Sextortion phishing attacks up by 334%

Jack Chapman | 16th Jun 2022

Our threat intelligence team has shared several threats they have uncovered through monitoring our B2B platform in our recent report, Keeping pace with emerging threats. One of the standout threats to make your users aware of is a rise in sextortion emails that use fake threats to blackmail people into paying cryptocurrency ransoms.

Quick summary of these attacks

  • Vector and type: Sextortion phishing email
  • Technique: Social engineering
  • Payload: Cryptocurrency address
  • Targets: Individuals and organizations across the US and the UK
  • Platform: Microsoft 365
  • Bypassed secure email gateway: Yes

We saw a 334% increase in sextortion phishing emails across the UK and the US since March 2022. Across April, we discovered that 53% of these attacks were sent from compromised legitimate email accounts. All of the attacks contained cryptocurrency addresses, rather than traditional phishing payloads such as malicious links or attachments.

These tactics were likely the reason the emails bypassed secure email gateways (SEGs): the attack is linguistic in nature, with no link or attachment, which makes it harder for traditional solutions to identify.

What the attacks look like

The attacks feature a variety of subject lines. Some are closely related to the topic of the email, in the hope that people panic and click through for more information, such as:

  • “All your data has been hacked and copied to my servers. Instructions inside”
  • “Here is the last warning! Your entire information has been copied. The entry in system is completed.”

We’ve also seen financial subject lines, for example:

  • “You have an unpaid bill.”
  • “You have to pay a debt.”

These might appear bland, but they can be more effective. Some people will instantly delete a message with an alarmist subject line like the first examples. Plainer subject lines can catch people off guard and make them click, as well as avoiding detection by solutions that look for keywords such as ‘HACKED’.

The emails use emotive and threatening language to socially engineer the target to extort payment, such as ‘I could ruin your life forever’ and ‘I don’t think this kind of content would be very good for your reputation’ (figure 1). The emails we analyzed followed a similar format, stating the problem, the threat, the ‘solution’, the deadline to comply by, and the futility of reporting the incident.

Figure 1: Ransom demand within a sextortion email

After analyzing a segment of the recipients of these sextortion emails, we discovered that all of them appeared in the Apollo and/or the Data Enrichment data breaches (figure 2). It is possible the cybercriminal(s) used email addresses from these breaches to build their target list(s).

[Image: HaveIBeenPwned result showing the recipient address was exposed in the Apollo and Data Enrichment Exposure from PDL Customer breaches]

Figure 2: Data breach results from www.haveibeenpwned.com for recipients’ email addresses

Egress analysis

Egress VP of Threat Intelligence Jack Chapman has offered the following analysis and advice you can share with your users: “Cybercriminals use our psychology against us in phishing attacks. They’re designed to make someone act quickly and without rational thought. The longer we think about it, the more holes we might see in the cybercriminal’s story. For example, why has the scammer not included any evidence of what they claim to have?

“Shame, panic and fear are very primal feelings. The goal of sextortion is to trigger these feelings and make the recipient act irrationally by using language such as ‘dirty videos’, ‘disaster’, and ‘ruin your life’. By giving the recipient a deadline to respond by, the cybercriminal puts pressure on the individual to comply quickly, while warning them not to seek help from people who could think more rationally.

“However, this is all a psychological threat from the cybercriminals. These sextortion emails we’ve found are known as ‘replay attacks.’ The attackers have downloaded a contact list of everyone involved in a previous data breach and sent them their own phishing attack. They’re mass-produced attacks that don’t require technical sophistication to implement. Searching for the Bitcoin addresses will often turn up examples of the identical scam on cybersecurity forums.

“The most important advice is… Don’t pay the ransom! It’s easy for cybersecurity experts to say, and of course it can be alarming for someone to receive an email like this, especially if it’s one of the more believable ones. But the scammer is relying on the fact people will be embarrassed and won’t ask for help dealing with the issue.”
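The two observations above, that the payload is a cryptocurrency address rather than a link and that the same mass-produced message is replayed against a breached contact list, translate into a simple detection that does not depend on the subject line. The following is an added example written for this post, not Egress code or a description of its platform; the address patterns, the cue phrases and the sample messages are constructed assumptions.

```python
import re
from collections import Counter

# Address shapes are an assumption: the post only says "cryptocurrency address".
# Legacy Bitcoin addresses start with 1 or 3 (base58, no 0/O/I/l); bech32 with bc1.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")

# Linguistic cues following the structure the post describes: the threat,
# the 'solution' (pay), the deadline, and the warning not to seek help.
CUES = {
    "threat": re.compile(r"ruin your (life|reputation)|dirty videos?|disaster|hacked", re.I),
    "payment": re.compile(r"\b(bitcoin|btc|wallet|transfer)\b", re.I),
    "deadline": re.compile(r"\b\w+ (hours|days)\b|deadline", re.I),
    "silence": re.compile(r"(don't|do not|useless to) (contact|report|tell)|police", re.I),
}

def score_message(subject, body):
    """Classify one message from its crypto addresses plus linguistic cues."""
    text = f"{subject}\n{body}"
    addresses = BTC_ADDRESS.findall(text)
    cues = [name for name, rx in CUES.items() if rx.search(text)]
    # Require the payload (an address) plus at least two cues, so a bland
    # subject line such as "You have an unpaid bill." is not enough to pass.
    verdict = "sextortion" if addresses and len(cues) >= 2 else "clean"
    return {"addresses": addresses, "cues": cues, "verdict": verdict}

def reused_addresses(messages):
    """Addresses seen in more than one message: the mark of a mass-produced
    campaign replayed against a breached contact list."""
    counts = Counter(a for s, b in messages
                     for a in set(BTC_ADDRESS.findall(f"{s}\n{b}")))
    return sorted(a for a, n in counts.items() if n > 1)

# Constructed sample messages; the address is fake and only fits the pattern.
SAMPLES = [
    ("You have an unpaid bill.",
     "I have recorded dirty videos of you and I could ruin your life forever. "
     "Send 0.1 BTC to 1SampAddrFakeNotReaXYZ789abcdefghjk within 48 hours. "
     "It is useless to contact the police."),
    ("Here is the last warning!",
     "Your entire information has been copied. Pay to "
     "1SampAddrFakeNotReaXYZ789abcdefghjk in two days or face disaster."),
    ("Invoice for May",
     "Please find attached the invoice for May. Payment is due in 30 days."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(subject, "->", score_message(subject, body))
    print("reused:", reused_addresses(SAMPLES))
```

A keyword check on the subject alone would pass the first sample; the combined rule flags both extortion messages and leaves the genuine invoice, which shares only the deadline cue, untouched.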

The takeaway

Sextortion emails tend to be empty threats exploiting previous data breaches. It’s important to educate users so they do not fall for psychological tricks. Advise them to simply delete the email – and never pay a ransom.

Get the full emerging threat report

This is just one of the emerging threats our Threat Intelligence team picked up on in the past few months. For the latest info on cryptocurrency charity scams exploiting the Ukraine crisis, LinkedIn impersonation phishing, and several newly-discovered zero-day exploits, download your full report.