What is sextortion?
Sextortion starts with an email. The emails mislead victims into thinking the attacker owns a recording of their screen and camera and that recording contains images or videos of the potential victim in sexually explicit situations. The attackers use this claim of a recording to blackmail the victim into paying the attacker.
Threatens
The attacker threatens to send the recording to the victim’s contacts, friends, and family if they don’t comply. The attacker doesn’t own any recordings and just uses social engineering techniques to try to scare and shame the potential victim into paying.
How does sextortion work?
Sextortion relies on people’s willingness to pay money in order to keep damaging secrets quiet. In a potential victim’s view, this kind of attack is a sudden threat to his or her reputation. A potential victim can think of the consequences in the Jeffrey Toobin case, for example, and see the risk of private moments being exposed to the public. The attackers prey on this fear and apply other social engineering techniques – such as limiting the time period for paying – to create the illusion that the user’s machine has been hacked. They might also list the actions they will take to harm the victim if the victim does not pay.
An Example
Below is one example of a sextortion email. The attacker first claims to have knowledge of the potential victim visiting adult websites – an immediate attempt to make the potential victim feel guilt or shame. The attacker claims to have complete control of the potential victim’s system and to have used that control to take or falsely create a sexually explicit video of the potential victim, asserting their control in the situation. The attacker then says that as part of that control, they can send this compromising video to the potential victim’s contacts. Finally, the attacker makes the extortion pitch, telling the potential victim they can “make it go away” by paying $1,350 in Bitcoin. The attacker adds the social engineering tactic of time pressure, saying the potential victim only has 48 hours to pay the money.
No way to be sure
An important thing to note is that there’s no way to be sure that the attacker’s claims are true. In fact, very often the attackers behind these threats are bluffing and there is no actual video.
This is a generic example of a sextortion email, but attackers commonly tailor their spam campaigns to current trends and events.
We’ve tracked a variety of different sextortion campaigns in the last two months, but two types stood out as the most common. One is a series of campaigns abusing the ubiquity of Zoom during lockdowns. The other is a series of campaigns that falsely claim to have installed a Trojan on the potential victim’s system.
Zoom campaigns
The most prevalent campaign we observed took advantage of increased use of Zoom during the COVID-19 pandemic. There was an uptick during the 2020 holiday season. Attackers claim that they’ve taken advantage of critical vulnerabilities in the Zoom application, allowing them access to a user’s device and camera. But to be clear, we haven’t found any actual vulnerabilities in Zoom – the attackers are lying.
Attackers use social engineering techniques to get victims to pay up. The rest of the email is a typical extortion email, where attackers use phrases such as “the recorded sexual act”, “access to sensitive information”, and “terrible reputation damage” and offer up payment as a way out.
A distinctive feature
A distinctive feature of this type of campaign is that the emails appear to be sent from the user’s own email address to themselves. This is another social engineering technique, aiming to make it look like the attacker really does have control of the user’s system. In reality, the “from” header has been forged, and closer analysis of the message headers reveals the real address of the sender.
Trojan campaigns
The second prevalent campaign utilises the threat of Trojan malware. The potential victim receives an email in which the attackers claim a Trojan was installed on their machine a few months earlier. The attackers also claim that this “Trojan” recorded all of the potential victim’s actions through the microphone and webcam and exfiltrated all data from the device, including chats, social media, and contacts. They then move to the usual extortion scenario: a ransom demand in cryptocurrency. Finally, the attackers mention a fake “timer” that supposedly started when the email was received, in order to set a ransom deadline.
Threats are all fake
Just like Zoom campaigns, these threats are all fake. There are no undetectable Trojans, nothing is recorded, and attackers do not have your data. The timer included in the email is another social engineering technique used to pressure victims into paying.
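The two things this article says give these emails away, the forged self-addressed “from” header of the Zoom campaigns and the payment-plus-deadline pitch shared by the Zoom and Trojan variants, can both be checked mechanically at the mail gateway or by a help desk handling a worried user’s report. The script below is an added example written for this page; it is not code from the original article or from any product the article describes. Both messages it parses are constructed samples using documentation domains and IPs, the Bitcoin address is made up (the regex matches the address shape only, without a checksum), and the indicator names and scoring thresholds are the example’s own choices, not an established standard.

```python
"""Triage of a suspected sextortion email (added example, not from the article).
Header checks look for the self-addressed From and failed sender authentication;
body checks look for the crypto payment demand, deadline and control claims."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the displayed From is forged to equal To, while the
# envelope sender, authentication results and originating host disagree.
SCAM = """\
Return-Path: <bounce@mailer.example.net>
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id abc123
\tfor <alice@example.org>; Tue, 5 Jan 2021 10:00:00 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.example.net with SMTP id xyz789; Tue, 5 Jan 2021 09:59:58 +0000
Authentication-Results: mx.example.org;
\tspf=fail smtp.mailfrom=mailer.example.net;
\tdkim=none;
\tdmarc=fail header.from=example.org
From: alice@example.org
To: alice@example.org
Subject: Your account was hacked
Content-Type: text/plain; charset=utf-8

I installed a Trojan on your device and recorded you through the webcam.
Pay 0.05 BTC to 1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab within 48 hours
or the video goes to all your contacts.
"""

# Constructed control: a genuine note-to-self that also has From == To.
BENIGN = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id def456; Tue, 5 Jan 2021 11:00:00 +0000
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass; dmarc=pass
From: alice@example.org
To: alice@example.org
Subject: note to self
Content-Type: text/plain; charset=utf-8

Remember to renew the camera insurance within 30 days.
"""

# Syntactic Bitcoin address shapes only (legacy/P2SH and bech32); no checksum.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEADLINE_RE = re.compile(r"\b(\d{1,3})\s*(hours?|hrs?|days?)\b", re.I)
CLAIM_TERMS = ("trojan", "webcam", "camera", "recorded", "hacked", "zoom")


def header_findings(msg):
    """Indicators that the displayed sender is not who actually sent the mail."""
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addrs = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    if from_addr and from_addr in to_addrs:
        findings.append("from_equals_to")
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    if return_path and return_path.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        findings.append("return_path_domain_mismatch")
    # Folded Authentication-Results headers are joined; anything but "pass" is noted.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}_{m.group(1)}")
    return findings


def originating_ip(msg):
    """Each hop prepends a Received header, so the last one is closest to the sender."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else None
    return m.group(1) if m else None


def body_findings(msg):
    """Payment demand, deadline and 'I control your device' claims in the text."""
    text = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    findings = {}
    if (m := BTC_RE.search(text)):
        findings["btc_address"] = m.group(0)
    if (m := DEADLINE_RE.search(text)):
        findings["deadline"] = f"{m.group(1)} {m.group(2).lower()}"
    hits = sorted(t for t in CLAIM_TERMS if t in text.lower())
    if hits:
        findings["claim_terms"] = hits
    return findings


def triage(raw):
    """Combine header and body indicators into a verdict (thresholds are illustrative)."""
    msg = message_from_string(raw)
    headers, body = header_findings(msg), body_findings(msg)
    auth_failed = any(h.endswith("_fail") for h in headers)
    if "btc_address" in body and ("from_equals_to" in headers or auth_failed):
        verdict = "likely_sextortion"
    elif "btc_address" in body or auth_failed:
        verdict = "suspicious"
    else:
        verdict = "no_strong_indicators"
    return {"headers": headers, "origin_ip": originating_ip(msg),
            "body": body, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM), ("benign", BENIGN)):
        print(name, triage(raw))
```

The control message matters: a self-addressed From on its own is normal (people do email themselves), so the verdict only turns on the combination of a forged-looking header chain (SPF/DMARC failure, envelope sender on another domain) with a cryptocurrency payment demand. The originating IP pulled from the earliest Received line is what “closer analysis reveals the real address of the sender” looks like in practice, and is the value a defender would feed into their mail-gateway block list or abuse report.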