Sextortion Attempt in My Inbox
The sextortion hoax economy has a pulse. On Easter, during our modified annual family gathering and carefully coordinated and socially-distanced egg hunts with neighbors and friends, I received a sextortion phish. Its contents gave me pause. A scammer was seeking to trash my reputation online if I did not send $1900.00 in bitcoin by the next day. My response was not one of panic. “Exhale. This is a phish. None of us are exempt.”
I feel compelled to blog about this phish given a recent conversation I had with one of my mentors, who had also been targeted with a similar sextortion scam. My mentor’s panic was palpable—the worry—intense. My mentor asked, “What can I do? This is not something I would do.” The concerns of my mentor were immediately evident. The fear of public shaming by an unknown actor is more than just disconcerting. Threats of this kind are paralyzing for a community leader of prominence, standing, and high integrity. Bad actors are seizing on the power of shame.
My mentor’s story, like many others, is one of defenselessness against an unknown entity. I get phished often, as we all do, but this one was different. My gut said, “Do nothing. Do not respond to their threats.” At the same time, I had increased empathy for my mentor.
This particular scam dates back at least three years. Brian Krebs analyzed the sextortioners at length in a 2018 post on Krebs On Security. In the post, Krebs asserted that the scammers’ success was due to increased sophistication in execution: the hoax used semi-automated scripts to extract scores of stolen usernames and passwords from “shady password lookup services.” The sextortion samples Krebs and his readers (in the comment section) shared match my scammer’s threats verbatim.
My version of the scam included an oft-used username of mine plus an infrequently used password (other targeted users described different details, such as username + phone number). The scammers then claim to have compromised me on a not-safe-for-work (NSFW) site with planted malware that established a remote desktop protocol (RDP) session to a device of mine, harvesting credentials and contact lists for my public shaming. Finally, the criminal(s) gave me 24 hours to pay before they would send the supposed split-screen video evidence to family, friends and coworkers (some versions give targets 48 hours to respond). Malwarebytes CEO Marcin Kleczynski, in a 2019 CNBC post, labeled the sextortion scam a ‘commodity attack.’
The scammers cast a broad net of oddly specific bitcoin ransom amounts and, judging by the transactions tracked by law enforcement agencies, net hauls of $10,000 to $20,000 a week, an indication of how many targets have fallen prey. It’s worth noting that criminal enterprises are moving away from bitcoin to other monetary platforms to avoid monitoring by enforcement agencies. Scammers like the ones described in this post will likely follow suit.
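The lure described above has a recognizable shape: a leaked username or password quoted back at the target, a claim of malware or an RDP session, a shaming threat aimed at contacts, a 24- or 48-hour deadline, and a bitcoin address. The following is an added triage example, not code from this post or from any vendor, that scores an email body on those indicators so a mail-security or SOC team can flag commodity sextortion without paying or panicking. The sample messages, the credentials they quote and the bitcoin address are all constructed for the example; the address regexes check shape only, not the checksum.

```python
import re

# Constructed sextortion lure modelled on the elements the post describes.
# Not a real email: the username, password and bitcoin address are fabricated.
SAMPLE_LURE = """
I know that jdoe is your username and hunter2 is your password.
I placed malware on an adult site you visited and used RDP to take over
your device and collect your contacts.
Send $1900 in bitcoin to 1Ex4mpLeAddrNotReaLxxxxxxxxxxxx within 24 hours
or I send the split-screen video to your family and coworkers.
"""

# Constructed benign message that mentions passwords and MFA but is not a lure.
SAMPLE_BENIGN = """
Hi team, the quarterly password rotation is due Friday. Please enable MFA
on your accounts before then and reach out if you have questions.
"""

# Legacy base58 (1.../3...) and bech32 (bc1...) address shapes. Shape only;
# a checksum is not validated, so treat hits as indicators, not proof.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
DEADLINE = re.compile(r"\b(?:24|48)\s*(?:hours|hrs)\b", re.IGNORECASE)
CREDENTIAL_CLAIM = re.compile(r"\b(?:your|ur)\s+(?:password|username)\b", re.IGNORECASE)
TAKEOVER_CLAIM = re.compile(r"\b(?:rdp|remote desktop|malware|trojan|webcam)\b", re.IGNORECASE)
SHAME_CLAIM = re.compile(r"\b(?:contacts|family|coworkers|colleagues|video)\b", re.IGNORECASE)
PAYMENT_DEMAND = re.compile(r"\b(?:bitcoin|btc)\b", re.IGNORECASE)

INDICATOR_WEIGHTS = {
    "deadline": 1,
    "credential_claim": 1,
    "takeover_claim": 1,
    "shame_claim": 1,
    "payment_demand": 1,
}


def sextortion_indicators(body: str) -> dict:
    """Report which lure elements appear in the body, plus any addresses found."""
    return {
        "btc_addresses": BTC_ADDRESS.findall(body),
        "deadline": bool(DEADLINE.search(body)),
        "credential_claim": bool(CREDENTIAL_CLAIM.search(body)),
        "takeover_claim": bool(TAKEOVER_CLAIM.search(body)),
        "shame_claim": bool(SHAME_CLAIM.search(body)),
        "payment_demand": bool(PAYMENT_DEMAND.search(body)),
    }


def sextortion_score(body: str) -> int:
    """A bitcoin address is worth 3 points; each other indicator is worth 1."""
    found = sextortion_indicators(body)
    score = 3 if found["btc_addresses"] else 0
    score += sum(weight for key, weight in INDICATOR_WEIGHTS.items() if found[key])
    return score


def is_sextortion(body: str, threshold: int = 5) -> bool:
    """Flag a message when it carries enough of the lure's elements together."""
    return sextortion_score(body) >= threshold


if __name__ == "__main__":
    for label, body in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, sextortion_score(body), is_sextortion(body))
```

The threshold is deliberately high: a single match (a colleague writing "your password" in a rotation reminder, or a newsletter mentioning bitcoin) should never trip the rule, while the real lure stacks four or five elements in a few lines.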
What Can Sextortion Victims Do in Response?
The stark reality is that scammers (among us) will always ‘scam’. Not surprisingly, sextortion scammers are out in full force during this current pandemic, with a marked resurgence of hoaxes in the last week. Awareness and vigilance are necessary more than ever. Small businesses, mom and pop stores, nonprofits, and community organizations deserve our concerted help. There is a growing need to amplify the ‘wash-rinse-repeat’ message around hygiene and vigilance:
- Continue to update spam filters
- Check reputable sites like Troy Hunt’s Credential Breach Service, HaveIBeenPwned to determine if your credentials are listed in any of the repositories
- Avoid password reuse, and change any credential that turns up in a breach, choosing a password of adequate length and complexity
- Use Multi-Factor Authentication (MFA) wherever possible
- Delete the sent email and NEVER pay the purveyors of sextortion attempts
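The second item above, checking Have I Been Pwned, can be done for passwords without ever sending the password itself: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix with its breach count (k-anonymity). The following is an added example, not code from this post or from Troy Hunt's service, showing the hash split, the response parsing, and the lookup. The response body embedded here is constructed to show the shape of the API's reply; its counts are made up, and the live call in `fetch_range` is kept separate so the rest runs offline.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map (padding lines have count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count_from_response(password: str, body: str) -> int:
    """Number of times the password appeared in breaches, given the API body for its prefix."""
    _, suffix = split_hash(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live call: fetch all suffixes for a 5-char prefix. Add-Padding hides result-set size."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "hibp-range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str) -> int:
    """Online check; only the hash prefix leaves the machine."""
    prefix, _ = split_hash(password)
    return breach_count_from_response(password, fetch_range(prefix))


# Constructed sample of the range API's reply for prefix 5BAA6 (the prefix of
# SHA-1("password")). Counts are made up; a real reply has hundreds of lines.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E7BE6D7B4EC6C21E7A9B1A2C2C0E0A6E1A:0",  # padding entry, count 0
])


if __name__ == "__main__":
    print("offline:", breach_count_from_response("password", SAMPLE_RANGE_5BAA6))
    # print("online:", breach_count("password"))  # uncomment to hit the live API
```

A count above zero is grounds to rotate the credential regardless of how strong it looks; the suffix comparison happens locally, so neither the password nor its full hash is disclosed to the service.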
Concerted efforts exist (e.g., No More Ransom is one example) to disseminate awareness and marshal resources to raise the bar for scammers in defense of citizens. It’s time to put sextortion hoaxes of this kind to rest so we can join forces with those fighting the broader scourge of sextortion worldwide. This fight is a global one worth taking on.
Mark Arnold has a 15+ year cybersecurity career, serving 8 of those years in leadership roles. As a transformational leader, Mark has built security teams and programs, authored maturity model blueprints to optimize risk management processes, and implemented security domain practices at large enterprises and service providers. Mark’s areas of interest include cloud security, threat intelligence, vulnerability research, nation-state attack methods and related activities (e.g. information operations and disinformation campaigns), and their collective impact on nations and society. Mark recently completed an executive education cohort on the intersection of cybersecurity and technology at Harvard’s Kennedy School.