In marketing, there are two emotions that can increase sales: fear and pleasure. Therefore, it is not surprising that scammers used these marketing concepts, for their nefarious purposes. We can call it social or psychological hacking. It allows these fraudsters to gain money from their preys plus entree to places where they are not supposed to have access. Therefore, no one is safe including corporations and governments. This kind of attack starts with a new way of blackmail, sextortion.
Sextortion is quite profitable for swindles. The FBI’s Internet Compliance Center (IC3) estimates a total of 83 million dollars in losses (Fazzini). It is incredible how many people are victimized by this kind of attack. The victim receives a shocking email. In this email, the crook claims to have filmed the victim masturbating (or watching something indecent) by gaining access to the computer. To make the threat even more believable, information such as the name, email and password are included into the message.
The email continues that if the victim does not pay a certain ransom, via bitcoins, inside the period of 24 to 72 hours, then the “film” will be exposed to all the victim’s relatives and co-workers. To make the threat even more convincing, the attacker explains that by opening a text editor and typing ‘48hr more’ (or something similar), the victim will be granted such time to obtain the sum to pay the ransom. Finally, the email threats the victim that he or she should not reach any government authority because it would be a waste of time and will regret it dearly.
The victim should know that the current email system is quite old and insecure. Attackers can easily change the content of the ‘from’ field. Actually, they can change the content of any field in the email. This is called Email spoofing. So, if they try to impress you by displaying your own email in the ‘from’ field, while insisting your email got hack (and they have full control of it), don’t be. This trick is an old technique used by spammers and scammers to prevent being track back.
There are different ways to obtain your email and password. One way is via the Deep Web, Darknet or Dark Web of which many things can be purchased such as fake driver licenses, passwords, drugs and more (DarkOwl). In this case, your leaked information can be purchased. As some of you may know, well-known companies such as Facebook as being previously victims of information leakage (Winder).
Another way these ruffians obtain your email and password is by publishing extensions, plugins, and applications in online markets such as Google Market, Firefox, and such (Doffman). This is dangerous in mobile devices and browser because it only takes the user to grant access to the storage or peripherals (such as the camera) while in regular computers the software may gain automatic access at installation.
Thanks to social media, job seeking sites and such websites, your information is exposed. If your email belongs to a domain that you own, your registration information is publicly available, unless you pay an extra fee to keep it private. They can also try to trick you by sending an email that seems to belong to a service provider you are using such as your hosting provider. Never, ever, click on a link provided to you by such emails. It’s better for you to go directly to the site of your service provider than using any link in the email. The same goes to phone numbers.
If these attackers notices that they keep failing in their intent to intimidate you, they will keep sending more emails with different claims into them. They are trying to figure out what “makes you tick”. They will claim to have installed a keylogger into your computer. They will state to have installed software that allows them to take screenshots of what you were watching. They will say that they have access all your online services. They will accuse you of all short of crimes. They will even tell you how you are their slave and they are your masters. They will use any physiological warfare at their disposition to bend your will.
This form of blackmail goes beyond the ransom for money. It imposes a security threat to governments and corporations. Just think about it. It only takes one victim to grant access, to these thugs, into a system. If a person, who is being blackmail, is willing to pay the ransom, then he or she may be willing to provide confidential information to these attackers. The best prevention is to inform your employees of such attack and create an HR program for victimized employees. Victims should be able to approach HR without fear of repercussion of any kind. Remember that your employees are your last line of defense. They can make it easier or harder to any attacker to infiltrate your system; which takes us to the next threat: Ransomware.
Ransomware is a corporate and governmental nightmare. When the attacker gains access to your system, a software will penetrate your systems by propagating and encrypting all content. Then, a message will show up indicating that only when the ransom is paid that the content would be unencrypted. The cost of paying the ransom normally is lower than the cost of hiring someone (or a company) to decrypt such content is higher; plus, there is no guarantee that it can be successfully done. Therefore, it is not surprise that entities that fall victim of such attack will pay the ransom in hopes to continue operating.
Another method of installing software such as the ransomware is via gratification. This trick involve leaving a USB flash drive in a location, such as the parking lot, or by providing such flash drive “for free” to victims. People love receiving or finding things for free.
The first line of defense is skepticism and some basic security measurements. You should not believe everything that an email says. You should not click on any link that an email provides. It is better if you go directly to the service provider instead. You should ensure that all your online accounts hold different strong passwords and change them frequently. You should make sure of the veracity of any plugin, extension, or application you are planning to install. Ask yourself if you really need it. Make separate copy of your content. If you find any devices or you are given a device such as a USB flash drive, do not plug it. It is not worth the risk.
If you are a corporation or government entity, you should have an active program to educate and support your employees. This program should include a place where employees can reach for help without fear of being judged, punished, discriminated, humiliated and fired. The less information your employees leak, due fear to be exposed, the harder is to gain unauthorized access.
Doffman, Zak. “New Android Warning: Millions Have Installed Apps Hiding A Costly Scam—Uninstall Now.” Fobes, 25 Sept. 2019, https://www.forbes.com/sites/zakdoffman/2019/09/25/new-android-warning-nasty-apps-installed-by-millions-scamming-100-from-unaware-users/#1e95f15762ec.
Fazzini, Kate. “Email Sextortion Scams Are on the Rise and They’re Scary — Here’s What to Do If You Get One.” CNBC, 17 June 2019, https://www.cnbc.com/2019/06/17/email-sextortion-scams-on-the-rise-says-fbi.html.
“DarkOwl.” What is the Darknet? DarkOwl LLC. N.d. Web. September 12, 2019. https://www.darkowl.com/what-is-the-darknet
Winder, Davey. “Unsecured Facebook Databases Leak Data Of 419 Million Users.” Fobes, 5 Sept. 2019, https://www.forbes.com/sites/daveywinder/2019/09/05/facebook-security-snafu-exposes-419-million-user-phone-numbers/#1b46efad1ab7.
© 2019, Alejandro G. Carlstein Ramos Mejia. All rights reserved.