Extortion emails have been around for a long time, and the most common variety is known as ‘porn scamming’ or ‘sextortion’. For the lucky few who have never received one, a sextortion email claims that the sender has installed malware on your computer, spied on you through your webcam and recorded a video of you watching pornography.
Typically, the sender will also claim to have hacked into your inbox and will threaten to send the video to your entire contact list. The emails can be incredibly scary; they are designed to instil fear so that the victim pays the extortion fee to make the problem go away. The amount demanded varies, but it can run to thousands of dollars, payable in Bitcoin to a wallet address specified in the email.
We have seen a whole host of sextortion emails and have yet to see the scam develop beyond a few emails, because the criminals on the other side of the screen do not actually have the footage they claim to have. They are simply hoping that a few of the recipients will pay up out of fear, and enough of them do that the scam remains relatively successful.
A SophosLabs report published earlier this year found that although porn scamming does not earn as much as ransomware, sextortion scammers can still make as much as $100,000 a month. Not totally satisfied with such meagre earnings, cyber criminals are now turning their hands to a scam Sophos has nicknamed “breachstortion”.
In a breachstortion scam, the criminals claim to have hacked your website and stolen your data. Dressed up to look like the aftermath of a real breach, the email tries to trick businesses into paying to keep the supposedly stolen data from being sold or published. Much like sextortion scams, however, the senders do not have your information at all.
In the examples Sophos has seen, the scammers give targets five days to comply by paying a fee in cryptocurrency, up to $2,000, to a Bitcoin wallet address given in the email. The messages usually contain no email address, website or other contact details, and the scammer has no way to confirm whether any particular target has paid.
This may not be immediately obvious, but Bitcoin is pseudonymous rather than anonymous: every transaction is public, yet the ledger only records which address paid which address, not who is behind either of them. If the same wallet address is sent to many targets and the email offers no way to get in touch to say which wallet you paid from, how do the criminals propose to work out which payment corresponds to which demand? That they have not bothered to solve this problem is a strong sign that the crooks do not have your data.
What to do?
In a genuine ransomware attack there is no doubt about what has happened: your company's data has visibly been encrypted, locked away or stolen. There are three main types to be aware of:
- Rogue security software and tech support scams. You might receive a pop-up message claiming that malware was discovered and that the only way to get rid of it is to pay up. If you do nothing you will likely continue to be bombarded with pop-ups, but your files are essentially safe.
- Lock-screen ransomware, which freezes you out of your PC entirely. On start-up, a full-screen window appears demanding a ransom payment in return for access to your PC and files.
- Crypto-ransomware, where the attackers encrypt your files and demand payment to decrypt them. Once the files are encrypted, no security software or system restore can bring them back short of restoring from a backup, and paying the ransom does not guarantee that your files will be returned.
Where breachstortion is concerned, there is no malware, no hack and no attack other than the extortion email itself. Of course, in both sextortion and breachstortion cases the claims the criminals make are technically possible: webcams can be hijacked by malware and data breaches really do happen.
So the dilemma is – what if what the email says is true?
Firstly, how can you tell that your data has not already been sold? There is no reason to believe that paying will protect your files.
Secondly, we have seen cases where companies or individuals paid the scammers only to receive further demands: once they know you are willing to pay, they will keep pressing for more money.
We advise that if your company receives a breachstortion email, you:
- Don't pay the demand.
- Reach out to a cyber security professional who can take a deeper look and advise whether a system bug or vulnerability really exists, or whether there is any evidence of an actual breach.
- Monitor the dark web for your company's information.
- Regularly train your employees on how to handle scam emails.
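As a worked illustration of the first-pass look that advice calls for, here is a small triage script that pulls the hallmarks discussed above out of a suspected breachstortion email: a legacy Bitcoin address (checked with its Base58Check checksum, so random strings are not flagged), a payment deadline, and the absence of any contact details or Reply-To header that would let the sender match a payment to a target. This is an added example, not code from DynaRisk or Sophos; the sample messages are constructed for the purpose, and the scoring heuristic and the threshold are this example's own assumptions rather than a published detection rule.

```python
"""Triage a suspected breachstortion / sextortion email for the indicators
described in the article. The heuristics below are assumptions made for
this example, not a published detection rule."""
import email
import hashlib
import re
from email import policy

# Constructed sample in the style of the scam (not a real message). The
# address is the well-known Bitcoin genesis-block address, used only because
# it is a valid checksummed address.
SAMPLE_SCAM = """\
From: "Security Team" <noreply@example.invalid>
To: admin@victim.example
Subject: Your site has been hacked
Date: Mon, 01 Jun 2020 09:00:00 +0000

We have hacked your website and extracted your database.
Pay 0.21 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 5 days
or we will sell the data and notify your customers.
"""

# Constructed benign notice for contrast: a Reply-To and real contact details.
SAMPLE_LEGIT = """\
From: "Hosting Support" <support@hosting.example>
Reply-To: support@hosting.example
To: admin@victim.example
Subject: Security notice for your account

We detected a login from a new device. If this was not you, review the
activity at https://hosting.example/security or write to support@hosting.example
"""

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH/P2SH) address shape; bech32 "bc1..." addresses are out of scope here.
BTC_ADDRESS_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
DEADLINE_RE = re.compile(r"\bwithin\s+(\d+)\s+(hours?|days?)\b", re.IGNORECASE)
CONTACT_RE = re.compile(r"(https?://\S+|[\w.+-]+@[\w-]+\.[\w.-]+)")


def base58check_valid(address: str) -> bool:
    """True if the address decodes to 25 bytes whose last 4 bytes equal the
    first 4 bytes of SHA256(SHA256(version || hash160))."""
    value = 0
    for ch in address:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:
            return False
        value = value * 58 + idx
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # Each leading '1' stands for a leading zero byte that the integer drops.
    pad = len(address) - len(address.lstrip("1"))
    raw = b"\x00" * pad + raw
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(raw_message: str) -> dict:
    """Extract the scam indicators and score them (heuristic, assumed)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    addresses = [a for a in BTC_ADDRESS_RE.findall(body) if base58check_valid(a)]
    deadline = DEADLINE_RE.search(body)
    # Anything that would let the sender learn who paid: a URL or email
    # address in the body, or a usable Reply-To header.
    contacts = CONTACT_RE.findall(body)
    reply_to = msg["Reply-To"]
    score = 0
    if addresses:
        score += 1          # payment demanded to a crypto wallet
    if deadline:
        score += 1          # artificial time pressure
    if not contacts and not reply_to:
        score += 1          # no way to tie a payment to this demand
    return {
        "crypto_address": addresses,
        "deadline": deadline.group(0) if deadline else None,
        "contact_in_body": contacts,
        "reply_to": reply_to,
        "score": score,
        "verdict": "likely extortion scam" if score >= 2 else "needs manual review",
    }


if __name__ == "__main__":
    for name, sample in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(name, triage(sample))
```

The checksum check matters because the regex alone will match any 26 to 35 character Base58-looking token; a valid checksum tells you the sender pasted a real wallet address. The "no contact details" indicator is the point made about payment tracing above: an email that demands money but gives the sender no way to learn which target paid is not a negotiation, it is a bulk mailing.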
DynaRisk Breach Defence
Our new SME platform is designed to help small and medium enterprises manage cyber threats like this. With data breach monitoring, employee training and phishing simulation, you can keep watch over your company's entire digital attack surface.
- Discover whether your company's data has been breached or leaked, and get ongoing monitoring and assistance.
- Keep track of your external-facing assets and services, and reduce your risk profile as your technology footprint evolves.
- Train your staff on the basics of cyber security.
- Get an overview of your entire attack surface in one platform.
Discover how DynaRisk Breach Defence can protect your business online by signing up to our beta program. You'll get pre-launch access, priority on-boarding and exclusive discounts when the platform launches in July 2020.