Sextortion scams have increased in frequency and scope since we first highlighted this type of attack in our October Threat Spotlight. Previously, sextortion scams were used as part of large-scale spam campaigns, but now many of these attacks are getting more sophisticated and bypassing email gateways.
We analyzed spear phishing attacks targeted at Barracuda customers and found that 1 in 10 were blackmail or sextortion attacks. In fact, employees are more likely to receive a sextortion scam than an employee impersonation or business email compromise attack.
In this Threat Spotlight, we’ll take a closer look at this research and what we uncovered about the tactics used most frequently in sextortion scams and who is most likely to be targeted by this type of blackmail threat.
Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which attacker claim to have recorded on the victim’s computer, shared with all their contacts.
The basic approach of sextortion scams remains the same. Attackers are harvesting email addresses and passwords and using them in the threatening email to add to the victim’s fears. Often, attackers will spoof their victim’s email address and pretend to have access to it to make the attack even more convincing. Payment demands usually ask for Bitcoin, and Bitcoin wallet details are included in the message.
Most sextortion scams are sent as part of larger spam campaigns to thousands of people at a time, so most get caught in spam filters. But, like with many other types of email fraud, scammers are evolving their techniques using social engineering tactics to bypass traditional email security gateways.
Many sextortion emails end up in users’ inboxes because they originate from high-reputation senders and IPs. In fact, hackers will use already compromised Office 365 or Gmail accounts in their campaigns. Emails from these legitimate, high-reputation-score accounts will pass through gateways and land in their victims’ mailboxes.
These emails don’t usually contain any malicious links or attachments that traditional gateways will look for. Attackers have also started to vary and personalize the content of the emails, making it difficult for spam filters don’t stop them.
Sextortion scams are also under-reported due to the intentionally embarrassing or sensitive nature of the threats. As a result, IT teams are often unaware of these attacks because employees either choose to pay a ransom or are simply too embarrassed to report the email.
Most common sextortion subject lines
In our study of sextortion and blackmail attacks, we looked at the 30 most common subject lines, which represent over 60 percent of all the sextortion emails we analyzed. We noticed patterns in the subject lines used by attackers. The two most common subject lines are security alerts and requests to change passwords. Attackers will often include either the victim’s email address or their password in the subject line to get them to open and read the email.
Here are some examples of security alert subject lines we saw in our research:
firstname.lastname@example.org was under attack change you access data
Your account has been hacked you need to unlock
Your account is being used by another person
Here are some examples of password change subject lines we saw:
Change your password [password] immediately your account has been hacked
Hackers know your password [password] password much be changed now
We found that almost every subject line on a sextortion email will contain some form of security warning, with more than a third requesting a password change.
Other common subject lines that we saw include references to a customer service ticket number or incident report.
Occasionally, attackers are more straightforward with the subject line, using threats like:
You are my victim
Better listen to me
You don’t have much time
You can avoid problems
This is my last warning email@example.com
Industries most likely to be targeted by sextortion
In our research, we found education was the industry targeted most frequently by sextortion and blackmail, making up 55 percent of attacks. A full 14 percent of attacks targeted government employees, and 11 percent went after business services organizations.
The overwhelming focus on education is a calculated move by attackers. Educational organizations usually have a lot of users, with a very diverse and young user base that is less informed about security awareness and may be less aware of where to seek help and advice. Students and young people are also more likely to be scared into wiring the money, given the nature of the threat.
4 ways to protect against sextortion scams
1. Spear phishing protection — Because attackers are adapting sextortion emails to bypass email gateways and spam filters, a good spear phishing solution that protects against blackmail and sextortion is a must. For example, Barracuda Sentinel has built-in components designed to detect these types of attacks.
2. Account takeover protection — Many sextortion attacks originate from compromised accounts, so make sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised. Barracuda Sentinel allows you to remediate in real time by alerting users and removing malicious emails sent from compromised accounts.
3. Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks, so you should conduct regular searches on delivered mail to detect emails related to password changes and other content we discussed above. Many of sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any that are of suspicious origin, and remediate.
Barracuda Forensics and Incident Response will help with searches, provide interactive report on geographic origin of delivered email, and help you automatically remove any malicious messages that you find inside your users mail boxes.
4. Security awareness training — Educate users about sextortion fraud, especially if you have a large and diverse user base, like education sector. Make it part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. We also recommend using phishing simulation, such as Barracuda PhishLine to test effectiveness of your training and evaluate users who are most vulnerable to extortion attacks.