Awareness of Sextortion emails spoofing your own email address

Introduction

As one of these types of emails ended up in my junk folder and was new to me, I thought it would be a good idea to share information about this type of online sextortion scam. As a reminder, sextortion scams are a type of phishing attack in which people are coerced into paying a cryptocurrency ransom because they have been threatened with the release of video of themselves visiting adult websites. These scams are made to appear all the more credible because they provide seemingly plausible technical details about how this was achieved, and the phish can sometimes also include the individual’s password.

Phishes are designed to play on people’s emotions so that they will behave in a way which is out of character, and scams such as this are no different. The phisher is gambling that enough people will respond so that their scam is profitable; they do not know if you have a webcam, have been visiting adult websites, or the means by which you communicate with people, in short, they are guessing. The phisher hopes to emotionally trigger people so that they will ‘take the bait’ and pay the ransom, a typical modus operandi.

A reminder of what phishing schemes are: they often use spoofing techniques to lure you in and get you to take the bait. These scams are designed to trick you into giving criminals information that they shouldn’t have access to.

In a phishing scam, you might receive an email that appears to be from a legitimate business and is asking you to update or verify your personal information by replying to the email or visiting a website. The web address might look similar to one you’ve used before. The email may be convincing enough to get you to take the action requested.

But once you click on that link, you’re sent to a spoofed website that might look nearly identical to the real thing, like your bank or credit card site, and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information.

Phishing has evolved and now has several variations that use similar techniques: 

  • Vishing scams happen over the phone, voice email, or VoIP (voice over Internet Protocol) calls.
  • Smishing scams happen through SMS (text) messages.
  • Pharming scams happen when malicious code is installed on your computer to redirect you to fake websites.

Spoofing

It is becoming more common for sextortion emails to arrive apparently from your own account, which frightens a lot of people into thinking the crooks already have access to their computer. It is not true, though (touch wood). The sextortionist has not, in fact, demonstrated that they hacked your email. All they have done is demonstrate that anyone can send an email claiming to be from someone else. This is nothing new; it’s just the way email is designed, and plenty of phishers use this fact to send spoofed email that looks like it comes from a trusted party.

Generally, sextortion emails have included an intended victim’s password, that the attackers actually found in a data breach dump, in order to make their claims to have taken over somebody’s computer seem legitimate. Those passwords are typically outdated. But with the latest spin, they’re also pretending to have access to their victim’s email account, by simply spoofing the sender of the scam email to make it look like the same email as that of the victim.

It may be just a slight tweak of an extortion scam, but people are unfortunately falling for it. It is easy to see why. Generally, most people who watch online porn would be horrified at the notion that they’d been filmed while doing so and that their reputations could wind up in the gutter if embarrassing video of them were to be disseminated to friends, family and colleagues.

It’s not hard to believe that a hacker could take over your microphone and webcam, after all. It is possible to use a piece of malicious software called a remote access trojan (RAT) to take over your computer, record your conversations, and yes, to turn on your webcam and microphone to spy on you. Pair the all-too-real threat of RATs and hijacked webcams with an email that looks like it came from within your very own email account, and it’s easy to see how people can get strung along. Like most scam email artists, these criminals are adept at playing on our fears.
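The point above, that a forged From: line proves nothing, has a practical counterpart: the receiving mail server records what it actually verified (SPF, DKIM and DMARC) in the Authentication-Results header, and the sender cannot rewrite that. The script below is an added example, not code from the original post or from any of its sources; it parses two constructed messages (domains, IP addresses and the authserv-id are placeholders) and classifies a message addressed "from yourself" as spoofed or authentic based on those results.

```python
"""
Added example (not part of the original post): decide whether an email that
appears to come from your own address actually passed sender authentication.

A spoofed From: header is cheap. What the receiving server writes into the
Authentication-Results header after checking SPF, DKIM and DMARC is not under
the sender's control, so a self-addressed message that fails those checks is
a spoof, not evidence that the account was compromised.

All headers below are constructed sample data; example.com,
attacker-mailer.invalid, 203.0.113.7 and mx.example.com are placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a sextortion-style message whose From: is the victim's
# own address. SPF and DMARC fail because the real sending host is not
# authorised for example.com, and there is no DKIM signature at all.
SPOOFED_SELF_MAIL = b"""\
Return-Path: <bounce@attacker-mailer.invalid>
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=attacker-mailer.invalid;
 dkim=none;
 dmarc=fail action=quarantine header.from=example.com
Received: from unknown (HELO mail) (203.0.113.7) by mx.example.com
From: victim@example.com
To: victim@example.com
Subject: Your account was hacked

(placeholder for the extortion demand text)
"""

# Constructed sample: a genuine note-to-self sent through the provider.
GENUINE_SELF_MAIL = b"""\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: shopping list

Milk, bread.
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" etc. inside the header value.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_summary(raw_bytes):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} for a raw message.

    Only the first Authentication-Results header is read: it is the one added
    by the final receiving server (our own provider), the only one we trust.
    Mechanisms that are not mentioned are reported as 'none'.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    header = msg.get("Authentication-Results")
    if header:
        for mech, verdict in _RESULT_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def assess_self_addressed(raw_bytes, my_address):
    """Classify a message by its From: address and authentication results.

    Returns one of:
      'not-self'  - From: is some other address; outside this check's scope
      'authentic' - From: is mine and DMARC (or SPF and DKIM) passed
      'spoofed'   - From: is mine but authentication failed or is absent
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    if from_addr.lower() != my_address.lower():
        return "not-self"
    auth = auth_summary(raw_bytes)
    # DMARC is the alignment check that ties SPF/DKIM to the visible From:
    # domain, so when it is present it is the decisive verdict.
    if auth["dmarc"] == "pass":
        return "authentic"
    if auth["dmarc"] == "none" and auth["spf"] == "pass" and auth["dkim"] == "pass":
        return "authentic"
    return "spoofed"


if __name__ == "__main__":
    for label, raw in (("spoofed sample", SPOOFED_SELF_MAIL),
                       ("genuine sample", GENUINE_SELF_MAIL)):
        print(label, "->", assess_self_addressed(raw, "victim@example.com"))
```

In a real mailbox you would feed this the raw source of the message (most webmail clients offer "show original" or "view source"). Note the trust boundary the code enforces: only the first Authentication-Results header counts, because anything further down the header stack could have been written by the sender.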

Staying Safe

  1. As with other phishes, the usual advice is not to engage with the phisher, but to report the email as phishing, block the sender address, and then delete it.
  2. Do not worry if the phish includes your password; in all likelihood this has been obtained from historic breaches of personal data. You can check if your account has been compromised and get future notifications by visiting: https://haveibeenpwned.com/ 
  3. If you have been a victim of a sextortion scam and have paid the cryptocurrency ransom, then report it to your local police force.
  4. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  5. Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
  6. Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  7. Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Conclusion

I hope this post has been informative and reminded you to be aware of the problem of sextortion. In the near and longer term the ETSI Cyber group will be working on issues surrounding social cybersecurity concerns, which cover these types of attacks, including online sextortion, so hopefully positive measures which reduce or prevent such attacks will follow.

