefore, people could simply ignore these emails. In such scenarios, the only caveat is to change the password immediately if it is still in use at the time of the attack.
False claims about a hack through EternalBlue exploit
A newer sextortion scam variant is designed to add extra scare and some feigned technical complexity to the mix. The misleading email says that the recipient’s computer has been infiltrated by a Remote Access Trojan (RAT). What makes this hoax unique is that the criminals claim to have used a cutting-edge exploit called EternalBlue to execute this attack.
For the record, EternalBlue was masterminded by the NSA and later obtained by threat actors. It zeroes in on security loopholes in SMBv1 protocol to infect Windows PCs surreptitiously. The exploit gained notoriety for being used to orchestrate the massive WannaCry ransomware outbreak in May 2017.
By purporting to leverage EternalBlue for the attack, sextortion scammers try to pass themselves off as high-profile cybercriminals and thereby make the plot more convincing. According to the email, the Remote Access Trojan allowed its operators to take embarrassing videos of the victim. To prevent these materials from being sent to the user’s contacts, the crooks demand $600 in cryptocurrency. The message additionally includes a password for one of the victim’s accounts – again, it comes from a credentials database dumped on the dark web as a result of a data breach previously incurred by a service provider.
Phony evidence files attached
In another clever move, pseudo hackers enhance the common sextortion technique by providing a password-protected archive that supposedly contains proof of the compromise and a video of the victim’s NSFW pastime. When opened, the ZIP attachment only shows the names of files that are allegedly at the attacker’s disposal. Some examples are Camera-Vid.avi, screenshot.jpg, and contacts.txt. In order to open them and see what’s inside, the recipient is instructed to purchase the password for $50. Of course, this is bluff aimed at defrauding gullible users of their money.
Sextortion email sent from your own compromised account? Not really
To hoodwink users into thinking they got hacked for real, some cybercriminal groups have added a social engineering technique called email spoofing to their repertoire. This way, the deceptive message appears to have been sent from the victim’s email address. Such a trick is persuasive enough for many users to get on the hook. This particular hoax originally targeted people in the Netherlands and later extended its reach to other locations around the world.
The subject of the message includes the recipient’s actual email address and the phrase “48 hours to pay”. The story in the email body fits the mold of a typical sextortion scam. It includes claims about a computer virus that allowed the malefactor to record a video of the user when he or she was visiting an erotic site. The ransom for the self-proclaimed hacker’s silence ranges from $800 to $1,000 worth of Bitcoin. However, the recipients should keep in mind that the email address is fabricated to look like their real one, so the message can be ignored and safely deleted.
The CIA investigation scare
This one stands out from the rest in two ways. First of all, the blackmail is related to allegations that the user has stored and distributed pornography content involving children. Secondly, the sender pretends to be a “technical collection officer” working for the CIA rather than a hacker. The email subject includes the case number registered by the intelligence service so that the hoax looks truer to life.
According to the message, the exposure is part of an international law enforcement operation surveilling more than 2,000 individuals suspected of child pornography-related felonies. The self-proclaimed CIA employee demands $10,000 in Bitcoin for removing the victim’s details from the list of suspects.
Sextortion-style emails spreading malware
A scam campaign spotted in March 2020 is yet more intricate than its counterparts because it leverages the sextortion theme as bait to distribute a strain of info-stealing malware dubbed Raccoon. The fraudsters’ narrative is about an unsuccessful extortion attack targeting the recipient’s friend or colleague. The person is allegedly unwilling to pay for nondisclosure of embarrassing photos of his girlfriend that ended up in the hackers’ hands. As a result, the crooks are now supposedly sending out these nude pics to all of the intended victim’s contacts.
If the recipient gets curious enough to open the attached Word document, the images are blurred and there is a prompt asking the user to enable macros and thereby see the embedded data. If this trick works out and the victim turns macros on, a stealthy script will download the Raccoon malware payload from the attackers’ Command and Control server and execute it on the computer.
Multistep sextortion involving feed from smart cameras
In January 2020, researchers came across an intricate type of sextortion where a victim is instructed to get through a merry-go-round of email accounts to understand what kind of information the crooks allegedly have and what their demands are. To set this scam in motion, cybercrooks first send an email stating that they have nude videos of the user recorded with the phone camera. To see some evidence that this isn’t a joke, the victim is told to log into a specified email account using a password included in the original message.
From there, the user is lured to click on a link that leads to a website rendering live feed from Nest cameras installed in public places. The malefactors claim to have hacked these connected devices, thus trying to demonstrate that they are technically proficient attackers. However, it turns out that the footage is actually “borrowed” from the official website of Nest, the manufacturer of these cameras.
The web page rendering these videos also contains a ransom note and lists the crooks’ contact details so that the user can finally find out their ultimatum. At the end of the day, the perplexed victim is coerced to pay up to $800 within four days. This multi-pronged and confusing technique is most likely just a way for the scammers to show that they are highly experienced hackers who actually have some incriminating content involving the user.
Coronavirus-themed sextortion? Sounds wicked, but it’s underway
The latest scam unveiled in April 2020 relies on a hugely bizarre blackmail combo. Not only do the criminals threaten to leak adult materials featuring the victim in case of non-payment, but they also warn the person that they could infect his or her whole family with COVID-19.
Believe it or not, this absurd wave of sextortion is currently in the wild. Its operators tell recipients to pay $4,000 in Bitcoin within a 24-hour deadline. Fortunately, the obvious nonsense does the fraudsters a disservice because no judicious user will ever fall for such ridiculous claims.
The bottom line
Although sextortion scams are all bark and no bite, lots of people fall for them and cough up money for nondisclosure of the materials the felons supposedly have. Furthermore, malicious actors have some tricks up their sleeve to make the hoaxes more persuasive, as is the case with email address spoofing and attachments purportedly containing evidence files.
So, how to treat these emails? The rule of thumb is to avoid paying the ransom. Bear in mind that these are no more than scams. The black hats are bluffing, so the right response is to disregard their threats and delete the message without a second thought.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.