Victims of this new type of sextortion scam are socially engineered by cybercriminals posing as contacts on dating and adult sites, who slowly collect personal information about their target over the course of the relationship. Once enough personal detail has been gathered, those details are published on a relatively public forum and the victim is instructed to pay a fee in bitcoin to have them removed.
While this is a bit of a long-term play, it appears that it can be far more effective than the original sextortion scams we covered, where all that was needed to scare victims into paying was an old password obtained years ago in a massive data breach.
This kind of scam demonstrates the lengths the bad guys will go to (and the patience they have) to see their scam through to the end. Whether the scam is sextortion doxing or sending a malicious attachment disguised as a fake invoice, cybercriminals will look to use social engineering tactics to accomplish a few things:
- Create the sense of urgency or comfort needed for the scam
- Establish credibility
- Engage the victim to create some form of emotional connection
- Get them to perform a needed action
In this case, the action was to give up personal information, but with social engineering-based scams, it can just as easily be to commit fraud by issuing a wire transfer to a bogus vendor.
Employees, whether at work or at home, need to be cognizant of the use of social engineering as a key tactic in any good scam. By leveraging Security Awareness Training, organizations can educate employees on how these tactics work, how to spot them, and how to avoid falling for their crafty lure.
Hopefully, none of your employees are engaged in such activities, but do keep in mind, the extortion “payment” can just as easily be “give me your credentials” as it can be “pay me in bitcoin”.