Preying on a victim’s fear that “private” browsing habits will be exposed sits at the center of these well-crafted attacks, which leverage stolen or harvested passwords to make the threat credible.
Cybercriminals have upped their sextortion game. It started with the LinkedIn data breach, where a simple email presenting the user’s old password in the subject line was enough to convince the victim that the sender really had access and that they needed to respond… or face the consequences.
But the latest data from researchers at security vendor Barracuda highlights some “improvements” in these types of attacks, used to increase the likelihood of success.
According to the findings, here are some of the ways attackers have stepped up their game:
- They harvest passwords – instead of reusing a password from a breach that is many years old, cybercriminals first harvest current passwords with phishing emails disguised as security alerts and password change requests, and then hit the user with the sextortion scam. A password the victim is using today is far more convincing than a stale one, which dramatically improves the attackers’ ability to collect.
- They use high-reputation senders and IPs – attackers now send from compromised Office 365 or Gmail accounts. Because the mail genuinely originates from those providers, sender reputation and authentication checks pass, and the emails land in Inboxes rather than spam.
- They avoid virus filters – by not including malicious links or attachments, these emails give URL and attachment scanners nothing to inspect, so they are not flagged or quarantined.
- They avoid spam filters – the wording and layout of the email are constantly changed so that signature- and phrase-based filters do not match.
- They use bitcoin for payment – payments are irreversible and pseudonymous, so the money cannot be clawed back and the recipient is very hard to identify.
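The list above describes what the scammers vary (wording, sender, links) and, implicitly, what they cannot vary: every such email must claim a password, threaten exposure, and supply a Bitcoin address. The following detector is an added example written for this article, not code from the original page or from Barracuda. It scores a message on those invariants, and it verifies the Base58Check checksum of legacy addresses so that random Base58-looking strings do not count as a strong signal. The two sample messages, the phrase lists, the weights and the threshold are all constructed for the example; the well-known Bitcoin genesis-block address is used only as a syntactically valid placeholder.

```python
"""Heuristic triage for sextortion e-mails (added example, not from the article).

Filters keyed on URLs, attachments, sender reputation or fixed phrases are defeated
by the tactics the article lists. What the scammer cannot drop is the shape of the
demand: a password claim, a threat, and a Bitcoin address. This scores on those.
"""
import hashlib
import re

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH/P2SH addresses (start with 1 or 3) and bech32 addresses (start with bc1).
LEGACY_BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BECH32_BTC_RE = re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b", re.IGNORECASE)

# Phrase families (constructed for the example); each family counts once, because the
# exact wording rotates per campaign while the ingredients do not.
CREDENTIAL_PHRASES = ("your password", "password is", "know your password", "is your password")
THREAT_PHRASES = ("webcam", "camera", "video of you", "recording", "adult", "contacts", "expose", "send it to")
PAYMENT_PHRASES = ("bitcoin", "btc", "wallet", "transfer", "48 hours", "24 hours", "usd", "$")

# Constructed sample messages; not real scam or vendor e-mail.
SCAM_SUBJECT = "Summer2017 is your password"
SCAM_BODY = (
    "I know Summer2017 is one of your passwords. My malware recorded you through your webcam\n"
    "while you visited adult sites. Pay 1900 USD in bitcoin to this wallet:\n"
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\n"
    "You have 48 hours or I send the video of you to all your contacts."
)
BENIGN_SUBJECT = "Invoice 1048 for March"
BENIGN_BODY = (
    "Hello, please find invoice 1048 for March attached. The total is $1,900 USD.\n"
    "You can pay online at https://pay.example.com/inv/1048 or by bank transfer.\n"
    "Thanks, Accounts team."
)


def base58check_valid(address: str) -> bool:
    """True if the string decodes to 25 bytes whose last 4 are the double-SHA256 checksum."""
    n = 0
    for ch in address:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        payload = n.to_bytes(25, "big")  # leading '1' characters become leading zero bytes
    except OverflowError:
        return False
    body, checksum = payload[:21], payload[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def find_btc_addresses(text: str) -> dict:
    """Split candidates into checksum-valid legacy, bech32-shaped, and lookalike strings."""
    found = {"valid_legacy": [], "bech32": BECH32_BTC_RE.findall(text), "lookalike": []}
    for cand in LEGACY_BTC_RE.findall(text):
        found["valid_legacy" if base58check_valid(cand) else "lookalike"].append(cand)
    return found


def score_sextortion(subject: str, body: str) -> tuple[int, list[str]]:
    """Return (score, reasons). In this constructed scheme, 5 or more is a strong indicator."""
    text = f"{subject}\n{body}".lower()
    score, reasons = 0, []
    addrs = find_btc_addresses(body)
    if addrs["valid_legacy"] or addrs["bech32"]:
        score += 3
        reasons.append("bitcoin address present")
    elif addrs["lookalike"]:
        score += 1
        reasons.append("bitcoin-shaped string, checksum invalid")
    for name, phrases, weight in (("credential claim", CREDENTIAL_PHRASES, 2),
                                  ("threat language", THREAT_PHRASES, 2),
                                  ("payment demand", PAYMENT_PHRASES, 1)):
        if any(p in text for p in phrases):
            score += weight
            reasons.append(name)
    # The article notes these emails carry no links or attachments. A payment demand with
    # threats but nothing clickable is itself unusual for legitimate commercial mail.
    if score >= 3 and not re.search(r"https?://", body):
        score += 1
        reasons.append("no URL in a payment demand")
    return score, reasons


if __name__ == "__main__":
    for label, subj, body in (("scam", SCAM_SUBJECT, SCAM_BODY), ("benign", BENIGN_SUBJECT, BENIGN_BODY)):
        print(label, score_sextortion(subj, body))
```

The scam sample scores 9 (address, credential claim, threat, payment demand, no URL) and the invoice scores 1 (payment wording only). Rotating the text of the sample does not change the score as long as the three ingredients remain, which is the point: detect what the attacker cannot change. The phrase lists and weights are illustrative and would need tuning against real mail before use.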
Also, according to Barracuda, employees are twice as likely to be targeted by a sextortion scam as by a business email compromise attack. And, because of the potentially embarrassing nature of the scam, these attacks often go unreported.
Organizations need to educate users through Security Awareness Training so they understand that the threat in these scams is empty and, most importantly, how to spot the malicious emails designed to harvest their passwords in the first place (passwords that can be used for far more damaging purposes than soliciting money via blackmail).