A highly effective new email scam now circling the web uses a clever ploy to trick victims into paying up.
The email uses an old password dump to convince the victims that the hacker was able to break into their webcam and record them as they watched online pornography. In order to keep this video from being released to the public web, the criminal demands a payment.
One of the extortion letters reads: “$1,400 is a fair price for our little secret.”
The scam is part of a new wave of financially-motivated sextortion campaigns targeting web users. And it could soon plague businesses as well.
Online sextortion has been around for many years, but previously it was primarily limited to predators who tried to extort victims into sending them nude photos and videos. The new wave of sextortion scams is entirely different — its motivation is money, not sex, and it’s being run by cybercriminals and hackers, some of whom may have connections to organized crime.
So, why are hackers shifting to sextortion? It’s part of an overall trend in the cybercrime community toward extortion and blackmail in general, as this tactic is proving to be more profitable than many other types of scams.
‘13,000 complaints in July alone’
With the ubiquity of online pornography, and the fact that people are now more exposed online than ever before (from social media to cloud-based storage), sextortion is a scam that also makes a lot of sense for criminals. After all, what could be more humiliating for the average person than to have their nude photos or pornography habits exposed to family, friends, and business associates online?
This August, the FBI reported that online sextortion attempts of this type are on the rise. Over 13,000 complaints were filed in July alone.
As of now, most of these sextortion attempts seem to be part of generic spam campaigns, which are blasted out to internet users across the country. However, a growing concern for businesses, banks, and the U.S. government is that hackers could soon use sextortion as a means for getting a backdoor inside a company.
For example, if someone can blackmail a vulnerable employee with the exposure of embarrassing videos and photos, the victim may be willing to share a password or provide some other way into a corporate or government network for a hacker. The U.S. military has become so concerned with the threat of sextortion as a means of breaching a sensitive network that its various branches have launched multiple public awareness campaigns, like this Army CID alert.
The types of sextortion scams
Sextortion can take many forms, including email-based scams, “watering holes,” and more personalized social engineering.
Currently documented email scams include the one mentioned above, which uses stolen PII (personally identifiable information) to convince the intended victim that their computer or online accounts have been compromised, exposing embarrassing material.
Another clever email scam uses a pornography link as bait, and if the link is clicked, the user receives a second followup email which claims: “I know what you watched” to blackmail them into paying. Hackers have also developed a new type of ransomware which, instead of encrypting the computer, will hunt for any nude images stored on the device and then threaten to release them to the person’s online contacts.
While most of these email scammers are bluffing about having embarrassing images or videos of the victim, in some cases they actually do. A Remote Access Trojan (RAT) is a type of malware that can be used to hijack webcams, allowing the attacker to watch and record his victims, known as “slaves.”
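To show how a mail filter or help desk could triage the password-dump variant described above, here is an added example (not code from the original article) that scores an email body against the traits the scam relies on: a leaked password quoted as “proof,” a claim of webcam recording while the recipient watched pornography, and a payment demand. The sample messages and the breached-password set are constructed for the example.

```python
"""Heuristic triage for password-dump sextortion emails (added example)."""
import re

# One pattern per trait the article describes.
WEBCAM_CLAIM = re.compile(r"\b(webcam|camera)\b.*\b(record|video|footage)", re.I | re.S)
PORN_CLAIM = re.compile(r"\bporn|\badult (?:site|video)s?\b", re.I)
PAYMENT_DEMAND = re.compile(r"\$\s?\d[\d,]*|\b(pay|payment|transfer)\b", re.I)

# Constructed: passwords the recipient knows appeared in an old breach dump.
BREACHED = {"Passw0rd-2015", "summer2014"}

# Constructed sample messages (the "$1,400" line is quoted in the article).
SCAM_SAMPLE = (
    "I know your password is Passw0rd-2015. I put malware on the porn "
    "website you visited and my software recorded your webcam video. "
    "$1,400 is a fair price for our little secret. Pay within 48 hours."
)
BENIGN_SAMPLE = (
    "Hi team, reminder to submit expense reports for the $1,400 "
    "conference travel by Friday. Thanks."
)


def score_sextortion(body: str, breached_passwords: set[str]) -> dict:
    """Return per-indicator hits and a 0-4 score for one email body."""
    hits = {
        "webcam_claim": bool(WEBCAM_CLAIM.search(body)),
        "porn_claim": bool(PORN_CLAIM.search(body)),
        "payment_demand": bool(PAYMENT_DEMAND.search(body)),
        # The scam's "proof" is a real but old password from a dump; a hit
        # here means the recipient should rotate that password everywhere.
        "leaked_password_quoted": any(pw in body for pw in breached_passwords),
    }
    return {"hits": hits, "score": sum(hits.values())}


def is_likely_sextortion(body: str, breached_passwords: set[str],
                         threshold: int = 3) -> bool:
    """A payment mention alone (expense reports, invoices) must not trigger."""
    return score_sextortion(body, breached_passwords)["score"] >= threshold


if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_sextortion(body, BREACHED))
```

The leaked-password check is the actionable signal: whether or not the rest of the email is a bluff, a quoted password that matches a real credential should be rotated.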
Watering holes are another growing danger. Hackers are both creating fake pornography websites and mobile apps, and compromising legitimate adult sites. The ultimate motivation behind these attacks is money, whether it’s to infect the visitors with “blackmailware” or “scareware,” hijack account credentials, infect them with spyware or steal their credit card numbers outright.
Lastly, more direct social engineering attacks also exist. Typically these are “women” — either real women or men impersonating women — who connect with potential victims over Facebook and other social media channels. They will quickly steer the conversation toward sex, trying to get the victim to share nude photos or videos of themselves, either over email or through an actual video call. As soon as the nude images are shared, the conversation shifts from flirtation to extortion.
Who is most at risk?
Anyone with an internet connection is a potential target for sextortion criminals. This is not a crime that only affects people who act “naughty” online. Even if a person has never visited a pornographic website, cybercriminals can still use webcam hacks — or fake claims of such — to convince victims they have been exposed.
That said, certain risk factors should be considered. Visiting pornography websites or downloading pornography apps may increase a person’s risk of malware and credential theft. A few years ago, one security researcher found that visitors to Pornhub had a 53% risk of getting infected with malware.
Of course, any time a person engages in online sex with a stranger, they are exposing themselves to scammers, webcam RATs, and other threats. Taking nude photographs also puts the person in danger of eventual exposure — this can occur in various ways, from lost/stolen devices to nude photo-stealing malware, hacked cloud accounts, and more.
From individual victims to businesses
There are two important ways the sextortion threat could evolve.
First, it is highly likely we will see sophisticated cybercriminal groups turn to sexual blackmail as a way to force employees into providing back-end access to corporate networks.
Hackers already engage in “spear-phishing” attacks, in which they find specific high-value targets within a company and email them a well-crafted, personalized phishing email in order to get them to click. It is not a stretch to imagine future attacks that exploit a person’s interest in pornography or compromising photos in a hacked account in order to blackmail that person into handing over company passwords. The hackers could engage in even more malicious and subversive activity.
Second, a new technique called “deepfakes” could take sextortion to a whole new level. Deepfake tools use artificial intelligence-based video editing software to create fake videos based on real facial images. Recently, a number of Hollywood celebrities have been exploited in this manner, as their public photos were used to create fake pornographic videos. This same technique could be used on anyone who shares photos of themselves online.
Never respond to a sextortion demand
The most important way to avoid sextortion victimization is to use common sense.
Avoid high-risk activities like sexually explicit video calls or instant messaging with strangers met online. Don’t take or store nude images on a web-connected device — like a smartphone or tablet. Don’t visit pornography websites from the same computer or smartphone that is used to log in to bank accounts, check email or social media. Instead, have a dedicated device to use for this, so it won’t matter as much if the device is infected. Tape over PC webcams.
Never respond to a sextortion demand. Scammers are looking for easy targets and, in most cases, they will move on if they don’t receive a response. Remember that even if a victim does try to pay, there is nothing stopping the scammer from releasing the nude photos to the web anyway.
Businesses also need to have a layered defense in place that anticipates the threat of “rogue employees” who could be compromised by sextortion scammers. No single employee should have too much access to sensitive material or accounts. Passwords should be changed regularly, and accounts should require two-factor authentication whenever possible. Wire transfers should require dual authorization within the company. Incorporate sextortion awareness into security training for employees.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.