If you watch crime dramas or mysteries, you have seen numerous episodes where blackmail plays a part. The victim has done something that they don’t want to become public knowledge, and revealing the misdeed will have serious consequences. Hence the demand for money in order to maintain silence. On TV, the blackmailer never stops making demands and things go badly for everyone concerned.
Sometimes blackmail can be effective even when no misconduct on the part of the victim exists. Just the threat of even a false accusation moves the victim to pay up.
This is the case with the latest round of a (legalistically) misnamed social engineering scam: sextortion. The scam works like this:
1) The victim gets an email claiming that a split screen video exists of them watching porn. Supposedly this was obtained via malware on the user’s computer. Unless a sum is paid, the video will be sent to all the victim’s contacts.
2) To legitimize the claim, the criminal sends a password the victim used in the past. What the victim often doesn’t realize is that this password was obtained from a data breach, not from the victim’s hacked computer. Many old passwords are available on the dark web.
3) A new twist is spoofing the victim’s email so it looks like it was sent from their hacked email account.
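The three tells listed above (the webcam video claim, an old password offered as proof, and a sender address spoofed to be the victim's own) can be checked mechanically at the mail gateway. The triage helper below is an added example written for this post; it is not code from Ashton Technology Solutions. The keyword patterns and the scoring thresholds are assumptions chosen for the demonstration, the sample message is constructed, and the header names used are the standard ones (From/To, Authentication-Results, Received-SPF).

```python
"""Triage helper for 'sextortion'-style extortion emails (added example).

Checks a raw RFC 5322 message for the tells the post describes:
  * the sender address equals the recipient (the 'sent from your own hacked
    account' trick), ideally confirmed by a failed SPF result,
  * a claim that a webcam / split-screen porn video exists,
  * a password quoted as 'proof', and a demand for payment.
Keyword lists and thresholds are assumptions for this example only.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed phrase lists; tune them to the lures you actually receive.
VIDEO_CLAIM = re.compile(r"(webcam|split[- ]screen|recorded you|adult (site|video)|porn)", re.I)
PASSWORD_CLAIM = re.compile(r"(your password|password is|one of your passwords)", re.I)
PAYMENT_DEMAND = re.compile(r"(bitcoin|btc|wallet|\$\s?\d{3,}|transfer)", re.I)
SPF_FAIL = re.compile(r"spf\s*=\s*(fail|softfail|permerror)", re.I)


def _body_text(msg):
    """Return the plain-text body, walking multipart messages if needed."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    else:
        parts = [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace") for p in parts)


def triage(raw_email: str) -> dict:
    """Return the indicators found, a score and a verdict for one message."""
    msg = message_from_string(raw_email)
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    body = _body_text(msg)
    # Authentication results are added by the receiving MTA, not the sender.
    auth = " ".join(msg.get_all("Authentication-Results", []) + msg.get_all("Received-SPF", []))

    indicators = []
    if sender and sender.lower() == recipient.lower():
        indicators.append("from_equals_to")      # spoofed to look like the victim's own account
    if SPF_FAIL.search(auth):
        indicators.append("spf_fail")            # the spoofed sender failed authentication
    if VIDEO_CLAIM.search(body):
        indicators.append("video_claim")
    if PASSWORD_CLAIM.search(body):
        indicators.append("password_as_proof")   # breached password offered as 'evidence'
    if PAYMENT_DEMAND.search(body):
        indicators.append("payment_demand")

    score = len(indicators)
    verdict = "likely_sextortion" if score >= 3 else "review" if score == 2 else "clean"
    return {"sender": sender, "indicators": indicators, "score": score, "verdict": verdict}


# Constructed sample messages (no real addresses, passwords or wallets).
SAMPLE = """\
From: victim@example.com
To: victim@example.com
Subject: victim@example.com - hunter2
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=victim@example.com
Content-Type: text/plain; charset=utf-8

I know your password is hunter2. My malware recorded you on your webcam
while you visited an adult site, split-screen with what you were watching.
Send $900 in bitcoin to this wallet within 48 hours or the video goes to
all your contacts.
"""

CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
Content-Type: text/plain; charset=utf-8

Lunch tomorrow?
"""

if __name__ == "__main__":
    for raw in (SAMPLE, CLEAN):
        print(triage(raw))
```

The From-equals-To check on its own is weak (people do email themselves), which is why the verdict needs several independent tells before it flips to "likely_sextortion"; the SPF failure is the strongest single signal because it comes from your own receiving server rather than from anything the attacker controls.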
None of this is new or complex. It is just social engineering at its simplest.
Any ransomware attack (more properly considered extortion, since there will be ‘violence’ done to the victim’s data), extortion/blackmail attack, wire transfer fraud, W-2 fraud, or many of the others that make the news are, at their core, social engineering. Successfully defending your accounts from attacks involves recognizing social engineering when it’s being used on you or your company. You need to have procedures in place to short-circuit attacks of this kind before they gain a foothold on your network.
When it comes to wire transfer fraud, for example, don’t rely on one method of approval. Procedures that require an additional and different channel for verification can stop scams in their tracks. If you require both voice and email authorization, then an email alone will not allow the fraud to happen. The CFO should designate an alternate approver for times when they are unavailable, so that the two-step approval procedure is never bypassed. The often heard “But sometimes I can’t call the CFO to get timely authorization” should never be the reason to risk something this important. Talk to the folks at Ashton for real-life examples of how implementing a two-step approval stopped a large financial loss.
So back to ‘sextortion’. Even if you have watched porn on your computer, don’t be so quick to believe the claim. Unfortunately, there are quite a few people dancing to the blackmailer’s tune. In the last three months, $4 million has been paid out due to this scam. Paying is never recommended by law enforcement, so be very careful about any threats you receive, whether they be sextortion, ransomware or otherwise. The usual social engineering threats are the end result of broad attacks where criminals hope someone will react. Don’t be that someone. Obviously, if someone is threatening bodily harm, you need to contact law enforcement, but the usual ‘give me money to be quiet’ scheme can be ignored. In the ransomware arena, those who paid were much more likely to be hit again, since they have shown a willingness to pay.
The sextortion scam, like most others, only works because the victim allowed themselves to be persuaded. The person who knows what to look for can avoid the effects of these scams easily. In this case the best defense is not a good offense, but rather awareness. Can you or your employees recognize a social engineering attack?
Proper training will allow you to answer “Yes”!
Call Ashton Technology Solutions at 216.397.4080 for security awareness training for your ENTIRE team.