There’s a particularly insidious type of targeted phishing scam that has grown in popularity since mid-2018. Our Cisco Talos researchers have been monitoring these scams, a few of which we’ll highlight here. As is the case with most phishing scams, they’re after your money, but it’s a departure from attempts to entice you with things like romance or wealth. Instead, the scammers leverage threats against your reputation, your relationships, and sometimes even your life. In essence it’s a transition from carrot to stick.

Let’s say for example that you received an email with the subject line containing both your user name and password. Surprising as this would be, it’s the body of email that really gets your attention.

Whoever this is, claims to have compromised a pornographic website and that you visited it. The scammer says he or she took control of your monitor and webcam, recorded both you and the pornographic material, and then synced the two video streams up.

As if this wasn’t disconcerting enough, the scammer claims to have gathered all of your contacts from Messenger, Facebook, and email. Finally, the scammer insinuates that it sure would be embarrassing if the video were to be sent to all of these contacts.

Now the scammer claims that he or she isn’t a monster and could easily erase this material. In fact, they’re willing to make it all go away for the paltry sum of a thousand dollars worth of Bitcoins.

If this sounds like extortion, that’s because it is. It’s also a bluff. Much like advance-fee scams, in these “sextortion” scams the malicious actors prey upon a vulnerable segment of users. Through the use of mass-mailing phishing campaigns, they’re expecting a portion of the recipients will think that they may have, at some point, performed said task in front of a device with a camera. They’re counting on the fact that a subset of those recipients would be subjected to intense enough shame and embarrassment that they will pay money to avoid it, true or not.

First and foremost, there is no truth to these emails. This is another series of phishing campaigns sent out in bulk, hoping to trick just enough recipients to make the scammer’s efforts profitable. The lion’s share of these emails have been distributed through the Necurs botnet, putting their legitimacy on par with pump and dump scams, ransomware, and other malicious activities the botnet has come to be known for.

These emails are also full of more than their fair share of techno-babble. That’s not to say it’s impossible to view your desktop or webcam remotely, it’s just highly improbable given the way the scammer describes it. But the scammers are likely counting on these emails reaching users who wouldn’t know this. Just as with vulnerable recipients likely to overlook spelling and grammatical errors in advance-fee scams, so too do the victims in these cases either overlook or don’t understand the technical details enough to realize the unlikelihood of such a hack.

While there have been cases where adult sites have inadvertently served up malicious ads alongside their content, these attacks focused on fraudulent advertising revenue, and not spying on an individual. Of course, given enough resources and sheer determination, such an attack isn’t impossible. This raises an entirely different question: Why would an attacker go to such great lengths to compromise an individual? This would be a long and rather complicated attack scenario when compared to most web-based threats.

Besides, why go through so much effort when they can simply bluff their target with a phishing email, right?

Hence the continued campaigns. The scammers that Talos first investigated back in October continue to distribute digital extortion scams. According to new research from Talos, the “Aaron Smith” sextortion campaign mentioned in Talos’ investigation has made up as much as 5 percent of all spam on a given day in early March.

What’s interesting, given how consistent these campaigns have been, is that even when recipients choose to pay, they don’t appear to be paying the full amount. Based on analysis by Talos of the Bitcoin wallets used in many of the campaigns, only a tiny percentage of the wallets analyzed contained positive Bitcoin balances. And many of these balances fall far below the thousands of dollars requested by the scammers. Even so, the final payout of two campaigns Talos looked at was a six-figure sum.

Given the moderate success of these sextortion-themed scams, digital extortion scammers have branched out into other, much more violent themes—often threatening the recipient’s life. In one such variant, the scammer purports to be a hitman who has been given a contract to kill you. Only, being the “good Samaritan” that this person is, they have had a change of heart. If you can pay them a set fee in Bitcoins, they would be willing to forget the whole contract.

Since their appearance in mid-2018, there have been many more variants of this scam, ranging from threats of acid attacks to “I know you’re cheating”-style emails. However, in December, digital extortion scams took an even darker twist, making national news in the process. This round of emails contained a bomb threat, resulting in the evacuation of schools, newspapers, transportation systems, and various businesses throughout the US and Canada. The extortion requests were much higher in this case, coming in around $20,000, but as of last check, none of the Bitcoin wallets associated with the campaign contained positive balances.

The good news is that anti-spam solutions will catch most digital extortion emails through the use of blocklists and other filters. Enabling the DMARC protocol on your mail server can also help filter out illegitimate emails. However, the scammers seem to have discovered this too and have taken measures to attempt to evade spam filters. For instance, Talos has recently discovered emails utilizing base64 encoding and garbage HTML text rendered white in the message body, which would be invisible to anyone reading the email against a white background. (See the first example email.)

In other instances, the scammers wrote their emails, took a screenshot of the text, and simply pasted the image into the message body. Of course, this creates more work for the victim, since they can no longer copy and paste the rather complicated Bitcoin wallet address. The scammers apparently considered this and have conveniently begun including QR codes to help facilitate the payments.

So if this is all a scam, how did the scammers get your password to begin with? In all likelihood, they managed to get ahold of a list of data breach records that included your email and password. You’re likely one of a large number of email addresses and password combinations pulled from the list. If it’s indeed a password you currently use, change it immediately and refrain from using that password elsewhere. If you’re interested to find out if your email address has been exposed in a breach, check services like Have I Been Pwned, which will list if and where this may have occurred.

In addition, consider the following:

  • Cisco Email Security includes advanced threat defense capabilities that detect, block, and remediate threats in incoming email faster. Simultaneously, it protects an organization’s brand, prevents data loss, and secures important information in transit with end-to-end encryption.
  • Cisco Advanced Phishing Protection further augments sender authentication and BEC detection capabilities already available in Cisco Email Security. It integrates machine learning that combines local identity and relationship modeling with behavior analytics to protect against identity deception-based threats.

At the end of the day, education is the best weapon. Training users to recognize such scams can go a long way to reduce their impact. Ultimately, if it sounds too good (or bad) to be true, it probably is.


Further reading:


Like this post? Subscribe to the Threat of the Month blog series and get alerted when the next blog post is released. 



Ben Nahorney

Threat Intelligence Analyst

Cisco Security