So-called “sextortion” attacks are a growing threat, replacing other e-mail borne threats like spam, ransomware and business e-mail compromise attacks as they increase in sophistication and scope, a new report finds.
A report released Thursday by Barracuda Networks that analyzed spear-phishing attacks targeting Barracuda customers found that 1 in 10 were blackmail or sextortion attacks. In fact, employees were twice as likely to be targeted in a sextortion scam than a business e-mail compromise attack, researchers found.
“The fact that they make up more than one tenth of the targeted attacks was truly surprising to us,” Asaf Cidon, vice president of content security at Barracuda, told Security Ledger. “A year ago this scam didn’t exist, and it’s not one of the most common attacks, and is probably one of the most successful ones; otherwise, the attackers wouldn’t be investing significant resources in the strategy.”
Sextortion scams are a new type of email threat that use claims that attackers have personal information about sexual misconduct and will reveal it in a way that harms the victim unless they pay ransom fees, often in the thousands.
Specifically, bad actors leverage usernames and passwords stolen in data breaches, using the information to contact and try to trick victims into giving them money, according to Barracuda researchers. The scammers claim to have a compromising video, allegedly recorded on the victims’ computers, and threaten to share it with all of their contacts if they don’t pay.
In the scams, attackers use a harvested email address and password to :prey on a victim’s fears in a threatening email,” researchers wrote in the report released by Barracuda Thursday. “Often, attackers spoof their victim’s email address, pretending to have access to it, to make the attack even more convincing. Bitcoin is the form of payment typically demanded, with wallet details included in the message.”
Sextortion displacing ransomware
The report builds on research the firm revealed in collaboration with Cisco Talos Intelligence Group last October highlighting the emergence of sextortion campaigns and their employment of new methods used by attackers to extort money from potential victims.
In the latest report, researchers shed new light on common threads identified throughout these types of attacks, which are especially dangerous and hard to track because the embarrassing nature of the subject matter tends to discourage victims from reporting them, researchers said.
Those crafting sextortion attacks also are adapting the emails to bypass email gateways and spam filters, which also makes them difficult to catch by security administrators, according to the report. This also is contributing to their replacement of other more traditional-styled email attacks, which filters are designed to identify, Cidon said.
“‘Classic’ spam and even ransomware seem to be on the decline,” he acknowledged. “In particular, we are seeing that ransomware is becoming a much less effective attack, since most organizations apply relatively effective sandboxing and/or email backup solutions, which are effective at preventing and remediating attacks.”
Anatomy of attacks
Password references and threats are common themes of the sextortion attacks researchers are seeing, researchers revealed in the report. Two common subject lines of attack email either suggest that victims “change your password immediately” because “your account has been hacked.” Another common subject line tells a recipient that hackers know his or her password, also prompting them to change it immediately.
Sometimes attackers are a bit more direct and even menacing in the subject line of sextortion emails, using threatening language to get users’ attention. These emails include subjects such as “you are my victim,” “better listen to me,” “you don’t have much time,” or “this is my last warning.”
“They explicitly call out compromised passwords of the recipient to personalize the email and ‘socially engineer’ the recipient to believe their account has been compromised,” Cidon explained.
He compared the attacks to a “hybrid” of business email compromise (BEC) and ransomware. Similar to BEC, the emails are highly personalized and don’t contain any malicious attachments or links. “On the other hand, similar to ransomware, the main goal is to extract a ransom in the form of bitcoin, which is very hard to trace back to the attacker,” he said.
Defense and protection
Emerging sextortion scams are generally targeting employees of all departments, with the most common impersonated employees usually those in positions of authority, such as the CEO, other executives or the manager of the recipient, Cidon told us.
Education is the sector most frequently targeted by sextortion and blackmail, making up the majority of attacks, researchers observed. They believe this is because that gives attackers a broad swathe of users to target, as well as a generally young and diverse population that might be naive to such attacks and therefore easy to fool. Government employees are the second largest targets of sextortion, with business-services organizations the third most-targeted industry, according to the report.
Researchers made several recommendations to help organizations targeted by sextortion scams thwart these attacks, including the use of email security based on artificial intelligence (AI) rather than traditional signals such as IP or sender reputation and sandboxing, Cidon said.
“[AI] can detect anomalies in email traffic, even when the email does not contain obviously malicious attachments or links,” he said, adding that Barracuda offers such a solution with Barracuda Sentinel.
Researchers also recommend implementing a security awareness training program that can test employees awareness to sextortion and other targeted attacks to help them better identify them so they don’t fall for these and other email scams, Cidon added.