Using Shadow Search to Power Investigations: Sextortion Campaigns


We recently wrote about sextortion campaigns and how they’ve developed their lures over time. As a result of these campaigns, tens of thousands of dollars have been transferred to attacker-controlled bitcoin wallets.

In this blog, I wanted to share how you can power responses to extortion campaigns with Shadow Search (while I’m using the sextortion campaign in this example, any extortion campaign could apply).

Within the long and rambling email, we can identify three elements requiring further investigation:

  1. Exposed credentials listed in cleartext as a “claim of compromise”. Including the recipient’s exposed password in the extortion message gives it an air of credibility.
  2. Claimed exploitation of a recent vulnerability that affects selected Cisco devices (CVE-2018-0296).
  3. A call to action to pay the extortion demand to a specific Bitcoin address. The most recent wave appeared to have generated at least $19,000.



Using Shadow Search, we can gain vital context on each of these three elements. For those unfamiliar with Shadow Search, we provide instant access to a range of sources so you can perform your own research and investigations. These include:

  • Dark web pages and marketplaces
  • Criminal forums
  • Paste sites
  • Blog and news sites
  • IRC and Telegram Chat Channels
  • Technical forums
  • DNS lookup
  • WHOIS data
  • Indicator Feeds
  • Curated intelligence from Digital Shadows


Search for Context on Vulnerability

The email states “the hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296)”. Searching for this CVE number in Shadow Search brings back NIST results, Digital Shadows intelligence reporting, and mentions across criminal forums. The victim would be able to ascertain that this is a Denial of Service vulnerability affecting the Cisco ASA web service, which is unlikely to have been exploited to steal the victim’s password – and may not even be present in the victim’s environment at all.


Search for Exposed Credentials

Second, the attacker used the recipient’s password as “proof” of compromise (we have obscured the password in Figure 1). When you search for this email address across paste sites and criminal forums, several results demonstrate that this email and password have already been publicly exposed. This indicates that the extortionist may well have sourced the password from pre-existing breaches, rather than having compromised your personal computer. This should also be a cue for the victim to change this password if it’s still being used on any other online services.

Search for Bitcoin Address

The third nugget of information is the bitcoin address (1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3). Again, searching for this on Shadow Search brings back copies of the exact same message that have been published on paste sites – most likely posted by another recipient of the extortion email. Furthermore, if the bitcoin address were associated with a known threat actor, those results would also appear in Shadow Search as part of our curated intelligence Actor Profiles.


Make More Informed Decisions

Gaining context across these three characteristics gives a strong indication that the extortion attempt is bogus, and organizations can use this insight to inform their defenses. Within minutes you can make a call on whether this extortion threat is credible, and whether additional resources are needed to protect your organization and its employees.
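As an added example (not part of the original post or of Digital Shadows’ tooling), the following Python helper pulls the three pivot points described above out of a constructed extortion email and flags the mismatch between the claimed impact and what the cited CVE actually does. The CVE_IMPACT table is an assumed stand-in for the NIST / Shadow Search lookup, and the email body is constructed; only the CVE and bitcoin address come from the post.

```python
import re

# Constructed sample extortion email (not a real message); the CVE and
# bitcoin address are the ones quoted in the post, the rest is made up.
SAMPLE_EMAIL = """\
I know your password is hunter2 because the hacking was carried out using a
hardware vulnerability through which you went online (Cisco router,
vulnerability CVE-2018-0296). Send 0.5 BTC to 1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3
within 48 hours or the video goes to every contact of victim@example.com.
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)
# Legacy (P2PKH / P2SH) bitcoin address shape: base58, starts with 1 or 3.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Assumed local stand-in for the vulnerability lookup; only the entry the
# post discusses is filled in (component, impact class).
CVE_IMPACT = {"CVE-2018-0296": ("Cisco ASA web service", "denial of service")}


def extract_indicators(body):
    """Return the three pivot points the post identifies, deduplicated."""
    return {
        "cves": sorted({m.upper() for m in CVE_RE.findall(body)}),
        "bitcoin": sorted(set(BTC_RE.findall(body))),
        "emails": sorted(set(EMAIL_RE.findall(body))),
    }


def assess_cve_claim(cve):
    """False if the CVE cannot support a 'stole your password' claim,
    True if it could, None if the CVE is unknown and needs a real lookup."""
    impact = CVE_IMPACT.get(cve)
    if impact is None:
        return None
    return impact[1] != "denial of service"


def triage(body):
    """Extract indicators and produce the analyst's pivot list."""
    ind = extract_indicators(body)
    findings = []
    for cve in ind["cves"]:
        if assess_cve_claim(cve) is False:
            findings.append(f"{cve} is a {CVE_IMPACT[cve][1]} bug; compromise claim implausible")
    for addr in ind["bitcoin"]:
        findings.append(f"pivot: search paste sites and actor profiles for {addr}")
    for email in ind["emails"]:
        findings.append(f"pivot: search breach/paste data for {email}; rotate password if reused")
    return ind, findings
```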


Interested in Shadow Search? You can read more about the service in our datasheet, or you can try it for yourself by signing up for a test drive.
