Sextortion 2.0: A New Lure


Back in September we released a blog about the large volume of sextortion email campaigns that were hitting people’s inboxes. We have continued to monitor the campaigns and have seen a recent change in tactics, with some unusual approaches being favoured by the sextortionists this time around.


Cisco ASA vulnerability lure – too long; didn’t read

Previously the emails were simple and straightforward for the target – “I have your password this is proof that I have access to your computer”. The recent shift in tactics for these campaigns is to suggest that they have access to the user’s email by spoofing the sender’s email address. This is an easy trick to pull off, though it does increase the risk of the email being flagged as spam or dropped completely by the recipient mail server.

The other significant change was to mention a recent 2018 vulnerability that affects selected Cisco devices (CVE-2018-0296), which relates to a Denial of Service (DoS) vulnerability affecting the Cisco ASA web service. Once again, this seems too specific and is more likely to reduce the chances of a successful campaign, as most users know whether they have a Cisco or a generic broadband router. Moreover, these days an increasing number of corporate email domains are being configured with security solutions such as Sender Policy Framework (SPF) to reduce the risk of email spoofing.

The body of text has also changed and differs between variants of the email. Certain words appear and then disappear, while some emails provide the passwords and others do not. Some even have spelling mistakes throughout. All of these may be techniques used to avoid simple keyword and pattern matching.
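Because the wording shifts between variants, a single keyword rule is brittle; the added example below (not code from the original post) instead scores several independent signals described above: a From address spoofed to equal the recipient, an SPF failure recorded by the receiving MTA in its Authentication-Results header, a Bitcoin address, a CVE reference, a dollar demand and a password claim. The sample messages, the example.com domain and the Bitcoin address are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (hypothetical domain, made-up Bitcoin address): one
# sextortion mail that spoofs the recipient as sender and fails SPF at the
# receiving MTA, and one legitimate IT reminder for contrast.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=victim@example.com
From: victim@example.com
To: victim@example.com
Subject: your account is hacked

I got into your mailbox through the Cisco ASA bug CVE-2018-0296.
Your password is hunter2. Send $799 to 1FakeAddressForThisDemoNotReaLxyz
"""
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=it@example.com
From: it@example.com
To: victim@example.com
Subject: Reminder: password rotation

Please rotate your password in the self-service portal this week.
"""

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 form
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
DEMAND_RE = re.compile(r"\$\s?\d{3,4}\b")

def spf_result(msg):
    """Return the spf= verdict the receiving MTA recorded (RFC 8601), or None."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    return m.group(1).lower() if m else None

def score_sextortion(raw):
    """Count independent weak signals so reworded variants still score high."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # samples are single-part text
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    signals = {
        "from_equals_to": bool(sender) and sender == rcpt,  # self-spoofed sender
        "spf_failed": spf_result(msg) in ("fail", "softfail"),
        "btc_address": bool(BTC_RE.search(body)),
        "cve_lure": bool(CVE_RE.search(body)),
        "dollar_demand": bool(DEMAND_RE.search(body)),
        "password_claim": "password" in body.lower(),
    }
    return sum(signals.values()), signals
```

A mail gateway would act on the score (for example, quarantine at 4 or more) rather than on any one signal, since the campaign drops and reintroduces individual words between variants.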

Figure 1 – TLDR: Latest sextortion email with Cisco vulnerability lure


Figure 2 – Closeup of latest sextortion email with Cisco vulnerability lure


Who has been targeted?

As in the previous campaigns we investigated, the target information (email/password) is being picked from breached or leaked data, with Anti Public and Exploit[.]in combination lists being the preferred choices.

With demands ranging from $550 to $899, the attacker(s) have been able to amass over $19,000 so far based on the number of transactions made to the associated Bitcoin addresses we’ve tracked.


What is the scale looking like this time around?

We’ve noticed the campaign(s) using these newer methods over the last month; however, most of the emails using the Cisco vulnerability tactic have been a feature of the last week, with a huge spike occurring on 10 November.

Figure 3 – CVE-related campaign volume since 10 November, 2018


Figure 4 – Comparison between previous sextortion campaigns and recent CVE-related variation


Conclusion

While the attempts seem to be a bit over the top, current indications are that the campaign(s) are receiving Bitcoin, or they are shifting Bitcoin around in an attempt to add some kind of credibility. As we have discussed previously, these scams are a volume game; with large enough target lists the campaigners will continue to receive payments. The best things users can do are:

  • Stay vigilant and inspect your email with a bit more caution and suspicion. Look out for the tell-tale signs that you are being targeted by a mass scam campaign.
  • Make sure you are refreshing passwords and aren’t reusing them across sensitive accounts, particularly as these email and password pairs appear to have been sourced from breached data and public combination lists.
  • Enable two-factor authentication where possible to help prevent account takeovers even if your password is leaked publicly.

If these emails are making their way into your corporate inbox, then it’s probably time to speak to your IT teams and work on that email security! In future blogs from the Security Engineering Team, we’ll be focusing on ways practitioners can improve their organization’s email security and risk reduction processes.

About Digital Shadows
Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human data analysts to manage and mitigate risks of an organization’s brand exposure, VIP exposure, cyber threat, data exposure, infrastructure exposure, physical threat, and third party risk, and create an up-to-the minute view of an organization’s digital risk with tailored threat intelligence.