Because it’s embarrassing, few employees report it, but a type of phishing attack known as sextortion is becoming increasingly common at workplaces, according to one security company’s recent analysis. To get users’ attention, many of these threatening messages are initially disguised as legitimate security warnings.
These scams are carried out by criminals who claim to have stolen compromising material from the intended victim’s device and usually involve a threat to release it unless the victim pays up. Sometimes they claim to have seized control of the victim’s webcam, or imply that they have broken into their accounts and discovered some batch of salacious material. More often than not, the claims are bogus. The FBI’s definition of sextortion also extends to attackers who demand sexual images or favors instead of money. (Bitcoin, of course, continues to be the favorite form of payment for this particular category of lowlife.)
But regardless of whether they’re bogus or not, few users want to report such threats up the chain, because, well, people do in fact do things in front of computers that they’d prefer not to discuss with their bosses or their company’s IT department. (Yes, we mean sex stuff.) Either way, the fear of being publicly humiliated is certainly real—and one of life’s great motivators. Attackers understand that many potential victims will ultimately decide not to gamble with the possibility of being exposed and having their family, neighbors, and coworkers see something that cannot be unseen. Instead, they’ll just quickly cough up some cash.
It’s vile, but also pretty lucrative apparently. So it’s unlikely this type of scam is going away anytime soon.
New research from the security firm Barracuda offers some insight into the techniques sextortionists use to trick and pressure their victims into compliance. In an analysis of its own customers, the company says as many as one in 10 spear phishing attacks involves some form of sextortion or blackmail. (“Spear phishing” refers to phishing attacks that are personalized to the target, as opposed to criminals casting a wide net with, for example, bulk spam.)
Spam does, however, continue to be a preferred vehicle for sextortionists. “Sextortion emails are usually sent to thousands of people at a time, as part of larger spam campaigns, so most get caught in spam filters,” Barracuda says. “But scammers are continually evolving their email-fraud techniques, including using social-engineering tactics to bypass traditional email-security gateways.”
The emails often contain no malicious links, since the objective is extortion rather than infecting the recipient’s device, but they may be personalized in an effort to convince the target that the threat is legitimate. Barracuda explains:
In most sextortion scams, attackers use a harvested email address and password to prey on a victim’s fears in a threatening email. Often, attackers spoof their victim’s email address, pretending to have access to it, to make the attack even more convincing. Bitcoin is the form of payment typically demanded, with wallet details included in the message.
To increase the odds that a victim will actually read the email, many sextortion messages use subject lines containing a generic security warning, such as “Your account is being used by another person.” To avoid looking like spam, the subject line may also contain the user’s account name or full email address. Around 34 percent of such scams, the company says, involve subject lines that ask users to change their passwords.
A password the victim has used may also be found by combing through files released in a major data breach; the attacker can then quote it back to the target, possibly in the subject line itself, to help complete the illusion that the victim’s device or files are compromised. In other cases, the attacker is more direct, says Barracuda. Common subject lines include “You are my victim” and “This is my last warning firstname.lastname@example.org”.
Barracuda’s analysis found that more than half of sextortion attacks targeted educational institutions, with private businesses and government agencies also among the top targets.
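The indicators described above (a sender address spoofed to match the recipient, a generic security-warning subject line that names the recipient, a breached password quoted back to the victim, a bitcoin wallet in the body, and claims of webcam footage) are simple enough to turn into a scoring rule. The following is an added example, not code from the article or from Barracuda’s product; the regular expressions, the weights, the flagging threshold and the two sample messages are all assumptions constructed for the example, as is the list of breached passwords.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Indicators follow the article's description of sextortion emails; the
# regexes, weights and threshold are assumptions made for this example,
# not Barracuda's or any product's detection logic.
BTC_ADDR_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
SECURITY_WARNING_RE = re.compile(
    r"account is being used|change your password|has been hacked|"
    r"last warning|you are my victim",
    re.IGNORECASE,
)
LEAK_TALK_RE = re.compile(r"webcam|camera|video of you|adult (?:site|website)|porn", re.IGNORECASE)

FLAG_THRESHOLD = 6  # assumption: scores at or above this are treated as sextortion


def _body_text(msg: Message) -> str:
    """Return the text/plain content of a parsed message (multipart or not)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def sextortion_score(raw_message: str, breached_passwords=()) -> tuple[int, list[str]]:
    """Score one RFC 5322 message; returns (score, list of matched indicators)."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    subject = msg.get("Subject", "")
    body = _body_text(msg)
    text = subject + "\n" + body

    score, reasons = 0, []
    if from_addr and from_addr == to_addr:       # "pretending to have access to it"
        score += 3
        reasons.append("sender spoofed as recipient")
    if to_addr and to_addr in subject.lower():   # recipient's address in the subject
        score += 1
        reasons.append("recipient address in subject")
    if SECURITY_WARNING_RE.search(subject):      # generic security-warning lure
        score += 2
        reasons.append("security-warning subject line")
    if any(pw and pw in text for pw in breached_passwords):  # leaked password quoted back
        score += 3
        reasons.append("known breached password quoted")
    if BTC_ADDR_RE.search(body):                 # wallet details in the message
        score += 3
        reasons.append("bitcoin address in body")
    if LEAK_TALK_RE.search(body):                # claims of recorded material
        score += 1
        reasons.append("claims of recorded compromising material")
    return score, reasons


def is_sextortion(raw_message: str, breached_passwords=(), threshold: int = FLAG_THRESHOLD) -> bool:
    score, _ = sextortion_score(raw_message, breached_passwords)
    return score >= threshold


# Constructed sample messages (not real emails) for a stand-alone run.
SEXTORTION_SAMPLE = """\
From: alice@example.com
To: alice@example.com
Subject: Your account is being used by another person alice@example.com

I know your password is hunter2. I installed malware on an adult site you
visited and recorded you through your webcam. Send 0.2 BTC to
1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 within 48 hours or the video goes to
everyone in your contacts.
"""

LEGIT_SAMPLE = """\
From: it-helpdesk@example.com
To: alice@example.com
Subject: Reminder: change your password before Friday

Per the rotation policy, please change your password via the self-service
portal before Friday. Contact the helpdesk with any questions.
"""

# Assumption: passwords already known to appear in public breach dumps for the
# organisation's domain; a real deployment would compare hashes, not plaintext.
BREACHED_PASSWORDS = ("hunter2",)

if __name__ == "__main__":
    for name, sample in (("sextortion", SEXTORTION_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = sextortion_score(sample, BREACHED_PASSWORDS)
        print(f"{name}: score={score} flagged={score >= FLAG_THRESHOLD} reasons={reasons}")
```

Run stand-alone, the constructed sextortion message scores 13 and is flagged, while the genuine helpdesk reminder scores 2 on its “change your password” subject alone and is not. Note that the strongest single indicator, a From address forged to match the recipient, is exactly what an enforced DMARC policy on the organisation’s own domain rejects at the gateway (inbound mail claiming your domain but failing SPF/DKIM alignment); this offline example only inspects headers and cannot perform that check.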
“The overwhelming focus on education is a calculated move by attackers. Educational organizations usually have a lot of users, some with a very diverse and young user base that may be less informed about security awareness and that may be less aware of where to seek help and advice,” Barracuda says. “Given their lack of training and experience with the nature of these types of threats, students and young people can be more likely to fall victim in these attack scenarios.”
One of the chief ways to combat this threat is security awareness, something users should acquire through training—and hopefully not from their own repeated mistakes. There are also a variety of software products, including Barracuda’s, that try to identify and filter out the messages so users never see them. (Gizmodo has not tested the efficacy of these tools, many of which are marketed as “artificial-intelligence based.”)
Moreover, companies that thoroughly investigate sextortion attempts, learning for instance where the messages originate, and then take active steps to protect the users on their networks are less likely to be caught a second time with their pants down (so to speak).
A full copy of the Barracuda report can be viewed here.