calypso77 - stock.adobe.com
Organised criminals are playing on growing mainstream awareness of the risks of smart, connected internet of things (IoT) devices in a sextortion campaign targeting the owners of multiple brands of home security cameras, including Google Nest devices.
The campaign was uncovered by researchers at email cyber security company Mimecast, which found almost 1,700 examples sent to individuals, mostly in the US, earlier in January.
Although in essence a run-of-the-mill extortion racket, it is a more unusual campaign than usual due to a rather more complex methodology that appears to obfuscate the origins of the scam emails and other details that might make it possible to identify those responsible, said Mimecast’s head of data science overwatch, Kiri Addison.
Like any sextortion scam, the perpetrators claim to have compromising footage of the victim which they will release unless paid off. However, unlike in standard cases, where the original email will often link to, for example, a Bitcoin wallet, the first email does not tell the victim what the hackers want, just that they have the footage.
“They are trying to make it harder for people to detect what’s happening. They’re putting in more effort,” said Addison.
Instead, the victims are given a password to log in to an external web email account where they will find an email with a link to a site that contains genuine footage downloaded from the internet – note that this is not footage taken from the victim’s device.
From there, the victims are directed to another email inbox where they are told the footage will be posted within a week unless they are paid off. In the example seen by Computer Weekly, the blackmailers demanded €500 (£429) in Bitcoin, or gift cards redeemable at retailers including Amazon and iTunes, but also US chain stores Best Buy and Target.
“The campaign is exploiting the fact people know these [IoT] devices can be hacked very easily and preying on fears of that,” Addison told Computer Weekly.
“It is now widely known that many IoT devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.
“Ensuring that users are aware of sextortion as a phishing technique is a key part of the defence against these campaigns,” she added.
Addison said she did not believe the campaign was specifically targeted, but more likely the result of email addresses being harvested from a larger database, and that those responsible were simply trying their luck.
She reiterated that while the blackmailers do have access to video footage, it is not genuine footage of their victims, and that any such emails received can be safely ignored.
Addison said that although not a direct result of an IoT-related breach, the issues around unsecured IoT devices are genuine ones.
“The vulnerabilities are real. It is quite possible to hack a lot of these devices, but I think at the same time education around these extortion campaigns is really important so that people know not to fall for them,” she said.
A spokesperson for Google Nest said: "Any incident where someone is made to feel unsafe in their home is deeply unfortunate and something Nest works hard to prevent. That’s why privacy and security are the foundation of our mission.
"Incidents like this campaign typically occur when a bad actor tries their luck with email addresses from databases of stolen information. Nest users who are contacted by these actors should not respond and we encourage them to contact Nest support if needed.
"We offer several key protections to prevent the likelihood of hacks and keep our products secure. Two-factor authentication has already been enabled by millions of people. We also offer the option to migrate to a new Google Account. Privacy and security continue to be a focus for us, and we'll continue to introduce features that prevent these incidents from happening."
Read more about email security
- Cyber security professionals need to keep up to date with email-borne threats because they continue to evolve and have a major impact on business, research reveals.
- Email security gateways protect enterprises from threats such as spam and phishing attacks. This article explains how these products get the job done.
- For most people, emails are an easy and harmless way to communicate in the workplace, but they could also be a security disaster waiting to happen.