We've covered sextortion before, focusing on how the core of the threat is an exercise in trust. The threat actor behind the campaign will use whatever information is available on the target to convince them that the threat actor really does have incriminating material on them. (They don't.) But as public awareness of the scam grows, threat actors have to pivot to less expected pitches to maintain the same response from victims. Let's take a look at a recent variant.
In this variant, the technique at hand appears to be peppering the pitch with as many technical terms as possible in order to wear down a victim's defenses and sell the lie that the threat actor actually hacked them. (NOTE: employing a blizzard of technical vocabulary as quickly as possible is a common technique to sell lies offline as well as via email.) If we take a closer look, the facade begins to fall away fairly quickly.
- EternalBlue, RATs, and trojans are all different things: EternalBlue is an exploit for a Windows SMBv1 bug (MS17-010), a RAT (remote access trojan) is a category of malware, and "trojan" is a broader malware class still. The email runs them together as if they were a single tool.
- Porn sites either don't allow anonymous user uploads or scan and monitor those uploads for malicious content.
- The social media data referenced is not stored locally and thus cannot be 'harvested' from the victim's machine, and most of it is available on the open web anyway.
- A RAT cannot take a specific action based on what you're doing in front of an activated camera. How would it know?
Some of these points would be difficult for an average user to catch, but the last two are pretty good red flags that the actor behind the email is not as sophisticated as he claims. The problem is that by opening the pitch with the most alarming possible outcome, the scammer pushes many users into a panic, and they don't stop to consider small details. A key to good defense against sextortion is taking a deep breath, reading the email carefully, and asking yourself: do these claims make sense?
Where did it come from?
Sextortion scammers typically take a shotgun approach to targeting, using compromised or disposable email addresses to send out as many messages as possible. Some variants will attempt to make the pitch more effective by including actual user passwords gleaned from old database breaches. The important thing to remember, though, is that the scammers do not have any current information to disclose, because they didn't actually hack anyone. This is a fairly low-effort social engineering attack that remains profitable precisely because the attacker does not have to expend resources actually hacking an end user.
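The tells described above (a blizzard of security jargon, an "I have your password" claim from an old breach, a webcam claim, a payment deadline, and a Bitcoin address to pay into) are regular enough to score mechanically. The following is an added example, not code from the original post or from any vendor: a small triage heuristic a mail administrator or incident responder could run over a reported message. The two sample emails are constructed for the example, the jargon list and the indicator weights are assumptions, and the Bitcoin address in the sample is a fake one that merely fits the base58 shape.

```python
"""Heuristic triage of a suspected sextortion email (example code, not from the original post)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Security vocabulary these pitches string together to sound credible.
# The list is an assumption for the example; "rat" is included because the
# emails use the acronym verbatim.
JARGON = {
    "eternalblue", "rat", "trojan", "keylogger", "exploit", "malware",
    "backdoor", "botnet", "payload", "rootkit",
}

# Bitcoin addresses: legacy/P2SH base58 (starts with 1 or 3, 26-35 chars) or
# bech32 (starts with bc1). Base58 omits 0, O, I and l; bech32 omits 1, b, i, o.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
PASSWORD_RE = re.compile(r"\byour password (?:is|was)\s*:?\s*([^\s.,;!]+)", re.I)
DEADLINE_RE = re.compile(r"\b(\d+)\s*(hours?|days?)\b", re.I)
CAMERA_RE = re.compile(r"\b(?:webcam|camera)\b", re.I)


@dataclass
class TriageReport:
    words: int
    jargon_terms: List[str]
    jargon_per_100_words: float
    claimed_password: Optional[str]
    btc_addresses: List[str]
    deadline: Optional[str]
    camera_claim: bool
    score: int = 0
    verdict: str = ""


def triage(body: str) -> TriageReport:
    """Extract the indicators from an email body and weight them into a verdict."""
    tokens = re.findall(r"[a-z0-9]+", body.lower())
    jargon_hits = [t for t in tokens if t in JARGON]
    words = len(tokens)
    density = round(100.0 * len(jargon_hits) / words, 1) if words else 0.0
    pw = PASSWORD_RE.search(body)
    dl = DEADLINE_RE.search(body)
    report = TriageReport(
        words=words,
        jargon_terms=sorted(set(jargon_hits)),
        jargon_per_100_words=density,
        claimed_password=pw.group(1) if pw else None,
        btc_addresses=BTC_RE.findall(body),
        deadline=dl.group(0) if dl else None,
        camera_claim=bool(CAMERA_RE.search(body)),
    )
    # Weighted indicators (weights are an assumption). A payment address is the
    # strongest single tell; jargon density alone is weak, since legitimate
    # security mail uses the same vocabulary.
    score = 0
    if report.jargon_per_100_words >= 3.0:
        score += 2
    if report.btc_addresses:
        score += 3
    if report.claimed_password:
        score += 2
    if report.deadline:
        score += 1
    if report.camera_claim:
        score += 1
    report.score = score
    report.verdict = "likely sextortion" if score >= 5 else "no sextortion pattern"
    return report


# Constructed sample messages for the example; the address is not a real wallet.
SAMPLE_SEXTORTION = """\
Hello. I know your password is hunter2. Do not ask me how, I am a hacker.
Using the EternalBlue exploit I installed a RAT trojan with a keylogger and a
backdoor on your device. My malware recorded you through your webcam while
you visited adult websites, and harvested your Facebook and WhatsApp contacts.
Send 900 USD in bitcoin to 1FakeAddrExampLeForTest1111111111 within 48 hours
or the video goes to everyone you know.
"""

SAMPLE_BENIGN = """\
Hi team, the quarterly report is attached. Please review section 3 by Friday
and send me your comments. Thanks!
"""

if __name__ == "__main__":
    for name, body in (("scam", SAMPLE_SEXTORTION), ("benign", SAMPLE_BENIGN)):
        r = triage(body)
        print(f"{name}: score={r.score} verdict={r.verdict!r} jargon={r.jargon_terms} "
              f"password={r.claimed_password!r} btc={r.btc_addresses} deadline={r.deadline!r}")
```

The claimed password is worth extracting on its own: if a user reports the email, checking that string against a breach corpus (rather than assuming a live compromise) is usually what settles the "did they really hack me" question.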
How NOT to get help
The bulk of cyber threats out there are in fact symptoms of human systems failures. Appropriate, responsible infosec responses to these failures give people tools to shore up those systems, thereby ensuring the cyber threat does not claim a foothold to begin with. Less prudent infosec responses, however, do this:
An IP address is the rough online equivalent of a zip code. Could you find where someone whose name you don't know lives based solely on a zip code? Would you really trust a company that makes grammatical errors in its own Google ads?
Is there anyone in 2019 who genuinely believes it's possible to keep anything off the Internet? Extraordinary claims require extraordinary evidence, but unfortunately they don't provide any, as their technology is "proprietary."
It can be very frightening for a user to receive one of these social engineering attempts, particularly if the pitch is loaded with a slew of technical terms they do not understand. But close reading of the email can sometimes reveal red flags indicating the threat actor is not exactly the sharpest hacker out there. Further, the defense against sextortion is one of the cheapest, easiest defenses against cyber threats out there: do nothing. Stay vigilant, and stay safe.