Using Shadow Search to Power Investigations: Sextortion Campaigns
December 6, 2018
We recently wrote about sextortion campaigns and how they’ve developed their lures over time. As a result of these campaigns, tens of thousands of dollars have been transferred to attacker-controlled bitcoin wallets.
In this blog, I wanted to share how you can power responses to extortion campaigns with Shadow Search (while I’m using the sextortion campaign in this example, any extortion campaign could apply).
Within the long and rambling email, we can identify three elements requiring further investigation:
- Exposed credentials listed in cleartext as a “claim of compromise”. Including the recipient’s exposed password in the extortion message gives it an air of credibility.
- Claimed exploitation of a recent vulnerability affecting selected Cisco devices (CVE-2018-0296).
- Call to action to pay the extortion demand to a specific Bitcoin address. The most recent wave appeared to have generated at least $19,000.
Using Shadow Search, we can gain vital context on each of these three elements. For those unfamiliar with Shadow Search, we provide instant access to a range of sources so you can perform your own research and investigations. These include:
- Dark web pages and marketplaces
- Criminal forums
- Paste sites
- Blog and news sites
- IRC and Telegram Chat Channels
- Technical forums
- DNS lookup
- WHOIS data
- Indicator Feeds
- Curated intelligence from Digital Shadows
Search for Context on Vulnerability
The email states “the hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296)”. Searching for this CVE number in Shadow Search brings back NIST results, Digital Shadows intelligence reporting, and mentions across criminal forums. The victim would be able to ascertain that this is a Denial of Service vulnerability affecting the Cisco ASA web service, which is unlikely to have been exploited to steal the victim’s password, and the affected product may not even be present in the victim’s environment at all.
Search for Exposed Credentials
Second, the attacker used the recipient’s password as “proof” of compromise (we have obscured the password in Figure 1). When you search for this email address across paste sites and criminal forums, several results demonstrate that this email and password have already been publicly exposed. This indicates that the extortionist may well have sourced the password from pre-existing breaches, rather than having compromised the victim’s personal computer. This should also be a cue for the victim to change this password if it’s still being used on any other online services.
Search for Bitcoin Address
The third nugget of information is the bitcoin address (1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3). Again, searching for this on Shadow Search brings back copies of the exact same message that have been published on paste sites – most likely posted by another recipient of the extortion email. Furthermore, if the bitcoin address was associated with a known threat actor, then these results would also appear in Shadow Search as part of our curated intelligence Actor Profiles.
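The three pivots above (claimed CVE, exposed credential, demanded wallet) can be pulled out of a reported email automatically before anyone runs a search. The script below is an added example written for this post, not code from Digital Shadows or part of Shadow Search. The email body, the recipients and the bc1 wallet in it are constructed; the legacy wallet is the well-known Bitcoin genesis-block address standing in for a campaign wallet. It validates the Base58Check checksum on legacy addresses so a random base58-looking string does not become a false pivot, masks the exposed password the way the post's figure does, and groups several reports by wallet so that identical messages reaching many recipients are recognised as one mass wave rather than a targeted compromise.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in the shape the post describes: an exposed password
# offered as "proof", a claimed CVE, and a bitcoin address to pay. The wallet
# is the well-known Bitcoin genesis-block address, used only as a stand-in
# (its checksum is valid, so the validator below accepts it); the recipient
# and the password are made up.
SAMPLE_EMAIL = """\
Hello victim@example.com, I know your password is Winter2018!
The hacking was carried out using a hardware vulnerability through which
you went online (Cisco router, vulnerability cve-2018-0296).
Transfer $700 to my bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Legacy base58 addresses start with 1 or 3; bech32 (segwit) addresses with bc1.
BTC_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})\b"
)
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|was|:)\s*(\S+)", re.IGNORECASE)

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_ok(addr):
    """True if a legacy (1.../3...) address carries a valid Base58Check checksum:
    the last 4 bytes equal the first 4 bytes of sha256(sha256(version + hash)).
    This weeds out base58-looking strings the regex matched by accident."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version byte + 20-byte hash + 4-byte checksum
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def mask_secret(secret):
    """Keep only the first character, as the post does in its figure, so the
    exposed password can be recorded in a ticket without re-exposing it."""
    return secret[0] + "*" * (len(secret) - 1)


def extract_indicators(body):
    """Pull the three pivots the post investigates out of one email body."""
    wallets = [w for w in BTC_RE.findall(body)
               if w.startswith("bc1") or base58check_ok(w)]  # bech32 checksum not verified here
    return {
        "cves": sorted({c.upper() for c in CVE_RE.findall(body)}),
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "wallets": wallets,
        "passwords": [mask_secret(p) for p in PASSWORD_RE.findall(body)],
    }


def cluster_by_wallet(reports):
    """Group (recipient, body) reports by demanded wallet. The same message
    turning up for many recipients, as the post saw on paste sites, marks a
    mass campaign wave rather than a targeted compromise."""
    clusters = defaultdict(set)
    for recipient, body in reports:
        for wallet in extract_indicators(body)["wallets"]:
            clusters[wallet].add(recipient)
    return {w: sorted(r) for w, r in clusters.items()}


# Constructed reports: two recipients of the same wave, and one email that
# demands payment to a different, made-up bech32 placeholder wallet.
REPORTS = [
    ("victim@example.com", SAMPLE_EMAIL),
    ("second@example.com", SAMPLE_EMAIL.replace("victim@example.com", "second@example.com")),
    ("third@example.com", "Pay 0.1 BTC to bc1qteststandsampleaddr or else."),
]

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_EMAIL))
    print(cluster_by_wallet(REPORTS))
```

Each extracted value then becomes a search in the sources listed above: the CVE against vendor and NIST data, the email against paste sites and breach collections, the wallet against paste sites and actor profiles. The recipient count per wallet is the quickest credibility signal: a wallet shared by dozens of unrelated recipients is a mass mailing, not evidence of an individual compromise.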
Make More Informed Decisions
Gaining context across these three characteristics gives a strong indication that the extortion attempt is bogus, and organizations can use this insight to inform their defenses. Within minutes you can make a call on whether this extortion threat is credible, and whether additional resources are needed to protect your organization and its employees.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.