Sextortion scum armed with leaked credentials are persistent pests

If you're going to batter 8,497 folk with over 60,000 threats, odds are someone will crack


Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests.

One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using partial details of real passwords that have been exposed by genuine breaches.

Most often this involves cases where the compromised web service used weak and crackable password hashes. Password crackers sell compromised email addresses and passwords through underground forums, but these lists often leak and are therefore not difficult to acquire even without paying. Sextortionists take these lists before churning out batches of bogus emails, often from newly created webmail accounts, or alternatively take the lazier and less effective approach of using open email relays.

Threat intelligence firm Digital Shadows ran the rule over a large sample of such scam emails, sent over a two-month period, to gauge their effectiveness.

In the sample, a total of 8,497 individual email addresses were swamped with more than 60,000 spam messages (a sample of which appears in a blog post here).

The Anti Public and the Exploit[.]in leaks were the two main sources of compromised credentials harnessed in the scam sample, Digital Shadows discovered.

Researchers found that persistence paid off for scammers: marks would pay up after a sustained series of scam emails rather than when the first one appeared in their inbox. Victims who had recently actually watched porn and were in the terrible habit of reusing passwords across multiple sites were more likely to cave in. Using a webcam was another factor that made marks respond.

Victims in the sample were told to send funds to various Bitcoin wallets. Digital Shadows discovered 26 transactions linked to a fraudulent campaign that brought in $28,000. The amount demanded by the sextortionists varied, Digital Shadows reported.

The attackers experimented with different methods to maximize their return. For example, by tracking one Bitcoin address, we can see the same one targeted 49 email addresses with demands ranging from $1,100 to $11,000. Eventually the attacker got lucky with a payment of $1,100 (0.1512 BTC).
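The wallet tracking described above can be reproduced over a mail sample; this is an added example, not code from Digital Shadows or the original article. It groups messages by checksum-valid legacy Bitcoin address and collects the distinct recipients and dollar demands per wallet. The message fields, function names and sample data are assumptions, and the sample address is the public genesis-block address, used only because its checksum is valid.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy addresses only
USD_RE = re.compile(r"\$(\d[\d,]*)")

def valid_btc_address(addr):
    """Base58Check: 21 payload bytes followed by 4 bytes of double SHA-256."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return check == raw[21:]

def group_by_wallet(messages):
    """Map each checksum-valid address to its recipients and dollar demands."""
    campaigns = defaultdict(lambda: {"recipients": set(), "demands": set()})
    for msg in messages:
        demands = {int(d.replace(",", "")) for d in USD_RE.findall(msg["body"])}
        for addr in set(ADDR_RE.findall(msg["body"])):
            if valid_btc_address(addr):  # drops typos and random look-alike strings
                campaigns[addr]["recipients"].add(msg["to"].lower())
                campaigns[addr]["demands"] |= demands
    return dict(campaigns)

# Constructed sample data. WALLET is the public genesis-block address, used only
# because its checksum is valid; BAD is the same string with the last char altered.
WALLET = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
BAD = WALLET[:-1] + "b"
SAMPLE = [
    {"to": "alice@example.com", "body": f"I know your password. Send $1,100 to {WALLET}"},
    {"to": "bob@example.com", "body": f"Pay $11,000 in Bitcoin to {WALLET} within 24h"},
    {"to": "Alice@example.com", "body": f"Last warning: $1,100 to {WALLET}."},
    {"to": "carol@example.com", "body": f"Send $2,000 to {BAD}"},
]

if __name__ == "__main__":
    for addr, c in group_by_wallet(SAMPLE).items():
        print(addr, len(c["recipients"]), "recipients,",
              f"demands ${min(c['demands']):,} to ${max(c['demands']):,}")
```

Validating the checksum before grouping keeps mistyped or look-alike strings from creating phantom campaigns; the pattern deliberately ignores bech32 (`bc1...`) addresses.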

The scam represents a new way to monetise breached credentials.

Other security researchers, such as Troy Mursch, have begun attempting to chart the extent of these scams, as well as how many Bitcoins have been paid to fraudsters as a result, but this work remains only preliminary and no firm conclusions can be drawn.

Bootnote

Sextortion as a term initially referred to a sleazy cybercrime where perverts planted trojans on the PCs of young victims. Youngsters' PCs are often in their bedrooms and the malware was used to surreptitiously turn on webcams and record footage or pictures of victims. This material was then used to coerce them into sending more explicit pictures or performing sex acts.


Biting the hand that feeds IT © 1998–2022