Euro Security Watch with Mathew J. Schwartz

Cybercrime , Fraud Management & Cybercrime , Social Engineering

Sextortion Scam Wields Stolen Passwords, Demands Bitcoins

Attackers Send a Leaked Password as 'Proof' Victim Was Hacked
Sextortion Scam Wields Stolen Passwords, Demands Bitcoins
Excerpt from ongoing sextortion campaign's shakedown note (Source: Barracuda Networks)

Scammers behind "sextortion" campaigns often email individuals with fake threats in an attempt to trick them into giving attackers bitcoins.

See Also: Breaking Free from VPN Limitations: Simplifying Remote Access Security

In recent months, one sextortion campaign has been adding a twist: The blackmailers claim to have stolen a video of the email recipient watching porn, via a remote access Trojan attack. As supposed proof, the attacker will include one of the email recipient's passwords, saying it was stolen via the same RAT attack. And unless the recipient pays up, the attacker threatens to email the video to everyone on the victim's - also stolen - email contact list.

So says Barracuda Networks, which has been tracking this attack campaign since July. Since September, it has counted in the wild more than 24,000 emails sent from the same group of sender email addresses, including 1,000 examples in just the past few days.

No New Passwords Harmed by Attackers

"The attacker does have a legitimate password, but this was obtained most likely from the Anti Public Combo List - a list of more than 500 million leaked passwords revealed through a number of breaches, which was made available back in 2016 - rather than from malware on the user's computer," Jonathan Tanner, a software engineer at Barracuda Networks, says in a blog post published on Wednesday.

The bad news, of course, is that these types of social engineering attacks - aka trickery - still snare at least some victims, or else why would scammers bother?

Onoing Sextortion attack campaign's shakedown note (Source: Barracuda Networks)

So far, Barracuda reports that it's only seen four transfers get made to the approximately 1,000 different bitcoin wallets referenced by attackers, to which the would-be victims are meant to transfer their payments.

Attacks Remain Cheap, Easy, Scary

Four payments might not sound like much. But it's still a payday for someone.

"With blackmail amounts at anywhere from $1,000 to $7,000, it's easy to see why this campaign is popular, especially given that the overhead is so low," Tanner says. "The cybercriminals simply need to send emails to addresses on publicly available lists. It's also possible the attack was more effective early on, before articles confirming it was just a scam started to surface."

Based on the emails intercepted by Barracuda (and the campaign may be more widespread than it was able to see), the campaign has been targeting users in 15 countries: Australia, Belgium, Canada, China, Czech Republic, Spain, Guatemala, Hungary, Ireland, Iceland, Japan, Sri Lanka, the Netherlands, the United Kingdom and the United States.

The campaign has also been promulgated in German and Spanish, although Tanner says only the English-language emails include a legitimate password tied to the email recipient's address. "It seems campaigns in other languages use spam lists rather than the password list that the English version uses," he says.

Toolbox: Psychological Levers

Online scams often look a lot like offline ones in that they attempt to rapidly compel victims into paying a fraudster.

But many criminals continue to prey on victims online through simple social engineering techniques. And such trickery can prove to be quite difficult to resist.

Indeed, when explaining the difficulty of countering social engineering attacks - and ease of hacking the "human operating system" - Raj Samani, chief scientist at security firm McAfee, has referenced the work of psychologist Robert Cialdini, who said there are six psychological levers that can be used to appeal to people's subconscious. These levers include appeals to reciprocation - people are naturally inclined to repay perceived favors - as well as exploiting people's tendency to comply with requests that appear to come from an authority figure. That's why criminals sometimes add an FBI logo to their shakedown attempts (see: Crime: Why So Much Is Cyber-Enabled).

In the case of the sextortion campaign analyzed by Barracuda, add in the psychologically compelling double whammy of leaked passwords and the supposed video of the recipient viewing online pornography.

"Providing something that is intended to be secret - i.e. the user's password - not only causes worry or fear, but it also may cause them to assume that claims to know other information intended to be secret - i.e. their 'internet browsing habits' - are also legitimate," Barracuda's Tanner says. "The contradiction that porn is both widely popular yet taboo in many areas certainly increases the potential of success for this campaign as well."

Reveton Tactic Redux

Such scams are nothing new. In 2012, for example, the FBI's Internet Crime Complaint Center - IC3 - warned that a strain of ransomware called Reveton was freezing PCs and posting a warning, badged with the FBI or Department of Homeland Security logo, saying they'd accessed "prohibited pornographic content." The PC lockscreen included a "pay MoneyPak" code-entry box so victims could unlock their systems.

A 2012 example of Reveton screen-locking ransomware's FBI-badged shakedown attempt (Source: ESET)

At the time, attackers used MoneyPak, which bills itself as being the world's largest prepaid debit card company, to receive funds from victims, which they could load onto a debit card for money mules to withdraw (see: Researcher: Cryptolocker Not Dead Yet).

Since then, online extortionists have largely switched to virtual currencies and demanded payoffs in bitcoin, dash or other cryptocurrencies.

But many of their tactics remain the same.

One mitigating factor in this ongoing sextortion scam, however, is that the attackers' emails are beset by poor grammar, Tanner notes, "which is a common sign of any phishing-based scam," provided the recipient spots it of course. In addition, the password list is somewhat outdated, meaning it's possible the user will have changed it. Attackers are also "relying on a gamble that the user has, in fact, been to a porn site recently," he says.

Then again, attackers don't need to snare every victim. And even if the victim has never visited such a site, merely the threat of their having done so might be sufficient to get them to pay off their attacker.

As with so many things "cyber," the only thing that's internet-enabled about this particular crime is that it arrives via email, and drops an old, leaked password tied to the recipient's email address.

Everything else is down to age-old psychological manipulation.

Sanity Check

This sextortion attack campaign is a reminder to practice good cybersecurity hygiene, Tanner notes. Start here:

  • Track breaches: Register your email address at Have I Been Pwned to get alerts when public dumps of passwords appear, thus allowing you to change it at the affected site.
  • Use password managers: Always use a password manager to generate long and strong passwords and use a unique one for every different site you use. Some password managers tie into Have I Been Pwned to automatically notify you when a new breach has come to light and you should change your password.
  • Cover up: Cover the webcam on your laptop or PC.
  • Stop and search: Never react out of fear, especially before running a web search. "Doing web searches for key phrases in suspect emails may help to verify that a scam is taking place or at least increase awareness of the attack," Tanner says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.