Using Shadow Search to Power Investigations: Sextortion Campaigns


We recently wrote about sextortion campaigns and how they’ve developed their lures over time. As a result of these campaigns, tens of thousands of dollars have been transferred to attacker-controlled bitcoin wallets.

In this blog, I wanted to share how you can power responses to extortion campaigns with Shadow Search (while I’m using the sextortion campaign in this example, any extortion campaign could apply).

Within the long and rambling email, we can identify three elements requiring further investigation:

  1. Exposed credentials listed in cleartext as a “claim of compromise”. Including the recipient’s exposed password in the extortion message gives it an air of credibility.
  2. Claimed exploitation of a recent vulnerability that affects selected Cisco devices (CVE-2018-0296).
  3. A call to action to pay the extortion demand to a specific Bitcoin address. The most recent wave appeared to have generated at least $19,000.



Using Shadow Search, we can gain vital context on each of these three elements. For those unfamiliar with Shadow Search, we provide instant access to a range of sources so you can perform your own research and investigations. These include:

  • Dark web pages and marketplaces
  • Criminal forums
  • Paste sites
  • Blog and news sites
  • IRC and Telegram Chat Channels
  • Technical forums
  • DNS lookup
  • WHOIS data
  • Indicator Feeds
  • Curated intelligence from Digital Shadows


Search for Context on Vulnerability

The email states “the hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296)”. Searching for this CVE number in Shadow Search brings back NIST results, Digital Shadows intelligence reporting, and mentions across criminal forums. The victim would be able to ascertain that this is a Denial of Service vulnerability affecting the Cisco ASA web service, which is unlikely to have been exploited to steal a password – and the affected product may not even be present in the victim’s environment at all.


Search for Exposed Credentials

Second, the attacker used the recipient’s password as “proof” of compromise (we have obscured the password in Figure 1). When you search for this email address across paste sites and criminal forums, several results demonstrate that this email and password have already been publicly exposed. This indicates that the extortionist may well have sourced the password from pre-existing breaches, rather than having compromised the victim’s personal computer. This should also be a cue for the victim to change this password if it’s still being used on any other online services.

Search for Bitcoin Address

The third nugget of information is the bitcoin address (1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3). Again, searching for this on Shadow Search brings back copies of the exact same message that have been published on paste sites – most likely posted by another recipient of the extortion email. Furthermore, if the bitcoin address was associated with a known threat actor, then these results would also appear in Shadow Search as part of our curated intelligence Actor Profiles.
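The three searches above all start from the same step: pulling the CVE number, the exposed email address and the bitcoin address out of a rambling message so each can be pivoted on. As an added example (my own code, not the post's or Digital Shadows' tooling), the Python script below does that extraction over a constructed sample email and attaches the search each indicator calls for. The CVE and bitcoin address are the ones quoted in the post; the mailbox and password in the sample are invented placeholders. The script also runs a standard Base58Check validation on each candidate bitcoin address, which is an assumption about what a triage step would include rather than something the post describes; it flags addresses that are syntactically impossible before anyone spends time searching for them.

```python
import hashlib
import re

# Constructed sample of an extortion email body (not the original message from the post).
# The CVE and bitcoin address are quoted from the post; the mailbox and password are invented.
SAMPLE_EMAIL = """\
I know your password is Summ3r2017 for victim@example.com.
The hacking was carried out using a hardware vulnerability through which
you went online (Cisco router, vulnerability cve-2018-0296).
Send $700 in bitcoin to 1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3 within 48 hours.
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Legacy base58 (P2PKH/P2SH) addresses: start with 1 or 3, 26-35 chars, no 0/O/I/l.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode a base58 string; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def valid_btc_address(addr: str) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_indicators(text: str) -> dict:
    """Pull out the three pivots (CVE, email, bitcoin address) and note where to look for each."""
    cves = sorted({m.upper() for m in CVE_RE.findall(text)})
    emails = sorted(set(EMAIL_RE.findall(text)))
    btc = [
        {"address": a, "base58check_ok": valid_btc_address(a)}
        for a in sorted(set(BTC_RE.findall(text)))
    ]
    pivots = (
        [{"type": "cve", "value": c, "search": "NVD / vendor advisory: affected product and impact"} for c in cves]
        + [{"type": "email", "value": e, "search": "paste sites and breach dumps: prior exposure"} for e in emails]
        + [{"type": "bitcoin", "value": b["address"], "search": "paste sites and actor profiles: reused campaign address"} for b in btc]
    )
    return {"cves": cves, "emails": emails, "bitcoin": btc, "pivots": pivots}


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_EMAIL)
    for p in result["pivots"]:
        print(f"{p['type']:8} {p['value']:40} -> {p['search']}")
```

The output is a short pivot list rather than a verdict: the script tells an analyst what to search for and whether the bitcoin address is even well-formed, and the credibility call still comes from what the searches return, as the post describes.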


Make More Informed Decisions

Gaining context across these three characteristics gives a strong indication that the extortion attempt is bogus, and organizations can use this insight to inform their defenses. Within minutes you can make a call on whether this extortion threat is credible, and whether additional resources are needed to protect your organization and its employees.


Interested in Shadow Search? You can read more about the service in our datasheet, or you can try it for yourself by signing up for a test drive.

About Digital Shadows
Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human data analysts to manage and mitigate risks of an organization’s brand exposure, VIP exposure, cyber threat, data exposure, infrastructure exposure, physical threat, and third party risk, and create an up-to-the minute view of an organization’s digital risk with tailored threat intelligence.
