Back in September we released a blog about the large volume of sextortion email campaigns that were hitting people’s inboxes. We have continued to monitor the campaigns and have seen a recent change in tactics, with some unusual approaches being favoured by the sextortionists this time around.
Cisco ASA vulnerability lure – too long; didn’t read
Previously the emails were simple and straightforward for the target – “I have your password this is proof that I have access to your computer”. The recent shift in tactics for these campaigns is to suggest that they have access to the user’s email by spoofing the sender’s email address. This is an easy trick to pull off, though it does increase the risk of the email being flagged as spam or dropped completely by the recipient mail server.
The other significant change was to make mention of a recent 2018 vulnerability that affects selected Cisco devices (CVE-2018-0296), which relates to a Denial of Service (DoS) vulnerability affecting the Cisco ASA web service. Once again, this seems too specific and is more likely to reduce the chances of a successful campaign, as most users know whether they have a Cisco or a generic broadband router. Moreover, these days an increasing number of corporate email domains are being configured with security solutions such as Sender Policy Framework (SPF) to reduce the risk of email spoofing.
The body of text has also changed and differs between variants of the email. Certain words appear and then disappear, while some emails provide the passwords and others do not. Some even have spelling mistakes throughout. All of these may be techniques used to avoid simple keyword and pattern matching.
Figure 1 – TLDR: Latest sextortion email with Cisco vulnerability lure
Figure 2 – Closeup of latest sextortion email with Cisco vulnerability lure
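The two header-level traits described above (a sender address spoofed to match the recipient, and an SPF result that is not a pass) can be checked without relying on the body wording, which changes between variants. The following Python sketch is an added example, not code from the original post; the function names, the sample messages and the Bitcoin-like string are constructed for illustration, and it assumes the receiving gateway strips any `Authentication-Results` headers supplied by the sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Format-only match for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")
SPF_RE = re.compile(r"\bspf=(\w+)", re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_email):
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    # Assumption: the gateway strips inbound Authentication-Results headers,
    # so any that remain were written by our own receiving server.
    verdicts = [m.group(1).lower()
                for h in msg.get_all("Authentication-Results", [])
                for m in SPF_RE.finditer(h)]
    signals = {
        "self_addressed": bool(sender) and sender == rcpt,
        "spf": verdicts[0] if verdicts else "none",
        "btc_address": bool(BTC_RE.search(body_text(msg))),
    }
    # Header signals drive the decision; body wording varies between variants.
    if signals["self_addressed"] and signals["spf"] != "pass":
        signals["verdict"] = "quarantine" if signals["btc_address"] else "flag"
    else:
        signals["verdict"] = "deliver"
    return signals

SAMPLE_BTC = "1" + "B" * 30  # constructed string with an address-like shape

def sample(spf, body):
    """Constructed message for illustration, not a captured email."""
    return ("From: alice@example.com\nTo: alice@example.com\n"
            f"Authentication-Results: mx.example.com; spf={spf}\n"
            f"Subject: note\n\n{body}\n")

if __name__ == "__main__":
    print(triage(sample("fail", f"Send $550 in Bitcoin to {SAMPLE_BTC}")))
    print(triage(sample("pass", "Reminder to self: renew domain")))
```

SPF evaluates the envelope sender (MAIL FROM), which can differ from the header From shown to the user, so the recorded result is a triage signal rather than proof of spoofing.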
Who has been targeted?
As in the previous campaigns we investigated, the target information (email/password) is being picked from breached or leaked data, with Anti Public and Exploit[.]in combination lists being the preferred choices.
With demands ranging from $550 to $899, the attacker(s) have been able to amass over $19,000 so far based on the number of transactions made to the associated Bitcoin addresses we’ve tracked.
What is the scale looking like this time around?
We’ve noticed the campaign(s) using these newer methods over the last month; however, most of the emails using the Cisco vulnerability tactic have been a feature of the last week, with a huge spike occurring on 10 November.
Figure 3 – CVE-related campaign volume since 10 November, 2018
Figure 4 – Comparison between previous sextortion campaigns and recent CVE-related variation
While the attempts seem to be a bit over the top, current indications are that the campaign(s) are receiving Bitcoin, or they are shifting Bitcoin around in an attempt to add some kind of credibility. As we have discussed previously, these scams are a volume game; with large enough target lists the campaigners will continue to receive payments. The best thing that users can do is:
- Stay vigilant and inspect your email with a bit more caution and suspicion. Look out for the tell-tale signs that you are being targeted by a mass scam campaign.
- Make sure you are refreshing passwords and aren’t reusing them across sensitive accounts, particularly as these email and password pairs appear to have been sourced from breached data and public combination lists.
- Enable two-factor authentication where possible to help prevent account takeovers even if your password is leaked publicly.
If these emails are making their way into your corporate inbox, then it’s probably time to speak to your IT teams and work on that email security! In future blogs from the Security Engineering Team, we’ll be focusing on ways practitioners can improve their organization’s email security and risk reduction processes.