Intrepid cyber-investigative reporter Brian Krebs noticed that a story published on his blog July 12 about a new sextortion-based spear phishing scheme—which uses a real password used by each recipient—had become his most-read piece since his site launched in 2009.
He commented: "And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).
But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale.
And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness."
Krebs is right: this is only the start, and most of the passwords used in this wave were old. Cyber criminals test scams the way companies test marketing campaigns, and if the response rate in the beta is high enough, they go full-scale.
The Problem: 50% Of Casually Dating Men Watch Porn Weekly
The Institute for Family Studies recently confirmed what everyone more or less already knew, but since last year there are hard numbers. Men are more likely than women to view pornography, and this is particularly true of viewing porn regularly on a daily or weekly basis.
A whopping 50% of casually dating men watch porn weekly, and this percentage only drops to 40% when they are seriously dating, and 20% for engaged or married.
Unfortunately, looking at this from a "criminal marketing perspective" the total addressable extortion market is massive.
Cyber gangs will start using fresh hacks, with recent and real passwords, highly likely combined with other personal data that was sourced from the dark web and appended to the record using big data technology. This method is also going to be used by the tech support scam artists in a variety of ways.
It's almost a matter of "What took you so long?" I have been warning here for a while that this was imminent. (The link is to a blog post of April 9, 2016.)
Phishing Continues To Be On The Rise In 2018
The Anti-Phishing Working Group's (APWG) most recent report (PDF) covers the phishing trends found in Q1 of 2018. The highlights of the report included:
- Over 11,000 phishing domains were created in Q1
- The total number of phishing sites increased 46% over Q4 2017
- The use of SSL certificates on phishing sites continues to increase to lull visitors into a false sense of security and site legitimacy.
All three of these trends add up to one thing: the bad guys are rapidly becoming more sophisticated. The more credible the threat they can establish through targeted spear phishing that leverages very private information, the more successful the campaign.
I suggest you send the following to your employees. You're welcome to copy, paste, and/or edit. You might want to coordinate with HR on this one:
Sextortion is a serious internet crime that can lead to devastating consequences for victims. Sextortion occurs when someone threatens to distribute your private and sensitive material if you don’t provide them with images of a sexual nature, sexual favors, or money.
According to the FBI, here are some things you can do to avoid becoming a victim:
- Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
- Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know.
- Turn off [and/or cover] any web cameras when you are not using them.
If you receive an email claiming that someone has video of you viewing pornography, do not answer: delete the scam email and do not pay any amount in any form.
The FBI says in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you: Contact your local FBI office (or toll-free at 1-800-CALL-FBI).
Find out if any employees are potential victims for sextortion scams
A whopping 25% of employees are using the same password for all logins. What if that password is available on the dark web? A massive number of passwords have been compromised in data breaches and are now used by the bad guys for sextortion attacks. Are any hacked passwords in use within your organization?
Using breached passwords puts your network at risk. Password policies often do not prevent employees from using known bad passwords, and making your users change their passwords frequently isn't a good solution either. It only takes one compromised password match for the bad guys to gain access.
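To illustrate why a complexity policy alone does not catch breached passwords, here is an added example (not KnowBe4's tool or code) that screens a candidate password against a constructed breach corpus using the SHA-1 prefix/suffix split that k-anonymity range lookups use; the corpus values and the complexity rules are assumptions for the demonstration.

```python
import hashlib
import re

# Constructed breach corpus (sample values, not a real dump): SHA-1 digests of
# passwords that have appeared in public breaches. A real deployment would load a
# full corpus file or issue a k-anonymity range query against a breach-data service.
BREACHED_PASSWORDS = ("password1", "Summer2018!", "letmein", "Welcome123")
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in BREACHED_PASSWORDS}


def build_range_index(digests):
    """Group digests by their first 5 hex chars, the prefix a range query sends."""
    index = {}
    for h in digests:
        index.setdefault(h[:5], set()).add(h[5:])
    return index


RANGE_INDEX = build_range_index(BREACHED_SHA1)


def is_breached(password):
    """True if the password's SHA-1 suffix appears in the range for its prefix.
    Only the 5-char prefix would ever leave the host in a remote lookup."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[5:] in RANGE_INDEX.get(h[:5], set())


def meets_complexity(password):
    """A typical length/character-class policy that knows nothing about breaches."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None)


def evaluate(password):
    """Combine both checks; a breached password is rejected even if policy passes."""
    if not meets_complexity(password):
        return "rejected: fails complexity policy"
    if is_breached(password):
        return "rejected: found in breach corpus"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("Summer2018!", "password1", "Xq7mLp9vT2"):
        print(candidate, "->", evaluate(candidate))
```

"Summer2018!" satisfies the length and character-class rules yet is rejected because it is in the corpus, which is exactly the gap a breach check closes.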
KnowBe4’s complimentary NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!
Here’s how Breached Password Test works:
- Checks to see if your company domains have been part of a data breach that included passwords
- Checks to see if any of those breached passwords are currently in use in your Active Directory
- Does not show/report on the actual passwords of accounts
- Just download the install and run it
- Results in a few minutes!
Find out now which users are using hacked passwords!