Between The Hacks

Sextortion Revisited

Sextortion is extortion over something sexual. It can take many forms and has been a problem for years. Typically we hear about sextortion as an attacker demanding money from a victim and threatening otherwise to send a nude photo of the victim to everyone in their contact list or post it on the Internet. Earlier this year, we saw a new form of sextortion surface that targets people whose online accounts have been compromised.

Lately I have been approached by a handful of friends and colleagues who have received an email claiming that a malicious hacker installed malware on their computer through a porn site. The email shows one of the recipient’s passwords and explains that the hacker has access to the recipient’s webcam and has a log of all of their keystrokes. The hacker then gives the recipient two choices:

  1. Ignore the email, and a video of the recipient visiting the porn site will be sent to all of the recipient’s contacts.

  2. Or, pay a ransom in bitcoin, and the hacker will delete the video.

This is a continuation of an email scam that has been a popular phishing attack in 2018. As cybersecurity reporter Brian Krebs blogged back in July, “Here’s a clever new twist on an old email scam that could serve to make the con far more believable.”

If you happen to receive one of these emails, don’t panic. This is a scam.

How Did Attackers Get a Valid Password?

At a high level, the attacker is using old lists of known usernames and passwords that were harvested from data breaches like LinkedIn, Adobe, etc. and posted, shared and sold on the dark web. In some cases this data has been floating around the Internet for years. But because many people reuse passwords, the old password quoted in the email may still be in use on some sites. There is a more in-depth description at the end of this blog for anyone who is interested.

What Can Sextortion Victims Do?

If you receive an email like this, there are some things you can and should do. Below is a list of those recommended actions:

1. If this is a business email address, let your cybersecurity team know that you received the threatening email. There could be a company-wide campaign happening that they can stop if they know about it, and they can help educate employees.

2. Visit https://haveibeenpwned.com/. This is hosted by a respected cybersecurity professional named Troy Hunt. Make sure you put all of your work and personal email addresses in there and subscribe to get updates. If your email address is ever found in a data breach, you will be alerted. They won’t have every data breach, but if a large number of usernames/passwords is posted to the dark web, the site will likely add that list and email you if your username/password has been part of that data breach.

3. Use two-factor authentication (2FA) or multi-factor authentication (MFA) everywhere possible!

4. Use a password manager. This will allow you to make great passwords (20+ characters) that are unique for every website. AND, you won’t need to remember any of them!

5. NEVER reuse passwords, and if you have reused passwords, take time to change them now, before it’s too late. Threat actors buy up those username/password lists and start trying to log in with the same username and password on other sites, like Twitter, Facebook, Spotify, etc.

6. If you are alerted that a password has been compromised, change it immediately and see #3.

7. Be very skeptical about incoming email. Read the following phishing blog to learn more about how to identify phishing attacks.

8. Be wary of short URLs. Malicious links are sometimes sent through social media hidden in them. Check short URLs with a tool like checkshorturl.com to preview the real address before clicking.

9. Be aware of doppelgänger domains, which are domain names that look like a valid, trusted domain, such as goog1e.com. If you don’t look closely at URLs sent in email, you could easily overlook this.
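As an added example (not code from the original post), here is a small Python check of the kind a mail filter or a cautious reader could apply to item 9: it collapses visually confusable characters to one canonical form and reports whether a URL’s domain is a trusted domain, a lookalike of one, or neither. The allowlist of trusted domains is a constructed assumption for the demo; Unicode/IDN homographs (punycode “xn--” names) are not covered.

```python
from urllib.parse import urlparse

# Constructed sample allowlist of domains the organisation trusts (assumption for this demo).
TRUSTED_DOMAINS = {"google.com", "linkedin.com", "paypal.com"}

# Map each visually confusable character (or pair) to one canonical representative,
# so "goog1e", "googIe" and "google" all collapse to the same string.
# Two-character keys are applied first so "rn" becomes "m" before "n" is examined.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s",
}

def canonical(domain: str) -> str:
    d = domain.lower().strip(".")
    for bad, good in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(bad, good)
    return d

def registrable(host: str) -> str:
    # Crude: keep the last two labels; enough for the .com-style domains used here,
    # not for multi-label suffixes such as .co.uk (a public-suffix list would fix that).
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain inside a URL."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if canonical(dom) in {canonical(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"   # e.g. goog1e.com, paypa1.com, linkedln.com
    return "unknown"

if __name__ == "__main__":
    for u in ("https://www.google.com/", "https://www.goog1e.com/login",
              "http://linkedln.com/", "https://example.org/"):
        print(f"{u:35} -> {classify_url(u)}")
```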

Overview of a Sextortion Attack

As promised above, here is a more in-depth overview of the attack and an example.

In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site four years later. The majority of passwords were not well protected and were quickly cracked in the days following the release of the data.

Most people probably forgot about this or vaguely remember this event, but the long list of millions of email addresses and passwords still exists. While most of those accounts have changed their passwords, this group of attackers thought of a clever new way to monetize an old list.

Below is an explanation of how the attackers probably created this attack with little investment of time and money.

Step 1: Getting the List

Getting a list of compromised usernames and passwords isn’t very difficult, especially a list that is over two years old. While it may take some time to find them, links to the data have been available online for years, especially if you know where to look.

Step 2: Create a Bitcoin Wallet

This is an easy step. I won’t go through the details of how to create a bitcoin wallet, just know that this is an important part because it allows the attacker to collect money that is very difficult to trace back to them.

Step 3: Automated Phishing E-mail

I assume they automated this phishing attack using a script or other automated program. The script would take each email address from the list, put it in the To: field of an email, then take the associated password and place it in the body of the email. Using this method, the attackers could quickly send out large volumes of emails. I share this so that you understand that the message was likely not written specifically for the recipient.

For our example, let’s assume that one of the LinkedIn accounts was for the following email address: example2018@yahoo.com and the password for this account is: Fido7a.m.walk

The script would send an email to example2018@yahoo.com, containing the password from the LinkedIn list, that looks like the one below. There is a lot of broken English in this example, which is typical of many phishing campaigns, especially when they are threatening the recipient rather than trying to trick them into sharing sensitive data or running code on their computer.

Example sextortion email
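As an added example (not code from the original post), here is a small Python triage check a mail-security team could run over such a message: it counts the scam narrative’s tell-tale elements (quoted password, webcam/keylogger claim, porn-site claim, bitcoin demand, deadline, threat to contacts, Bitcoin-address shape) and extracts the quoted password so the recipient can be told exactly which credential to rotate. The sample email, the benign email and the Bitcoin-address placeholder are constructed for the demo, and the detection threshold is an assumption to tune against your own mail.

```python
import re

# Constructed sample modelled on the message described in the post; not a real email.
SAMPLE_EMAIL = """Subject: example2018@yahoo.com - Fido7a.m.walk

I know your password is Fido7a.m.walk. I installed malware on porn website and
your webcam recorded video. I have keylogger and all your contacts.
Send 800 USD in bitcoin to wallet 1FakeBtcAddressForDemoPurposes1234
within 24 hours or the video will be sent to all your contacts.
"""

# Constructed benign message used to show the check does not fire on ordinary mail.
BENIGN_EMAIL = "Subject: agenda\n\nPlease confirm your contacts list is up to date by Friday."

# Each indicator is one element of the scam narrative; no single one is conclusive.
INDICATORS = {
    "password_disclosed": re.compile(r"\bpassword\b", re.I),
    "surveillance_claim": re.compile(r"\b(webcam|camera|keylogger|keystrokes)\b", re.I),
    "porn_site_claim":    re.compile(r"\b(porn|adult)\b", re.I),
    "bitcoin_demand":     re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline":           re.compile(r"\b\d+\s*(hours?|days?)\b", re.I),
    "contacts_threat":    re.compile(r"\bcontacts?\b", re.I),
}
# Shape of a Bitcoin address (legacy/P2SH base58 or bech32); a presence signal only.
BTC_ADDRESS = re.compile(r"\b([13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
# "your password is <value>" as the scammer phrases it; the value stops at a sentence end.
PASSWORD_CLAIM = re.compile(r"password\s+is\s+(\S+?)[.,;]?(?=\s|$)", re.I)

def indicators_hit(text: str) -> list:
    """Names of every indicator present in the message text."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if BTC_ADDRESS.search(text):
        hits.append("btc_address")
    return hits

def is_sextortion(text: str, threshold: int = 4) -> bool:
    """Flag when enough independent indicators co-occur (threshold is a tunable assumption)."""
    return len(indicators_hit(text)) >= threshold

def leaked_password(text: str):
    """Pull out the credential the scammer quotes so the user knows what to rotate."""
    m = PASSWORD_CLAIM.search(text)
    return m.group(1) if m else None

if __name__ == "__main__":
    print("scam?", is_sextortion(SAMPLE_EMAIL), indicators_hit(SAMPLE_EMAIL))
    print("rotate:", leaked_password(SAMPLE_EMAIL))
    print("benign flagged?", is_sextortion(BENIGN_EMAIL))
```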

Lessons Learned: Check Email Closely

In summary, we must be vigilant about checking email closely. According to a 2017 report, 90% to 95% of all cyberattacks start with a phishing email. With phishing being such a large attack vector, we have to keep learning how to identify the attacks that get past our spam filters.