Cybercriminals have scammed people out of $332,000 since July 2018 by threatening to publish footage of the individuals engaging in some kind of sexual act, according to research published Thursday.
The threat intelligence company Digital Shadows examined 790,000 “sextortion” attempts sent to 89,000 email recipients to find that digital con artists typically build their bogus stories on existing information about real hacks.
They often review a database of username and password credentials leaked in previous data breaches to find possible extortion victims. Upon contacting a user, scammers claim to have video of the victim watching internet pornography, providing the stolen password to boost their legitimacy. Others claim they exploited a known vulnerability in Cisco routers to monitor the victim’s web activity.
The tactic was enough to convince more than 3,100 people worldwide to send bitcoin to 92 addresses, according to Digital Shadows.
Attackers ranged from sloppy thieves who demonstrated little knowledge of how to organize such an operation to smarter con artists who were better prepared.
“[S]ome of the campaigns were clearly well-coordinated, with emails sent from newly created outlook.com email addresses,” the research stated. “In some instances, the local-part of the sender’s email addresses (firstname.lastname@example.org) appeared to be randomly generated. As these emails don’t appear in previous public breaches, attackers may have created specific addresses for these campaigns rather than relying on using compromised credentials for email distribution.”
Digital Shadows cautioned that hackers with legitimate access to a victim’s computer could find easier ways of stealing their money, either by logging their banking details or collecting personally identifiable information to commit fraud later.
Researchers also observed message board posts advertising annual salaries of $30,000 for applicants willing to aim sextortion scams at corporate executives and lawyers.
“It is not unheard of to get $100k from a single target,” states one posting full of spelling errors and offering no evidence to back up its claim. “We tell them if they don’t pay we will expose them, most times they will pay. And even if they don’t it’s still a positive for us since we can blast that person on social media, the news, their work etc. and [ruin their life]. We can then take that example…and show that to our next targets and that will make them more likely to … pay us more than they would since they now see what the effects of sextortion can do to someones life[.]”
The report also highlights the rise of crowdfunding-based extortion schemes that exploit public attention to generate interest in auctions promising the release of sensitive documents. Hacking groups including the Shadow Brokers, deemed by some to be a Russian intelligence operation, and The Dark Overlord, a black hat collective that claimed to have new evidence about the 9/11 attacks, have used this technique in recent years.