by Bharat Mistry
The UK’s national fraud and cybercrime reporting centre is warning UK netizens of a new sextortion campaign in which the attackers threaten to publish an intimate webcam video of their victims. They make the threat more realistic by including a genuine password that the victim has used in the past. While user education is the most effective way to counter this kind of opportunistic digital blackmail, the case highlights yet again the potential downstream impact of corporate breaches.
By improving enterprise security standards across the board and migrating away from password-based systems, organisations can not only reduce data breach costs but also the knock-on effects of PII compromise that may haunt customers for years.
A new take
Online extortion is nothing new, in fact it’s what has made ransomware such a popular money-maker for cyber-criminals. But this campaign is slightly different in that it includes the victim’s password in the subject line. Action Fraud claimed to have contacted several of the 110+ victims who reported the unsolicited scam email and they confirmed the credential to be recent. It’s more than likely that they were bought on a dark web site, after originally being stolen from an online provider.
Having grabbed the recipient’s attention by posting the valid password, the extorter then claims to have recorded a webcam video of the individual watching pornography, and to have used malware to harvest all of their social media contacts. Users are required to pay $2,900 in Bitcoin within 24 hours.
The email concludes:
“If I do not receive the BitCoins, I will definately send out your video recording to all of your contacts including close relatives, co-workers, and many others. Nevertheless, if I receive the payment, I’ll destroy the video immidiately. If you need evidence, reply with “Yes!” and I will send your video to your 10 friends. It is a non-negotiable offer, therefore do not waste my time and yours by responding to this message.”
What can we learn?
Action Fraud is quite rightly urging netizens not to panic, not to pay up and to always respond to any unsolicited message like this critically. It also pays to cover up your webcam, just in case. While this sextortion campaign is clearly a scam, previous ones have used malware to genuinely record individuals via their webcams. In fact, it was estimated in 2016 that thousands of Brits are likely caught out by such attacks each year, with at least four suicides linked to the trend.
But pulling back even further, this particular scam campaign is made possible in part via breached credentials. One could argue that if organisations worked harder to secure customer data in the first place, as the GDPR demands, there would be fewer opportunities for follow-on blackmail and fraud. That means choosing a trusted partner to provide security at every layer of your infrastructure, from endpoint to web/email gateway, network and server. Trend Micro’s cross-generational blend of cyber-defence tools is optimised to offer protection where you need it most from the huge range of modern threats.
Best practice security today also dictates moving away from static password-based systems for your employees and customers and towards multi-factor authentication. With no passwords to steal, breaches become harder to carry out and the resulting impact on users diminishes.
Scams like this one are just the tip of the iceberg and we could see an escalation in similar blackmail attempts using breached PII as a highly effective social engineering tactic. The GDPR should be your guide here. Only with improved security processes backed up with state-of-the-art technologies can organisations minimise opportunities for the cyber-criminals and reduce the risk of long-term post-breach brand damage.