We recently wrote about sextortion campaigns and how they’ve developed their lures over time. As a result of these campaigns, tens of thousands of dollars have been transferred to attacker-controlled bitcoin wallets.
In this blog, I wanted to share how you can power responses to extortion campaigns with Shadow Search (while I’m using the sextortion campaign in this example, any extortion campaign could apply).
Within the long and rambling email, we can identify three elements requiring further investigation: the CVE it cites as the means of compromise, the password it presents as proof, and the bitcoin address it asks to be paid to.
Using Shadow Search, we can gain vital context on each of these three elements. For those unfamiliar with Shadow Search, we provide instant access to a range of sources so you can perform your own research and investigations. These include:
The email states “the hacking was carried out using a hardware vulnerability through which you went online (Cisco router, vulnerability CVE-2018-0296)”. Searching for this CVE number in Shadow Search brings back NIST results, Digital Shadows intelligence reporting, and mentions across criminal forums. The victim would be able to ascertain that this is a Denial of Service vulnerability affecting the Cisco ASA web service, which is unlikely to have been exploited to steal the victim’s password – and may not even be present in the victim’s environment at all.
Second, the attacker used the recipient’s password as “proof” of compromise (we have obscured the password in Figure 1). When you search for this email address across paste sites and criminal forums, several results demonstrate that this email and password have already been publicly exposed. This indicates that the extortionist may well have sourced the password from pre-existing breaches, rather than having compromised the victim’s personal computer. This should also be a cue for the victim to change this password if it’s still being used on any other online services.
The third nugget of information is the bitcoin address (1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3). Again, searching for this on Shadow Search brings back copies of the exact same message that have been published on paste sites – most likely posted by another recipient of the extortion email. Furthermore, if the bitcoin address were associated with a known threat actor, those results would also appear in Shadow Search as part of our curated intelligence Actor Profiles.
Gaining context across these three characteristics gives a strong indication that the extortion attempt is bogus, and organizations can use this insight to inform their defenses. Within minutes you can make a call on whether this extortion threat is credible, and whether additional resources are needed to protect your organization and its employees.
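As an added illustration (not code from this post or from the Shadow Search product), the Python below pulls the same three indicators out of an extortion email and weighs each against a stand-in for the lookups described above. The email text, the recipient address, the password and the SAMPLE_INTEL dictionary are constructed; only the CVE number and the bitcoin address come from the post.

```python
import re
from typing import Dict, List
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Legacy bitcoin addresses: base58 (no 0, O, I, l), 26-35 chars, leading 1 or 3.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Constructed sample modelled on the message in the post: the CVE and bitcoin
# address are the post's, the recipient and password are placeholders.
SAMPLE_EMAIL = (
    "The hacking was carried out using a hardware vulnerability through which "
    "you went online (Cisco router, vulnerability CVE-2018-0296). Your password "
    "for victim@example.com is hunter2. Send 0.5 BTC to "
    "1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3 within 48 hours."
)
# Constructed stand-in for what the lookups return (NVD entry, paste-site hits
# for the email, other copies of the message keyed by payout address).
SAMPLE_INTEL = {
    "cve": {"CVE-2018-0296": "Denial of service in the Cisco ASA web service"},
    "exposed_emails": {"victim@example.com": ["2017 combo-list paste"]},
    "btc_seen_in": {"1GXazHVQUdJEtpe62UFozFibPa8ToDoUn3": ["paste of identical email"]},
}

def extract_indicators(body: str) -> Dict[str, List[str]]:
    """De-duplicated CVEs, recipient emails and bitcoin addresses in the body."""
    return {
        "cves": sorted({m.upper() for m in CVE_RE.findall(body)}),
        "emails": sorted(set(EMAIL_RE.findall(body))),
        "btc_addresses": sorted(set(BTC_RE.findall(body))),
    }

def triage(ind: Dict[str, List[str]], intel: Dict[str, dict]) -> Dict[str, object]:
    """One finding per indicator that undercuts the 'I hacked you' claim; any finding marks the threat as likely bogus."""
    findings: List[str] = []
    for cve in ind["cves"]:
        desc = intel["cve"].get(cve)
        if desc is None:
            findings.append(f"{cve}: not a known CVE identifier")
        elif "denial of service" in desc.lower():
            findings.append(f"{cve}: {desc}; a DoS flaw does not yield passwords")
    for addr in ind["emails"]:
        hits = intel["exposed_emails"].get(addr, [])
        if hits:
            findings.append(f"{addr}: already exposed in {', '.join(hits)}; rotate it")
    for btc in ind["btc_addresses"]:
        hits = intel["btc_seen_in"].get(btc, [])
        if hits:
            findings.append(f"{btc}: same message seen in {', '.join(hits)}")
    return {"findings": findings, "likely_bogus": bool(findings)}
```

Replacing SAMPLE_INTEL with live queries (NVD, paste-site archives, an actor database) turns this into the same triage the post walks through by hand.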
Interested in Shadow Search? You can read more about the service in our datasheet, or you can try it for yourself by signing up for a test drive.
To stay up to date with the latest digital risk and threat intelligence news, subscribe to our threat intelligence emails here.