Awareness of Sextortion emails spoofing your own email address
Introduction
As one of these type of emails ended up in my junk folder and was a new one to myself I thought it would be a good idea to share information about this type of online sextortion scam. A reminder sextortion scams are a type of phishing attack whereby people are coerced to pay a crypto currency ransom because they have been threatened with sharing video of themselves visiting adult websites. These scams are made to appear all the more credible because they provide seemingly plausible technical details about how this was achieved, and the phish can sometimes also include the individual’s password.
Phishes are designed to play on people’s emotions so that they will behave in a way which is out of character, and scams such as this are no different. The phisher is gambling that enough people will respond so that their scam is profitable; they do not know if you have a webcam, have been visiting adult websites, or the means by which you communicate with people, in short, they are guessing. The phisher hopes to emotionally trigger people so that they will ‘take the bait’ and pay the ransom, a typical modus operandi.
A reminder what phishing schemes are. They often use spoofing techniques to lure you in and get you to take the bait. These scams are designed to trick you into giving information to criminals that they shouldn’t have access to.
In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested.
But once you click on that link, you’re sent to a spoofed website that might look nearly identical to the real thing, like your bank or credit card site, and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information.
Phishing has evolved and now has several variations that use similar techniques:
- Vishing scams happen over the phone, voice email, or VoIP (voice over Internet Protocol) calls.
- Smishing scams happen through SMS (text) messages.
- Pharming scams happen when malicious code is installed on your computer to redirect you to fake websites.
Spoofing
It is becoming more common for sextortion emails to arrive apparently from your own account, which frightens a lot of people into thinking the crooks already have access to their computer. Though, it’s not true (touch wood). The sextortionist has not, in fact, demonstrated that they hacked your email. All they have done is demonstrate that anyone can send an email claiming to be from someone else. This is nothing new, it’s just the way email is designed, and plenty of phishers use this fact to send spoofed email that looks like it comes from a trusted party.
Generally, sextortion emails have included an intended victim’s password, that the attackers actually found in a data breach dump, in order to make their claims to have taken over somebody’s computer seem legitimate. Those passwords are typically outdated. But with the latest spin, they’re also pretending to have access to their victim’s email account, by simply spoofing the sender of the scam email to make it look like the same email as that of the victim.
It may be just a slight tweak of an extortion scam, but people are unfortunately falling for it. It is easy to see why. Generally, most people who watch online porn would be horrified at the notion that they’d been filmed while doing so and that their reputations could wind up in the gutter if embarrassing video of them were to be disseminated to friends, family and colleagues.
It’s not hard to believe that a hacker could take over your microphone and webcam, after all. It is possible to use a piece of malicious software called a remote access trojan (RAT) to take over your computer, record your conversations, and yes, to turn on your webcam and microphone to spy on you. Paired with the too-real threat of RATs and hijacked webcams with an email that looks like it came from within your very own email account, and it’s easy to see how people can get strung along. Like most scam email artists, these criminals are adept at playing on our fears.
Staying Safe
- As with other phishes, often advice is not to engage with the phisher, report the email as phishing, block the email address, and then delete it.
- Do not worry if the phish includes your password; in all likelihood this has been obtained from historic breaches of personal data. You can check if your account has been compromised and get future notifications by visiting: https://haveibeenpwned.com/
- If you have been a victim of a sextortion scam and have paid the crypto coin ransom, then report it to your local police force.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Conclusion
I hope this post has been informative and kept reminded you to be aware of the problem of sextortion. As in the near and longer term future ETSI Cyber group will be working on issues surrounding social cybersecurity concerns these types of attacks which online sextortion comes under so hopefully positive measures which reduce or prevent these types of attacks will occur.
Sources
https://www.ncsc.gov.uk/guidance/sextortion-scams-how-to-protect-yourself
https://www.actionfraud.police.uk/sextortion
https://nakedsecurity.sophos.com/2018/10/15/beware-sextortionists-spoofing-your-own-email-address/
Comments
Post a Comment