Phishing messages claiming to have videos of the recipient in a compromising situation have become a regular staple of the spam folder.
The emails, which claim to hold a webcam video of the recipient and demand a payment before it is released publicly, have been seen more often over the past couple of years. According to Rob Norris, VP head of enterprise and cybersecurity EMEIA at Fujitsu, they are going to remain prevalent.
He said that since their widespread emergence over the last couple of years, the techniques these extortionists use to evade filters have continued to develop.
Speaking to Infosecurity, Norris said that this is being classed as “sextortion” and people are more aware of adult content and dating websites than ever before, and there is potential for the embarrassment of someone believing that they have been caught, “and they would not want their organization to know what they were doing.”
He said that we see people become compromised because their details were caught up in another breach, and when an attacker sends them an email saying “we’ve got your password, we know what you’ve got on your computer,” it can catch the person out.
“There are a lot of passwords out there in the public domain and if people are not updating their passwords, you see people taking advantage of that and inventing messages, and alluding to the fact that they have access to your system and emails. It is a natural exploitation.”
Norris said that attackers are picking up on growth industries and can be lucky, for example if they targeted someone in professional sport and claimed that they were using a gambling website, something which is often against the rules of professional sport. “What they are doing is cottoning on to where are the growth industries, and where is information easily accessible,” he said. “Unfortunately it is the world we now live in and the cyber-criminals utilize it, as it becomes more personal.”
Norris said that phishing used to be focused on getting into a company, or extorting money from a company; the problem area now is the individual user, who is often not educated about phishing scams.
In terms of how the messages are built, Norris explained that the developing techniques Fujitsu has observed being used to evade filters include:
- Script mixing: substituting lookalike characters for ordinary letters so that a word filter does not match, such as the Latin letters ‘ɭ’ (U+026D) and ‘ɼ’ (U+027C) in the phrase “You have 72 houɼs ɭeft”. Both of these come from the IPA Extensions block of the Latin script, so a filter that only flags characters from non-Latin scripts will not catch them; folding known confusables onto their ASCII lookalikes before matching does
- No attachment: the message describes a video or recording in technical-sounding wording as if it were attached, but carries no attachment at all. The description alone can fool an unwitting recipient into making a ransom payment
- Multiple domains and subdomains: extortion emails have been observed sent in waves from differing ‘burnable’ domains. Many newer top-level domains such as .xyz, .top and .monster are cheap to register under, so for around £100 an attacker can buy 100 .xyz domains to send phishing emails from. Blocklisting a sending domain no longer helps, because each domain is used for one campaign and then ‘burned’, never to be used again
- Different Bitcoin wallets: an early blocking mechanism matches on the Bitcoin wallet address in the message, so attackers generate many wallet addresses specifically to receive extortion payments, and a blocklist of known addresses lags behind them
- Psychological tricks: now that knowledge of these attacks is becoming more widespread, attackers add further trickery to the wording of their emails. One example seen in some extortion emails is telling the victim that they can communicate with the attacker by opening the Notepad application on the PC and typing “extension” if they need more time to get the funds together to pay the ransom. The attacker has no access to the victim’s machine and will never see the message, but offering the victim that option may convince some who would otherwise doubt the claim
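As an added example, not part of the original article and not Fujitsu's own tooling, the Python script below scores a raw email for the tricks listed above: it folds the lookalike letters onto ASCII before phrase matching (so “72 houɼs ɭeft” still matches “72 hours left”), extracts wallet-address-shaped strings as indicators to pivot on rather than relying on an address blocklist, flags sender domains under the cheap TLDs named above, and notes a message that talks about a video but carries no attachment. The confusables table beyond the two letters quoted in the article, the phrase list, the weights, the sender domain and both sample messages are constructed for illustration and would need tuning before use in a real mail filter.

```python
"""Heuristic scoring of an email for the sextortion evasion tricks listed above.
Added example; confusables, phrases, weights and samples are constructed, not real data."""
import email
import email.utils
import re
import unicodedata
from email import policy

# Lookalike letters mapped to the ASCII letter they imitate. The first two are the ones
# quoted in the article; they sit in the IPA Extensions block and are therefore Latin
# script, so a check that only flags non-Latin scripts misses them. The rest are common
# Cyrillic/Greek confusables added here as examples (assumed, not from the article).
CONFUSABLES = {
    "\u026d": "l", "\u027c": "r",                 # ɭ ɼ (Latin, IPA Extensions)
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",  # Cyrillic р с у
    "\u0445": "x", "\u03bf": "o", "\u0131": "i",  # Cyrillic х, Greek ο, dotless ı
}

# Matched against the normalized, lower-cased text, so homoglyphs cannot hide a phrase.
EXTORTION_PHRASES = [
    r"\b\d{1,3}\s*hours?\s+left\b",
    r"\bwebcam\b",
    r"\byour password\b",
    r"\bbitcoin\b|\bbtc\b",
    r"\bnotepad\b",  # the "open Notepad and type 'extension'" trick
]

# Address shapes only (legacy/P2SH base58 and bech32); no checksum validation here.
BTC_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59})\b"
)

# TLDs the article names as cheap enough to buy in bulk and burn; extend as needed.
BURNABLE_TLDS = {"xyz", "top", "monster"}


def normalize(text):
    """NFKC-fold compatibility forms, then map known confusables onto ASCII."""
    text = unicodedata.normalize("NFKC", text)
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def homoglyph_tokens(text):
    """Tokens that become pure ASCII only after folding, e.g. 'houɼs' -> 'hours'.
    Genuine non-ASCII words ('café', Cyrillic text) do not fold to ASCII and pass."""
    found = []
    for tok in re.findall(r"\S+", text):
        folded = normalize(tok)
        if folded != tok and folded.isascii():
            found.append(tok)
    return found


def sender_tld(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit(".", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Parse a raw RFC 5322 message (str) and return the matched signals plus a score."""
    # Parse as bytes so 8-bit UTF-8 in the body survives the email package's decoding.
    msg = email.message_from_bytes(raw.encode("utf-8"), policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    folded = normalize(text).lower()

    result = {
        "homoglyphs": homoglyph_tokens(text),
        "phrases": [p for p in EXTORTION_PHRASES if re.search(p, folded)],
        # Addresses are extracted as indicators to pivot on, not as a blocklist key.
        "btc_addresses": BTC_ADDRESS.findall(text),
        "burnable_tld": sender_tld(msg) in BURNABLE_TLDS,
        # "No attachment" trick: the text talks about a recording but ships nothing.
        "claims_video_without_attachment": bool(re.search(r"\b(video|recording|footage)\b", folded))
        and not any(True for _ in msg.iter_attachments()),
    }
    result["score"] = (
        2 * len(result["homoglyphs"])
        + len(result["phrases"])
        + 3 * len(result["btc_addresses"])
        + 2 * result["burnable_tld"]
        + 2 * result["claims_video_without_attachment"]
    )
    return result


# Constructed sample messages (not real mail). The sender domain, password and the
# address-shaped wallet string are all made up.
SAMPLE = """From: "Account Alert" <noreply@mailer-8831.xyz>
To: victim@example.com
Subject: Your account has been compromised
Content-Type: text/plain; charset="utf-8"

Your password is hunter2, I know it. My malware recorded a video through your
webcam while you visited adult sites. You have 72 houɼs ɭeft to send 0.2 bitcoin to
1SextortionPaymentAddrExampABCDE87, or the recording goes to all your contacts.
If you need more time, open Notepad and type "extension".
"""

BENIGN = """From: hr@example.com
To: victim@example.com
Subject: Team lunch
Content-Type: text/plain; charset="utf-8"

Lunch is at 12:30 on Friday. See you there.
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, score_message(raw))
```

The point of folding before matching is that a blocklist of words or of wallet addresses is the thing the attacker is working around; folding homoglyphs, scoring on the cheap TLD rather than the individual burnable domain, and treating the wallet address as an extracted indicator rather than a match key are each aimed at the specific evasion the list describes. Adding a base58check or bech32 checksum test on the extracted address would cut false positives from other long alphanumeric strings.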
So, where does Norris see this going in the future? He said he does see it advancing, especially with the use of deepfake technology, and he predicted that deepfake tech will become part of sextortion where compromising videos can include the victim (if they are especially high profile) and the quality can be so high that it is believable. “Due to shame or embarrassment, even if it is not true, if people believe them, that is one area that will grow quite quickly,” he concluded.