Have you come across an email from an unknown sender claiming to have captured your webcam feed while you were visiting an adult website and that if you didn’t pay up, the video will be shared with your family members, friends and colleagues? The attacker would also claim that they have access to your complete contact list from Facebook, Messenger and Email. To make the threat sound more convincing, the email would casually mention the username and last few digits of the password of one of the social media accounts or websites you subscribed to.
This a common modus operandi used for what is widely referred to as a sextortion scam, where attackers prey on fear and embarrassment to coerce targets into paying money in Bitcoins. In fact, a SophosLabs’ investigation, published April, shows that cyber criminals have made almost half a million US dollars in profits between September 2019 and January 2020 through sextortion campaigns.
“Across the five months of our investigation we saw wave after wave of attacks, often taking place over the weekend and sometimes accounting for up to a fifth of all spam tracked by us. And while most recipients either didn’t open the email or didn’t pay, enough of them did to net the attackers around 50.9 Bitcoins, equivalent to nearly $500,000," Tamás Kocsír, security researcher at SophosLabs, who led the research, said in a press statement.
Previous study by another cybersecurity firm Symantec has also shown an increase in sextortion emails over 2019. Of the 300 million malicious emails Symantec blocked, most of them were related to sextortion.
The complexity of the attacks
To send out these emails to millions of targets, the criminals used an army of botnets made of compromised PCs. According to the Sophos report, 7.1% of all sextortion emails during the period originated from Vietnam, while 3.73% came from India. During their research, Kocsír’s team found some of the emails had used unique obfuscation techniques to bypass anti-spam filters. They would deliberately break up words with invisible random strings, or insert blocks of white garbage text, or add words in the Cyrillic alphabet to trick automated scanning tools.
Since the extortion was being carried out in Bitcoins, SophosLabs joined forces with CipherTrace, a Blockchain forensics company, to track the flow of money from the cryptocurrency wallets. They found that the extorted money was used to support other illicit activities on Dark Web (dark underbelly of Internet that is not indexed by search engines), such as buying stolen credit card credentials. Other funds were moved through multiple wallet addresses and put through mixers for money laundering.
How to protect yourself?
Kocsír warns, these are not beginner techniques and they are a good reminder that spam attacks of any kind should be taken seriously. However, like all phishing scams, the scam’s rate of success depends on the gullibility of the target. The username and password mentioned in the email is what often tricks users into believing the attacker. There is a high possibility the attacker got those details on Dark Web through previous data breaches. You can check which of your account details and passwords have been compromised, in past, through websites such as ‘Have I Been Pwned’.
Just to be sure, after receiving a sextortion email you should immediately check the social media platform or website in question and see if you can access it. If you have been signed out and can’t sign in anymore, try changing the password using ‘forgot password’ method. If you can access it, to be on the safer side, it is better to change passwords for all your apps and websites using a different device.
Talha Obaid, email security expert at Symantec, warns not to use the same password for every website, enable two-factor authentication wherever it is available, use different email ids for different purposes, not to click on links or attachments from unknown sources and delete them immediately.