Over a hundred people have recently contacted Action Fraud, the UK’s national cybercrime reporting center, about a particular targeted-extortion campaign that appears to be a growing threat.
The attackers contact their targets through email, claiming that they have video footage of their victim watching what I’ll delicately describe as ‘adult entertainment’ content. Most of the devices that people use to watch that sort of content online are either smartphones or tablets with front-facing cameras, or laptops with webcams. So, a lot of the targets might assume that the basis of the attackers’ extortion attempt is valid.
Combine that with the attackers’ claims of having acquired one of the targets’ passwords through malware exfiltration, then displaying that password in plaintext in the body of the email, and you’ve got a very convincing social engineering strategy.
The attackers then threaten to distribute the personally compromising footage to the targets’ friends, family, and coworkers through Facebook, Facebook Messenger, and email if the victim doesn’t fork over $2900 worth of bitcoin within one day.
Here’s an example of the emails that the targets have received (edited for appropriateness):
I'm aware, XXXXXX is your password. You don't know me and you're probably thinking why you are getting this mail, right?
Well, I actually placed a malware on the <adult content> website and guess what, you visited this website to experience fun (you know what I mean). While you were watching video clips, your internet browser started out working as a RDP (Remote Desktop) with a key logger which gave me access to your display screen as well as web camera. Just after that, my software program gathered every one of your contacts from your Messenger, Facebook, and email.
The extortion message goes on to instruct targets how to make payment under threat of exposure.
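As an added illustration (not code from the article or from Action Fraud), here is a small Python scorer of the kind a mail-security team could run over inbound messages to flag the pattern described above: a quoted password offered as proof, malware and webcam claims, a cryptocurrency demand and a short deadline. The sample messages are constructed: the scam sample reuses the wording quoted above plus an assumed payment line, and the benign sample is an invented IT notice that also mentions passwords. The indicator phrasings, weights and threshold are my assumptions and would need tuning against real traffic.

```python
import re
from typing import NamedTuple

# Constructed sample messages. SCAM_EMAIL is assembled from the message the
# article quotes, plus an assumed payment line in the style the article
# describes; BENIGN_EMAIL is an invented IT notice that also mentions passwords.
SCAM_EMAIL = (
    "I'm aware, XXXXXX is your password. You don't know me and you're probably "
    "thinking why you are getting this mail, right?\n"
    "Well, I actually placed a malware on the <adult content> website and guess "
    "what, you visited this website. While you were watching video clips, your "
    "internet browser started out working as a RDP (Remote Desktop) with a key "
    "logger which gave me access to your display screen as well as web camera. "
    "Just after that, my software program gathered every one of your contacts "
    "from your Messenger, Facebook, and email.\n"
    "Send $2900 in bitcoin within one day or the video goes to every contact."
)

BENIGN_EMAIL = (
    "Reminder from IT: your password will expire in 24 hours. Please change it "
    "through the company portal before then."
)

# Each indicator is (name, pattern, weight). Patterns and weights are my own
# assumptions based on the wording quoted in the article; tune them to real mail.
INDICATORS = [
    ("password_disclosure", re.compile(r"\S+ is your password\b", re.I), 3),
    ("malware_claim", re.compile(r"\b(malware|key ?logger|rdp|remote desktop)\b", re.I), 2),
    ("webcam_claim", re.compile(r"\b(web ?cam(?:era)?|display screen)\b", re.I), 2),
    ("contacts_claim", re.compile(r"\b(contacts|messenger|facebook)\b", re.I), 1),
    ("crypto_payment", re.compile(r"\b(bitcoin|btc)\b", re.I), 2),
    ("deadline", re.compile(r"\b(one day|24 ?hours|within \d+ (?:hours|days))\b", re.I), 1),
]

# Assumed cut-off: several independent indicators must co-occur before a
# message is flagged, so a lone "your password" reminder does not trip it.
FLAG_THRESHOLD = 6


class Verdict(NamedTuple):
    score: int
    matched: tuple  # names of the indicators that fired, in INDICATORS order
    flagged: bool


def score_email(body: str) -> Verdict:
    """Weighted indicator match over the message body.

    Each indicator counts once no matter how many times it matches, so a
    long message cannot inflate its score through repetition.
    """
    matched = tuple(name for name, pattern, _ in INDICATORS if pattern.search(body))
    score = sum(weight for name, _, weight in INDICATORS if name in matched)
    return Verdict(score, matched, score >= FLAG_THRESHOLD)


PASSWORD_CLAIM = re.compile(r"(\S+) is your password", re.I)


def extract_claimed_password(body: str):
    """Return the credential the sender quotes as "proof", or None.

    A responder can use this to check whether the quoted value is still a
    live password for the recipient and force a reset if it is; as the
    article notes, the value usually comes from an older third-party breach.
    """
    m = PASSWORD_CLAIM.search(body)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, body in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        verdict = score_email(body)
        print(label, verdict.score, verdict.flagged, verdict.matched)
        print("  quoted password:", extract_claimed_password(body))
```

The scam sample fires all six indicators and is flagged; the IT reminder only trips the deadline indicator and passes. Because the quoted password is extracted separately, the triage workflow can confirm whether the recipient still uses it and reset it, without anyone having to believe the rest of the message.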
The passwords that the attackers have sent their targets are legitimate passwords the target really uses. That would alarm the targets, and people often behave foolishly out of fear.
But Action Fraud believes that it’s unlikely that the attackers actually have footage of their targets watching adult content. As far as the passwords are concerned, the attackers likely acquired them through data breaches conducted by other cyber attackers, not from adult content website malware, as they assert in their email.
Action Fraud discovered that nearly all of the targets have been subject to data breaches that have been reported by Have I Been Pwned. Have I Been Pwned and its founder Troy Hunt publicize data breaches in a responsible manner. They don’t share the passwords; they only share whether or not accounts tied to a specific email address are known to have appeared in data breaches. Users of the service enter an email address in its web form, and information is only given about one email address at a time. There’s no way to access sensitive information that cyber attackers can exploit through Hunt’s service.
Databases full of passwords acquired through data breaches are often sold on the Dark Web. That’s the most probable way that the extorting cyber attackers acquired their targets’ real passwords.
Back in June, Action Fraud reported on a similar cyber attack campaign, but using the threat of WannaCry infection rather than humiliating video footage.
“Action Fraud has received almost 300 reports in the past two days about fake WannaCry emails that demand payment from victims in Bitcoins. The WannaCry emails are designed to cause panic and trick you into believing that your computer is infected with WannaCry ransomware. In reality the emails are just a phishing exercise to try and extort money.”
This is a fascinating tactic: piggybacking onto a famous ransomware attack to try to profit from new ransoms - very clever. If there are many copycats in the future, ransomware infamy could drive other attackers to claim that they’re using the particular ransomware strain in order to acquire ransoms of their own.
Action Fraud advises cyber extortion targets to not pay the ransom, to avoid contacting the attackers, to update their antivirus software and operating systems, and to report incidents to them through the Action Fraud website.
It’s worth remembering that if an attacker has one of your passwords, it doesn’t necessarily mean that the attacker acquired it in the way that they claim. And they may not have the other sensitive data that they say they have either.
It’s also a good idea to regularly check Have I Been Pwned to see if you’ve been subject to a data breach. If so, change the password you use for the breached account immediately and be sure to also check that the account/password recovery information has not been altered by the attackers.