Between The Hacks


Breachstortion

Sextortion and other “I know your password” scams have been a favorite phishing attack method for years. This week, the Sophos Naked Security blog revealed how some attackers have changed tactics by creating a similar email extortion campaign that Naked Security is calling ‘breachstortion.’

What Is Breachstortion?

A breachstortion attack consists of a malicious email which claims that the sender has breached the victim’s website or company network, copied data from their databases and moved that data to an offshore server. The email then threatens to post the data publicly unless the victim pays the ransom.

Unlike sextortion, a breachstortion email does not show the victim one of his or her passwords as a way to "prove" that the attacker has access to the victim's computer (in sextortion, that password is usually lifted from an old, publicly circulated breach dump rather than from the victim's machine). In fact, the email contains no evidence at all that the attacker has breached anything.

SophosLabs reports that it has received numerous samples over the past two months. All of them give the victim only five days to pay a ransom of $1,500 to $2,000 to a Bitcoin address included in the email.
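The indicators above (a Bitcoin address, a dollar amount, a deadline measured in days, and breach-and-leak language) are enough to triage such messages automatically. The following Python script is an added example, not code from Sophos or from this blog: it validates any Bitcoin address in a message body with the Base58Check checksum (so a garbage string that merely looks like an address scores lower than a payable one), then scores the body against the other indicators. The function names `triage` and `b58check_valid`, the regular expressions, the scoring thresholds and the two sample messages are all this example's own; only legacy (1.../3...) addresses are checked, since bech32 (bc1...) addresses use a different checksum.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses: no 0, O, I or l.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check-encode version byte + 20-byte hash (used here only to build a fixture)."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 are the double-SHA256 checksum of the first 21."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Indicators drawn from the campaign as described above. Patterns are this example's own.
BTC_LEGACY = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
MONEY = re.compile(r"\$\s?\d[\d,]*|\b\d{3,5}\s?(?:USD|dollars)\b", re.I)
DEADLINE = re.compile(r"\b(?:\d{1,2}|one|two|three|four|five|seven)\s+(?:days?|hours?)\b", re.I)
BREACH_WORDS = ("breach", "hacked", "database", "offshore server", "leak", "publish", "dump")


def triage(text: str) -> dict:
    """Score one message body and return the score, a verdict and the evidence behind it."""
    score, reasons = 0, []
    candidates = BTC_LEGACY.findall(text)
    valid = [a for a in candidates if b58check_valid(a)]
    if valid:
        score += 3
        reasons.append("payable bitcoin address")
    elif candidates:
        score += 1
        reasons.append("bitcoin-looking string with bad checksum")
    if MONEY.search(text):
        score += 1
        reasons.append("ransom amount")
    if DEADLINE.search(text):
        score += 1
        reasons.append("payment deadline")
    hits = [w for w in BREACH_WORDS if w in text.lower()]
    if hits:
        score += min(len(hits), 2)
        reasons.append("breach language: " + ", ".join(hits))
    verdict = "likely breachstortion" if score >= 5 else "suspicious" if score >= 3 else "clean"
    return {"score": score, "verdict": verdict, "addresses": valid, "reasons": reasons}


# Constructed sample messages (not real samples). The address is generated above, so it
# passes the checksum but corresponds to a hash chosen here rather than to any real key.
FAKE_ADDR = b58check_encode(b"\x00" + b"\x42" * 20)
SAMPLES = {
    "extortion": (
        "We have breached your company network and copied your databases to an "
        f"offshore server. Send 1800 USD in bitcoin to {FAKE_ADDR} within 5 days "
        "or the data will be published."
    ),
    "benign": "Reminder: the Q3 planning meeting moves to Thursday at 10am. Agenda attached.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

Feeding every mailbox's inbound mail through a scorer like this, and collecting the valid addresses it extracts, gives a security team the campaign-wide view that the first tip in the list below asks for: the same address or the same deadline wording across many recipients is what marks a mass campaign.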

How Did Attackers Get Your Data?

Much like in a sextortion attack, the attackers do not have any data; they rely on the victim's fear to prompt payment even though no evidence of a breach is offered. When attackers really do hold stolen data, they typically post a small sample of it online to prove possession, but that has not been the case in any of the breachstortion emails Sophos has analyzed to date.

Example of A Breachstortion Attack

As you can see in the example below, this breachstortion email is short and to the point. It conveys a sense of urgency and preys on the fears of the victim to entice them to pay.

What Can Breachstortion Victims Do?

If you find a breachstortion email in your inbox, don't panic. As explained above, the threat is empty, but the tips below may still help.

  1. If this was received at a business email address, let your cybersecurity team know that you received the threatening email. There could be a company-wide campaign happening that they can stop if they know about it and they can use that email to help educate employees.

  2. Be very skeptical about incoming email. Read the following phishing blog to learn more on how to identify phishing attacks.

  3. Be wary of short URLs (e.g. bit.ly). Malicious links are often circulated through social media as short URLs because the shortener hides the real destination. Check a short URL with a tool like checkshorturl.com to preview the real address before clicking.

  4. Be aware of doppelgänger domains, which are domain names that look like a valid, trusted domain: for example goog1e.com, where the digit 1 stands in for the letter l. If you don't look closely at URLs sent in email, you could easily overlook this.

  5. Don’t pay! If you do pay, will you pay again in a month or six months if they come back with more demands? Digital data can be copied endless times and these criminals play outside of the rules and laws.