Barracuda researchers have uncovered some startling new revelations about sextortion scams. In the past, sextortion scams were used as part of large-scale spam campaigns. Now, they’ve expanded in scope, even since Barracuda first highlighted this type of attack last fall.
A recent analysis of spear phishing attacks targeted at Barracuda customers found that 1 in 10 were blackmail or sextortion attacks. In fact, employees are twice as likely to be targeted in a sextortion scam than a business email compromise attack.
“The digital world has unknown vulnerabilities, and the emails are often the weakest link in the security system with the highest touchpoint. Blackmailing scams are increasing in frequency, becoming more sophisticated and bypassing email gateways. Business Email Compromise (BEC) attacks are now becoming one of the most critical problems that every organization must address. User education, vulnerability analysis, threat intelligence, good backup processes, security solutions and certainly common sense will be the go-to approach to tackle this issue,” opined Asaf Cidon, Vice President of Email Security at Barracuda Networks.
Here’s a closer look at the research, more details about sextortion scams, and ways to protect your business from this type of blackmail threat.
The Details
In most sextortion scams, attackers use a harvested email address and password to prey on a victim’s fears in a threatening email. Often, attackers spoof their victim’s email address, pretending to have access to it, to make the attack even more convincing. Bitcoin is the form of payment typically demanded, with wallet details included in the message.
Sextortion emails are usually sent to thousands of people at a time, as part of larger spam campaigns, so most get caught in spam filters. But scammers are continually evolving their email-fraud techniques, including using social-engineering tactics to bypass traditional email-security gateways.
Sextortion emails that end up in inboxes typically do so because they originate from high-reputation senders and IPs; hackers use already-compromised Office 365 or Gmail accounts.
Sextortion emails don’t usually contain malicious links or attachments found by traditional gateways. Attackers have also started to vary and personalize the content of the emails, making it difficult for spam filters to stop them.
Sextortion scams are underreported due to the intentionally embarrassing and sensitive nature of the threats. IT teams are often unaware of these attacks because employees don’t report the emails, regardless of whether they pay the ransom.
Common Sextortion Subject Lines
Barracuda’s research reveals that the majority of subject lines on the sextortion emails analyzed contain some form of security alert. More than a third request a password change.
Attackers often include the victim’s email address or password in the subject line, to get them to open and read the email.
Here are some examples of security-alert subject lines:
- name@emailaddress.com was under attack change your access data
- Your account has been hacked you need to unlock
- Your account is being used by another person
Here are some examples of password-change subject lines:
- Change your password
- Hackers know your password
Other common subject lines include references to a customer service ticket number or incident report.
Occasionally, attackers are more straightforward, using threatening subject lines:
- You are my victim
- Better listen to me
- You don’t have much time
- You can avoid problems
- This is my last warning name@emailaddress.com
Industries Most Targeted By Sextortion
Barracuda’s research identifies education as the industry most frequently targeted by sextortion and blackmail, making up the majority of attacks. Government employees are the second-largest target of sextortion. Business services organizations were the third most-targeted industry.
The overwhelming focus on education is a calculated move by attackers. Educational organizations usually have a lot of users, often a very diverse and young user base that may be less informed about security and less aware of where to seek help and advice. Given their lack of training and experience with these types of threats, students and young people can be more likely to fall victim in these attack scenarios.
4 Ways To Protect Against Sextortion Scams
AI-based protection — Attackers are adapting sextortion emails to bypass email gateways and spam filters, so a good spear phishing solution that protects against blackmail and sextortion is a must. For example, Barracuda Sentinel has built-in components designed to detect these types of attacks.
Account-takeover protection — Many sextortion attacks originate from compromised accounts; be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised. Barracuda Sentinel allows you to remediate in real time by alerting users and removing malicious emails sent from compromised accounts.
Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks. Conduct regular searches on delivered mail to detect emails related to password changes, security alerts and the other themes these scams rely on. Many sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any messages of suspicious origin, and remediate.
Barracuda Forensics and Incident Response helps with email searches, provides interactive reports on geographic origin of emails, and helps you automatically remove any malicious messages found in mail boxes.
Security-awareness training — Educate users about sextortion fraud, especially if you have a large and diverse user base, like in the education industry. Make it part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. Use phishing simulation, such as Barracuda PhishLine, to test the effectiveness of your training and evaluate the users most vulnerable to extortion attacks.
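The subject-line categories listed above and the "proactive investigations" recommendation describe, in effect, a retro-hunt over delivered mail. The following Python script is an added example, not Barracuda's detection logic or any product's code: it scores already-delivered messages on the indicators the article names (security-alert, password-change and threatening subject wording, the recipient's own address in the subject, a spoofed From that equals the recipient, a bitcoin wallet in the body, and an origin outside the regions the organization expects). The regexes, the scoring weights, the `expected_origins` list, the `Message` record layout and the sample messages are all constructed for this example; in practice the origin country would come from a GeoIP lookup on the connecting IP in the mail log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Subject-line patterns built from the three categories in the article.
# Constructed for this example; they are not vendor detection rules.
SUBJECT_RULES: Dict[str, re.Pattern] = {
    "security_alert": re.compile(
        r"\b(under attack|has been hacked|being used by another person|unlock)\b", re.I),
    "password_change": re.compile(
        r"\b(change your (password|access data)|know(s)? your password)\b", re.I),
    "threat": re.compile(
        r"\b(my victim|better listen|last warning|don'?t have much time|avoid problems)\b", re.I),
}

# Rough shape of a bitcoin address: legacy Base58 (starts with 1 or 3) or bech32 (bc1...).
# Constructed regex; it flags wallet-like strings, it does not validate checksums.
BTC_RE = re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# Assumed "home" regions for this organization (ISO country codes); anything else adds a point.
EXPECTED_ORIGINS: Tuple[str, ...] = ("US", "CA", "GB", "DE", "FR")


@dataclass
class Message:
    """One delivered message as pulled from a mail search (assumed record layout)."""
    msg_id: str
    mail_from: str
    rcpt_to: str
    subject: str
    body: str
    origin_country: str  # assumed to be GeoIP of the connecting IP


@dataclass
class Finding:
    msg_id: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_message(m: Message, expected_origins=EXPECTED_ORIGINS) -> Finding:
    """Add up the article's indicators; each reason is recorded for the analyst."""
    f = Finding(m.msg_id, 0)
    for name, rx in SUBJECT_RULES.items():
        if rx.search(m.subject):
            f.reasons.append(f"subject:{name}")
            f.score += 2
    if m.rcpt_to.lower() in m.subject.lower():      # victim's own address in the subject
        f.reasons.append("subject:contains_recipient_address")
        f.score += 1
    if m.mail_from.lower() == m.rcpt_to.lower():    # spoofed "sent from your own account"
        f.reasons.append("header:from_equals_to")
        f.score += 2
    if BTC_RE.search(m.body):                       # ransom wallet in the body
        f.reasons.append("body:bitcoin_wallet")
        f.score += 3
    if m.origin_country not in expected_origins:    # unexpected geographic origin
        f.reasons.append(f"origin:{m.origin_country}")
        f.score += 1
    return f


def triage(messages: List[Message], threshold: int = 4) -> List[Finding]:
    """Return only the findings worth an analyst's time, highest score first."""
    hits = [score_message(m) for m in messages]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample mail; addresses, wallet strings and "ZZ" origin are placeholders.
SAMPLE_MESSAGES = [
    Message("m1", "alice@example.com", "alice@example.com",
            "alice@example.com was under attack change your access data",
            "I have a recording of you. Pay 700 USD in bitcoin to "
            "1ExampLeWa11etAddr3ssDoNotUse5z7q within 48 hours.", "ZZ"),
    Message("m2", "it-helpdesk@example.com", "alice@example.com",
            "Change your password before Friday",
            "Scheduled rotation: follow the link on the intranet portal.", "US"),
    Message("m3", "random@mail.example.net", "bob@example.com",
            "This is my last warning bob@example.com",
            "Send 0.5 BTC to bc1qexampleplaceholderaddr000000 or else.", "ZZ"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(finding.msg_id, finding.score, ", ".join(finding.reasons))
```

The legitimate helpdesk reminder (m2) matches the password-change wording but nothing else, so it stays below the threshold; the two extortion messages accumulate several independent indicators. That layering is the point of a retro-hunt: a single subject keyword is noisy, whereas subject wording plus a spoofed From, a wallet string and an unexpected origin together are rarely benign. Findings should be reviewed by IT rather than fed back to the recipient, since the article notes that victims tend not to report these messages.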