Back in September we released a blog about the large volume of sextortion email campaigns that were hitting people’s inboxes. We have continued to monitor the campaigns and have seen a recent change in tactics, with some unusual approaches being favoured by the sextortionists this time around.
Previously the emails were simple and straightforward for the target: “I have your password; this is proof that I have access to your computer”. The recent shift in tactics for these campaigns is to suggest that they have access to the user’s email by spoofing the sender’s email address. This is an easy trick to pull off, though it does increase the risk of the email being flagged as spam or dropped completely by the recipient mail server.
The other significant change was to make mention of a recent 2018 vulnerability that affects selected Cisco devices (CVE-2018-0296), which relates to a Denial of Service (DoS) vulnerability affecting the Cisco ASA web service. Once again, this seems too specific and is more likely to reduce the chances of a successful campaign, as most users know whether they have a Cisco or a generic broadband router. Moreover, these days an increasing number of corporate email domains are being configured with security solutions such as Sender Policy Framework (SPF) to reduce the risk of email spoofing.
The body of text has also changed and differs between variants of the email. Certain words appear and then disappear, while some emails provide the passwords and others do not. Some even have spelling mistakes throughout. All of these may be techniques used to avoid simple keyword and pattern matching.
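As an added illustration (not Digital Shadows’ tooling), the following Python flags the three signals discussed above: a sender spoofed to the recipient’s own address, an SPF failure recorded by the receiving gateway, and loosely matched lure words alongside a Bitcoin address, tolerant of the deliberate spelling variations. The two messages, the gateway name and the Bitcoin address are constructed samples, not real campaign artifacts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real campaign message: the sender is spoofed to
# the recipient's own address and the gateway recorded an SPF fail.
SAMPLE_SPOOFED = """\
From: victim@example.com
To: victim@example.com
Subject: victim@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com
Content-Type: text/plain

I know your passw0rd. I hacked your device using CVE-2018-0296 on your Cisco router.
Send 0.3 bitcoin to 1FakeAddrForTestAAAAAAAAAAAAAA within 48 hours.
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: colleague@partner.example
To: victim@example.com
Subject: Meeting notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example
Content-Type: text/plain

Attached are the notes from today's meeting. Password for the file is in the chat.
"""

# Deliberately loose patterns: the campaign swaps words and inserts typos,
# so match on character classes rather than exact keywords.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
LURE_WORDS = [r"bit[c0]oin", r"pass?w[o0]rd", r"w[e3]bcam", r"cve-\d{4}-\d+"]

def sextortion_flags(raw):
    """Return the list of indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body_raw = msg.get_payload()          # single-part text body
    body = body_raw.lower()
    flags = []
    if sender and sender == rcpt:          # "access to your email" spoof
        flags.append("self_spoof")
    if "spf=fail" in auth or "spf=softfail" in auth:
        flags.append("spf_fail")
    if BTC_ADDR.search(body_raw):          # case-sensitive base58 check
        flags.append("btc_address")
    if sum(1 for p in LURE_WORDS if re.search(p, body)) >= 2:
        flags.append("lure_words")
    return flags
```

The lure-word threshold of two keeps an ordinary “password for the file” message from scoring, while the spoofed sample trips all four indicators.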
Figure 1 – TLDR: Latest sextortion email with Cisco vulnerability lure
Figure 2 – Closeup of latest sextortion email with Cisco vulnerability lure
As in the previous campaigns we investigated, the target information (email/password) is being picked from breached or leaked data, with Anti Public and Exploit[.]in combination lists being the preferred choices.
With demands ranging from $550 to $899, the attacker(s) have been able to amass over $19,000 so far based on the number of transactions made to the associated Bitcoin addresses we’ve tracked.
We’ve noticed the campaign(s) using these newer methods over the last month; however, most of the emails using the Cisco vulnerability tactic have been a feature of the last week, with a huge spike occurring on 10 November.
Figure 3 – CVE-related campaign volume since 10 November, 2018
Figure 4 – Comparison between previous sextortion campaigns and recent CVE-related variation
While the attempts seem to be a bit over the top, current indications are that the campaign(s) are receiving Bitcoin, or they are shifting Bitcoin around in an attempt to add some kind of credibility. As we have discussed previously, these scams are a volume game; with large enough target lists the campaigners will continue to receive payments. The best thing that users can do is:
If these emails are making their way into your corporate inbox, then it’s probably time to speak to your IT teams and work on that email security! In future blogs from the Security Engineering Team, we’ll be focusing on ways practitioners can improve their organization’s email security and risk reduction processes.