Beazley breach insights - February 2019
Opportunistic cyber criminals are engaging in a new, darker strain of email compromise by attempting to bribe recipients into paying crypto-currency ransoms using so-called ‘sextortion’ tactics...
Opportunistic cyber criminals are engaging in a new, darker strain of email compromise by attempting to bribe recipients into paying crypto-currency ransoms using so-called ‘sextortion’ tactics.
A typical case of sextortion investigated by Beazley Breach Response (BBR) Services involves an email from someone claiming to have accessed the recipient’s work computer and found the addresses of pornographic websites they have viewed. The sender says they have simultaneously recorded footage of the recipient as they watched these sites using their webcam, and threatens to share the files with their email contacts if demands are not met.
The emails often contain a link or zip file they claim contains evidence of the internet or webcam activity, or to a website to pay the crypto-currency ransom. If clicked on, the link may in fact spread malware that can steal information and install GandCrab, a common ransomware used by hackers to lock-up the computer until the ransom is paid.
In the cases seen by BBR Services, assertions that the sender has compromising information have proved to be hoaxes. There is no sign yet that the targets of sextortion are anything other than random and it often turns out that no data has been compromised.
However, a small number of emails sent out to thousands of recipients may indeed hit home. If these individuals did engage in inappropriate behavior on their work computer, they could be vulnerable to extortion. When the first trickle of sextortion claims were reported to BBR Services in the summer of 2018, they took the form of spam campaigns aimed at credit unions, but since then, policyholders from various industries have been hit.
In the fourth quarter of 2018, BBR Services was notified of these cases by several policyholders involving demands for crypto-currency worth hundreds or thousands of dollars. To increase the authenticity of the demand, in some cases, the threatening email will include an old or current password linked to the recipient’s email address. Such information is often obtained via the dark web where hackers dump and sell user credentials that have been compromised in earlier data breaches.
Messages containing the recipient’s password potentially pose a larger security concern for businesses, especially as passwords are often recycled or only slightly changed by users. The issue can be further complicated if the email appears to come from another email address within the same organization. This can indicate a wider problem than a single, apparently random, phishing attempt. BBR Services has also seen advanced spoofing in connection with sextortion, where the email appears to be from the victim’s own email account and it takes some investigation to determine whether or not the account was actually compromised.
It remains extremely important to scrutinize the source of any such email and to ensure that practical measures are being taken by employees to prevent an incident escalating into a wider issue. At an organizational level, businesses should ensure their domains are locked down to make it harder for external users to spoof domains under their control.
As with any cyber incident, if an employee reports receiving one of these emails, organizations should notify BBR Services and take sensible precautions to protect themselves. These include:
- Warning employees about this risk, mindful some may be reluctant to report it because of the potentially embarrassing nature of the threat
- Resetting an employee's password to minimize any risks from password recycling
- Enforcing strong password policies and educating employees about the risks of recycling passwords for different applications
- Setting up a multi-factor authentication process for remote access to email and other applications
- Regular employee training on how to identify phishing.