Online Sextortion and Malware
Introduction
I have written about online sextortion so I will not be going into explanations about it. What this post aim is to highlight an upcoming trend and what may be a future wave of online sextortion attacks. This links to spam emails by aiming to take advantage of human behaviour to extort money usually some form of cryptocurrency from a victim. These are derived from social engineering and phishing attacks. But now Sextortion, Malware and Spam are being used together. Unhappily for a French ISP's users, online crooks combined all three in a hideous attempt to extort cash with custom malware that records their on-screen doings, according to infosec researchers.
In a curious evolution of online attempts to scam people, the Varenyky malware being tracked by Slovakian anti-malware company ESET briefly included a screen-recording feature that scanned for particular pornography-related terms before recording what was on screen.
ESET's described how the malware "was able to record what was going on the screen. Not everything but when the user opened the tab, specific keywords which were monitored were all explicit or sex-related."
Luckily or unluckily depending on the user location, the malware was written so it would only target customers of the Orange ISP in France. Operating as part of what seemed to be a multi-stage extortion campaign, Varenyky steals passwords, spies on victims and receives command-and-control messages through Tor.
Varenyky is planted through any of the usual email phishing techniques intended to get the victim to click a link or attachment – perhaps pretending to be an invoice from a legitimate supplier. Once opened, the malicious attachment (which tends to be a Microsoft Office document) says it needs macros to be enabled; once the victim does that, the email payload downloads the real malware.
Once in place on the target device, the malware presents the threat text (saying the victim is in trouble with the police, or has been filmed doing a private act, et cetera) along with a Bitcoin wallet address.
The extortion messages tended to contain "very technical language; RDP, keylogger, the authority to access..." and general computing-related terms intended to convince non-techies that they had been comprehensively pwned by an adept attacker.
ESET analysed transactions going through the named Bitcoin wallet and figured out that 123 victims had made a total of 6.5 Bitcoins – around £40,000 – in extortion payments. 3.7 Bitcoins had been withdrawn from the wallets, meaning the criminals had successfully converted £23,000+ into real-world cash.
To speed up extortion payments, the malware authors included a QR code linking directly to the Bitcoin wallet.
When it comes to email sextortion scams, suffice to say, business is unfortunately incredibly good. While the simplicity and profitability of the scam may serve an invitation for would-be criminals, the more users become aware of the scheme, the less we’ll be lining the bad guys’ pockets with our cryptocurrency.
But more importantly, this should be a wake-up call for users. A lot of people, even those who consider themselves Internet-savvy, are falling for or are rattled by the extortion messaging, especially those emails that make use of old passwords to scare innocent people into parting with their money.
If you or someone you know may have received sextortion emails, know that it’s highly likely they’re not watching you. What threat actors describe in their emails is not actually taking place.
Though with attackers combining data from malware from compromised devices paired with information from past data breaches there is now the risk that the attacks could be made to look more convincing by showing captured images of the user in the phishing email. They do not have to be compromising just the possible knowledge that the victims' image has been captured without their knowing may scare them enough to believe the threats are real.
Reducing the Risk
First thing you should be following good security practises. Furthermore, don’t panic. Do your due diligence and secure accounts that have been affected by massive breaches in the past (if you haven’t already). "Have I Been Pwned?" is a good place to start. Also, if you want to do as little hoop-jumping as possible, just delete the email and file them away in your mind as harmless spam. Though it would be better to report to your email provider as a phishing email and to block the email address itself. Finally, have awareness of what type of spam and phishing campaigns are fluting around have knowledge of them allows you to identify them and to give advice to others. Reddit' Spam thread is a good place to start.
Conclusion
Like flu this a continuously changing and evolving attack. This means as with the flu virus we cannot rely on last years shot to protect us we need to keep out responses to it up to date and relevant otherwise there is a risk that the criminals will have their big payday and the victims will lose money or if we as society may see victims commit suicide. Since people have already taken lives because of online sextortion. Remember cyberattacks can kill.
Sources
https://www.theregister.co.uk/2019/10/18/sextortion_malware_spam_eset_research/
https://blog.malwarebytes.com/scams/2019/08/the-lucrative-business-of-bitcoin-sextortion-scams/
Have I Been Pwned: Check if your email has been ...
https://www.reddit.com/r/Scams/
I have written about online sextortion so I will not be going into explanations about it. What this post aim is to highlight an upcoming trend and what may be a future wave of online sextortion attacks. This links to spam emails by aiming to take advantage of human behaviour to extort money usually some form of cryptocurrency from a victim. These are derived from social engineering and phishing attacks. But now Sextortion, Malware and Spam are being used together. Unhappily for a French ISP's users, online crooks combined all three in a hideous attempt to extort cash with custom malware that records their on-screen doings, according to infosec researchers.
In a curious evolution of online attempts to scam people, the Varenyky malware being tracked by Slovakian anti-malware company ESET briefly included a screen-recording feature that scanned for particular pornography-related terms before recording what was on screen.
ESET's described how the malware "was able to record what was going on the screen. Not everything but when the user opened the tab, specific keywords which were monitored were all explicit or sex-related."
Luckily or unluckily depending on the user location, the malware was written so it would only target customers of the Orange ISP in France. Operating as part of what seemed to be a multi-stage extortion campaign, Varenyky steals passwords, spies on victims and receives command-and-control messages through Tor.
Varenyky is planted through any of the usual email phishing techniques intended to get the victim to click a link or attachment – perhaps pretending to be an invoice from a legitimate supplier. Once opened, the malicious attachment (which tends to be a Microsoft Office document) says it needs macros to be enabled; once the victim does that, the email payload downloads the real malware.
Once in place on the target device, the malware presents the threat text (saying the victim is in trouble with the police, or has been filmed doing a private act, et cetera) along with a Bitcoin wallet address.
The extortion messages tended to contain "very technical language; RDP, keylogger, the authority to access..." and general computing-related terms intended to convince non-techies that they had been comprehensively pwned by an adept attacker.
ESET analysed transactions going through the named Bitcoin wallet and figured out that 123 victims had made a total of 6.5 Bitcoins – around £40,000 – in extortion payments. 3.7 Bitcoins had been withdrawn from the wallets, meaning the criminals had successfully converted £23,000+ into real-world cash.
To speed up extortion payments, the malware authors included a QR code linking directly to the Bitcoin wallet.
When it comes to email sextortion scams, suffice to say, business is unfortunately incredibly good. While the simplicity and profitability of the scam may serve an invitation for would-be criminals, the more users become aware of the scheme, the less we’ll be lining the bad guys’ pockets with our cryptocurrency.
But more importantly, this should be a wake-up call for users. A lot of people, even those who consider themselves Internet-savvy, are falling for or are rattled by the extortion messaging, especially those emails that make use of old passwords to scare innocent people into parting with their money.
If you or someone you know may have received sextortion emails, know that it’s highly likely they’re not watching you. What threat actors describe in their emails is not actually taking place.
Though with attackers combining data from malware from compromised devices paired with information from past data breaches there is now the risk that the attacks could be made to look more convincing by showing captured images of the user in the phishing email. They do not have to be compromising just the possible knowledge that the victims' image has been captured without their knowing may scare them enough to believe the threats are real.
Reducing the Risk
First thing you should be following good security practises. Furthermore, don’t panic. Do your due diligence and secure accounts that have been affected by massive breaches in the past (if you haven’t already). "Have I Been Pwned?" is a good place to start. Also, if you want to do as little hoop-jumping as possible, just delete the email and file them away in your mind as harmless spam. Though it would be better to report to your email provider as a phishing email and to block the email address itself. Finally, have awareness of what type of spam and phishing campaigns are fluting around have knowledge of them allows you to identify them and to give advice to others. Reddit' Spam thread is a good place to start.
Conclusion
Like flu this a continuously changing and evolving attack. This means as with the flu virus we cannot rely on last years shot to protect us we need to keep out responses to it up to date and relevant otherwise there is a risk that the criminals will have their big payday and the victims will lose money or if we as society may see victims commit suicide. Since people have already taken lives because of online sextortion. Remember cyberattacks can kill.
Sources
https://www.theregister.co.uk/2019/10/18/sextortion_malware_spam_eset_research/
https://blog.malwarebytes.com/scams/2019/08/the-lucrative-business-of-bitcoin-sextortion-scams/
Have I Been Pwned: Check if your email has been ...
https://www.reddit.com/r/Scams/
Comments
Post a Comment