Sextortion accounts for one in 10 spear-phishing emails

Sextortion scams have typically been used as part of large-scale spam campaigns, but now many of these attacks are getting more sophisticated and are bypassing email gateways, researchers warn.

In these scams, attackers use passwords stolen in past data breaches to trick victims into paying bitcoin to avoid having a compromising video, which the attacker claims to have recorded on the victim’s computer, shared with all their contacts, said Jonathan Tanner, a software engineer at Barracuda Networks in a blog post at the end of October 2018.

An analysis of phishing attacks targeted at Barracuda customers since then revealed that one in 10 were blackmail or sextortion attacks, according to the network security firm’s researchers.

The statistics show that employees of organisations are more likely to receive a sextortion scam than an employee impersonation or business email compromise (BEC) attack. 

The updated sextortion research from Barracuda comes just a week after researchers at security firm Digital Shadows urged businesses to gear up to defend against this type of attack, which often targets C-level executives. Cyber criminal groups promise rewards averaging £276,300 a year to accomplices, with some even offering between £600,000 and £840,000 to accomplices with network management, penetration testing and programming skills.

In the past, most sextortion scams were sent as part of larger spam campaigns and tended to get caught in spam filters, but the Barracuda researchers have found that scammers are evolving their techniques using social engineering tactics to bypass traditional email security gateways.

Many sextortion emails end up in users’ inboxes because they originate from high-reputation senders and organisations, with attackers using already compromised Microsoft Office 365 or Gmail accounts in their campaigns. Emails from these legitimate, high-reputation-score accounts will pass through gateways and land in their victims’ mailboxes.

The emails do not usually contain any malicious links or attachments that traditional gateways will look for, and attackers have also started to vary and personalise the content of the emails, making it less likely that they will be blocked by spam filters.

Sextortion scams are also under-reported because of the intentionally embarrassing or sensitive nature of the threats, the researchers said. As a result, IT teams are often unaware of these attacks because employees either choose to pay a ransom or are simply too embarrassed to report the email. 

The most common subject lines the scam emails use are security alerts (54%) and requests to change passwords (34%). Attackers will also often include either the victim’s email address or their password in the subject line to get them to open and read the email. 

Other common subject lines observed by the researchers included references to a customer service ticket number or incident report.

The education sector is most often targeted by sextortion scams, the researchers found, accounting for 55% of the total, compared with government employees (14%) business services organisations (11%), retail (7%) and technology (6%).

The focus on education is a calculated move by attackers, said the researchers, because educational organisations usually have a lot of users, with a very diverse and young user base that is less informed about security awareness and may be less aware of where to seek help and advice. Students and young people are also more likely to be scared into paying the money, given the nature of the threat. 

Barracuda recommends four ways that organisation can protect against sextortion scams:

• Spear phishing protection: Because attackers are adapting sextortion emails to bypass email gateways and spam filters, a good spear-phishing solution that protects against blackmail and sextortion is a must.
• Account takeover protection: Many sextortion attacks originate from compromised accounts, so make sure scammers are not using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised. 
• Proactive investigations: Given the nature of sextortion scams, employees might be less willing than usual to report such attacks, so conduct regular searches on delivered mail to detect emails related to password changes and other content discussed above. Many sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any that are of suspicious origin, and remediate.
• Security awareness training:  Educate users about sextortion fraud, especially if you have a large and diverse user base, such as the education sector. Make it part of your security awareness training. Ensure your staff can recognise these attacks, understand their fraudulent nature, and feel comfortable about reporting them. Use phishing simulation to test the effectiveness of your training and evaluate users who are most vulnerable to extortion attacks.