Social Engineering, Photos and Extortion

Warning: Some of the terminology in this article may be considered distasteful by some readers, but the intention is to educate on an important issue, not to cause any offense. If you feel that you may be offended by the terminology discussed in this article, please stop reading now.

Social Engineering: E-Whoring and Sextortion

The world we live in today is an interesting one; threat vectors are ever-expanding and becoming more complicated and dangerous. The topics of Sextortion and E-Whoring probably don't come up as a potential issue for a company's security, but that assumption couldn't be further from the truth.

What is E-Whoring?

E-Whoring is the act of pretending to be someone you are not, using various lewd images (most likely stolen through a data theft campaign) to coax the target into purchasing or joining a service, or into exchanging photos.

What is Sextortion?

Sextortion is the act of threatening to distribute someone's private or sensitive material unless they provide you something in return.

How are these two connected?

Typically, threat actors will leverage image packs (a package of lewd photographs/videos) to start their E-Whoring campaign. These image packs are usually the byproduct of another data theft campaign, in which the threat actor either hacked into a cellphone's photo library or broke into someone's computer.

From there, the threat actor has a few choices to make. One, hold these images hostage from the person who owned them. Two, reach out to random people via various social media outlets to coax them into joining a paid-for service to see more. Three, use these images to trick another person into exchanging their own private photos, and then hold those hostage. Four, all of the above.

That seems to affect only one or two people; how could this harm my company?

Given the very targeted nature of these social engineering methods, threat actors could, and would, target high-ranking members of a company and then extort them for company resources (funds, employee data, and intellectual property).

How can we protect the employees/company from this sort of attack?

First, talk to employees and let them know these acts exist. You already send out simulated phishing emails as part of awareness training, so just add this to the list of items to discuss.

Second, create a plan. The plan should center on supporting employees who fall victim to these sorts of attacks and on providing them with a clear way to get help. That plan should include the contact information for the FBI.

Wait, isn't there some product I can buy to just protect everyone in my company from this sort of campaign?

Sadly, no. Your best, and only, option here is training. Awareness is the key to success.