The Sextortion Scourge: Phishing for Fears

Sextortion is a blight that preys upon a user’s fears and guilt about their online behavior. Dan Raywood assesses where this concept came from and how sextortion attackers succeed.

It has been five years since the Ashley Madison breach when the website offering extra-marital relationships lost around 32 million user records, which were subsequently made public. This was, of course, no laughing matter, and the impact upon those who were registered with the site was, in some cases, highly significant.

What’s more, the fallout of the breach is still being felt in 2020. For example, it was reported in January of this year by researchers at Vade Secure that “a highly personalized extortion scam” had been spotted, where the target receives an email threatening to share their Ashley Madison account details, along with other embarrassing data, with family and friends on social media and via email.

This particular scam is financially driven, with the recipient asked to pay an amount in Bitcoin to avoid having this very sensitive information made publicly available. So, how realistic is this threat? Well, the emails are “highly personalized with information from the Ashley Madison data breach,” Vade Secure reports, with the subject including the target’s name and bank, and the email body including the user’s bank account number, telephone number, address, birthday and Ashley Madison site info such as their sign-up date and answers to security questions.

As Vade Secure explains, “this Ashley Madison extortion scam is a good example that a data breach is never ‘one and done.’”

As we are now five years on from one of the most significant breaches of the last decade, it seems incredible that attacks are still being leveraged from the data set affected.

Alex Guirakhoo, threat research team lead at Digital Shadows, says the Ashley Madison database continues to be circulated across various cyber-criminal communities, both on its own and as part of a conglomerate of other data breaches.

In fact, the concept of an extortion scam which uses a combination of a person’s private life, dating history and browsing habits to get the victim to pay money to avoid it being disclosed has spawned a new term – sextortion.

“Large data leaks that contain highly sensitive information are of high value to cyber-criminals as they contain personal details that can be used to conduct sextortion or other social engineering campaigns,” Guirakhoo says.

Preying on the Taboo
This concept has most commonly been associated with revenge porn, blackmail and manipulation of personal images. Guirakhoo says sextortion campaigns leverage victims’ fears and attackers bank on victims being more likely to comply with demands when they read that their sensitive or intimate data will be released.

“The reality is that most claims of an attacker having access to a victim’s webcam are false; widespread sextortion campaigns rely on scare tactics rather than actual system compromise.”

It’s a pretty straightforward example, and all too often repeated: data gets breached and is leaked online and made available for purchase at a low price. The victim doesn’t change their password, so when an attacker sends a message to the victim claiming to have their password among other credentials and details, the victim is too worried to act upon advice around reporting it. After all, preying upon a victim’s most intimate and private interests is a surefire way to instill fear and embarrassment.

Security researcher Morgan Carter, who is part of the Security Queens collective, says sextortion emails “are quite wicked, and the key reason they have more emotional impact than regular phishing emails is because in addition to the tone of urgency and sense of danger, the main area of focus (sex, pornography and so on) is very taboo.”

Carter says these emails often contain some element of personal information, such as your username and password in order to convince you they’re real, and that the sender actually does have private pictures or videos of you. “As the subject is so taboo, people might not immediately realize they’re basically just phishing emails, and a lot of people who receive sextortion attempts likely won’t have the technical knowledge to be confident that the sender doesn’t have the content they’re trying to blackmail them with,” she explains.

A State of Urgency
As well as the use of breached data to create that sense of reality and urgency, there have also been a number of reported cases of sextortion efforts which aim to part victims from their money – but without the use of breached data. These messages claim to have caught the victim on their webcam, and instruct them to pay a cash ransom or the video will be publicly released.

These emails mostly surfaced in 2018, when security writer Brian Krebs mentioned that the scams in question used the victim’s hacked passwords. Krebs said at the time: “The basic elements of this sextortion scam email have been around for some time, and usually the only thing that changes with this particular message is the Bitcoin address that frightened targets can use to pay the amount demanded.”

Krebs explained he heard from several recipients of the sextortion email that a password referenced in the message was legitimate but close to 10 years old, and that he suspected the attack was being conducted by an attacker with a script that draws directly from the usernames and passwords from a decade-old data breach. Every victim who had their password compromised as part of that breach was getting this same email at the address they used at the time.

As with the Ashley Madison-related sextortion campaign, this type of attack is preying on the fears of those who may have visited dating or adult websites, and are concerned about having that information shared.

Freely Available
So, how freely available is this type of data? At the end of 2019, it was reported that the personal details of 250,000 users from the Dutch prostitution forum Hookers.nl had been stolen, and the hacker was actively trying to sell the data for $300. The information included email addresses, user names, IP addresses and scrambled password data.

David Emm, principal security researcher at Kaspersky Lab, says if people want to use legal services of this nature, they have the right to do so, and they have the right to rest assured their data is stored safely. “The personal nature of these websites means the people using them would not want their information public, so this data is especially sensitive and could leave victims of the breach open to extortion and blackmail,” he says.

“Websites like Hookers.nl hold an awful lot of valuable data – and there could be serious consequences if this information is managed or stored incorrectly. The website operators of Hookers.nl had a responsibility to protect customer data, and they fell short of this.”

Guirakhoo says listings for data related to both Ashley Madison and Hookers.nl are active on dark web marketplaces. “Listings which include the Ashley Madison breach have been advertised on cyber-criminal marketplaces like Empire as recently as March 2020. As the data isn’t as ‘fresh’ now as it was back in 2015, it is now sold in conjunction with other breach databases in amalgamated ‘combo lists’ for as little as $5.”

As for the more recent Hookers.nl data breach, Guirakhoo says data from this is being widely circulated on cyber-criminal platforms. “A post from late June 2020 was identified on the prominent Russian-language cyber-criminal forum XSS as containing a link to download the breach for free.”

In terms of the economics of the sextortion emails, analysis by the Austrian Institute of Technology found that between June 2018 and April 2019 scammers made around $1.2m through “sophisticated pricing strategies” which are based on language and threat structures.

That research also determined that sextortion spamming “is a lucrative business and spammers will continue to send bulk emails that try to extort money through cryptocurrencies,” calling on the anti-spam community to focus on preventing these spam messages.

That is one tactic, but it could prove to be problematic if legitimate emails promoting cryptocurrencies and investment opportunities are caught up in these blocks.

Niels Schweisshelm, technical program manager at HackerOne, points out that the Austrian researchers were able to identify and track around 250 active Bitcoin wallets, and came to the conclusion that multiple scamming groups most likely used the same financial broker to manage their earnings. “They also identified 15 unique sextortion campaigns where sometimes Bitcoin wallet addresses were reused, indicating that those scams are done by the same groups or that they work together,” Schweisshelm says.

“The amount of money demanded from the victims differed quite heavily, depending on the language the email was written in. The average demanded amount in scam emails written in English was around $750, whereas the Italian-speaking victims were on average scammed for $300.”

Keeping it Simple
Overall, sextortion is enabled by its simplicity. Alex Tilley, senior researcher at Secureworks, tells Infosecurity that the “simplest way to do it” is to try the “caught you!” tactic, and it is surprisingly common for people to fall for that tactic as it “plays to your emotional trigger points” as your brain automatically presumes guilt and shame.

Tilley says there are many different ways to carry out a sextortion campaign, from a mail merge using a database, to random messages, to sending the same message but without a password, “and it is pretty effective as scammers are playing to your base level of emotions.”

He also says another common tactic is to send social media messages and to use lines like “OMG have you seen these photos?” or “is this you in the photo?” When such messages come from a ‘friend’s’ account, that is another emotional trigger as you trust your friend. “It is one of the things that is so simple to do and you can add an exploit or malware and go from there.”

The Real Thing
There is of course the real possibility of actual sextortion, where an attacker can place a Remote Access Trojan on a user’s device and switch on the webcam to record the victim. Tilley calls this “deeply harrowing” but also “incredibly common” as the message may contain an actual screenshot of the victim and this can be a real threat to a person.

What is the best method to detect and block these attacks? Carter says these typically come from a spoofed domain, so look for hallmarks such as poor quality grammar and spelling, or threatening language to try to force you to urgently take action. She also recommends using different passwords and, where possible, different email accounts depending on which service you’re signing up to.

Also, consider adding multi-factor authentication, as “having a second factor in place means that it’s harder to compromise your account if someone finds out what your password is.”

Tilley says better detection is needed where different character sets are used, as spam filters match on specific words and that matching can be bypassed easily. “It is an arms race and the best protection people have is to make sure they know the sextortion scourge exists,” Tilley concludes.
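The character-set evasion Tilley describes, and the earlier concern about legitimate cryptocurrency mail being caught in blocks, as an added example that is not from the article or from any vendor quoted in it: a small Python filter that folds look-alike characters before matching, and only flags mail that pairs several threat terms with a Bitcoin address. The confusable table, term list, address pattern and sample messages are constructed for this example.

```python
import re
import unicodedata

# Constructed look-alike table for this example: a few Cyrillic letters that render
# like Latin ones. A production filter would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0456": "i", "\u0443": "y", "\u0445": "x",
}
# Zero-width characters and soft hyphens split a word without changing how it looks.
INVISIBLE = re.compile(r"[\u200b\u200c\u200d\u00ad\ufeff]")
# Vocabulary typical of the threat-plus-ransom pattern the article describes.
THREAT_TERMS = ("webcam", "video", "password", "bitcoin", "btc", "contacts", "recorded")
# Simplified Bitcoin address shapes: legacy 1.../3... (base58) and bech32 bc1...
BTC_ADDR = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")


def fold(text: str) -> str:
    """Normalise compatibility forms, drop invisible characters, map look-alikes to ASCII."""
    text = unicodedata.normalize("NFKC", text)
    text = INVISIBLE.sub("", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def matched_terms(text: str) -> list:
    """Threat-term hits on the text exactly as given (no folding)."""
    lowered = text.lower()
    return sorted(t for t in THREAT_TERMS if re.search(rf"\b{t}\b", lowered))


def score(text: str) -> dict:
    """Flag only when several threat terms appear together with a payment address,
    so a legitimate cryptocurrency newsletter is not blocked on the word alone."""
    folded = fold(text)
    terms = matched_terms(folded)
    addresses = BTC_ADDR.findall(folded)  # match before lower-casing: base58 is case-sensitive
    return {
        "terms": terms,
        "naive_terms": matched_terms(text),  # what a filter without folding would see
        "btc_addresses": addresses,
        "flagged": len(terms) >= 3 and bool(addresses),
    }


# Constructed samples. The first mixes Cyrillic letters and a zero-width space into
# English words; the address is a placeholder that only has the right shape.
SAMPLES = {
    "obfuscated": ("I have your \u0440\u0430ssw\u043erd and a w\u0435bc\u0430m vi\u200bdeo of you. "
                   "Send 0.3 b\u0456tc\u043ein to 1TestAddrPLACEHxxxxxxxxxxxxxxxx "
                   "or it goes to your c\u043entacts."),
    "newsletter": "Our weekly Bitcoin market update: three investment ideas for Q3.",
}
```

Running `score` over both samples shows the obfuscated message matching no terms until it is folded, and the newsletter staying unflagged because it carries one term and no address.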