In January, Avast protected users from sextortion campaigns which could have resulted in over 500,000 incidents worldwide
Sextortion is an emerging online scam that takes advantage of people’s fear that their most intimate moments will be exposed to the public. They usually come in the form of emails, which are not only dangerous and unsettling but can have serious real-world consequences.
In January, Avast protected users from various sextortion campaigns which could have resulted in more than 500,000 incidents worldwide. Most of these attacks targeted English-speaking users in the United Kingdom and the United States, though we detected campaigns in other languages as well. The image below shows the prevalence of sextortion attacks worldwide:
Sextortion starts with an email. Sextortion emails mislead victims into thinking the attacker owns a recording of their screen and camera and that recording contains images or videos of the potential victim in sexually explicit situations. The attackers use this claim of a recording to blackmail the victim into paying the attacker. The attacker threatens to send the recording to the victim’s contacts, friends, and family if they don’t comply. In reality, the attacker doesn't actually own any recordings and just uses social engineering techniques to try to scare and shame the potential victim into paying.
Sextortion relies on people’s willingness to pay money in order to keep damaging secrets quiet. In a potential victim’s view, this kind of attack is a sudden threat to his or her reputation. A potential victim can think of the consequences in the Jeffrey Toobin case, for example, and see the risk of private moments being exposed to the public. The attackers prey on this fear and apply other social engineering techniques — such as limiting the time period for paying — to create an illusion that the user’s machine is hacked. They might also provide a list of activities that an attacker will take to harm the victim.
Below is one example of a sextortion email. The attacker first claims to have knowledge of the potential victim visiting adult websites — an immediate attempt to make the potential victim feel guilt or shame. The attacker claims to have complete control of the potential victim’s system and to have used that control to take or falsely create a sexually explicit video of the potential victim, asserting their control in the situation. The attacker then says that as part of that control, they can send this compromising video to the potential victim’s contacts. Finally, the attacker makes the extortion pitch, telling the potential victim they can “make it go away” by paying $1,350 in Bitcoin. The attacker adds the social engineering tactic of time pressure, saying the potential victim only has 48 hours to pay the money.
An important thing to note is that there’s no way to be sure that the attacker’s claims are true. In fact, very often the attackers behind these threats are bluffing and there is no actual video.
This is a generic example of sextortion emails. But attackers commonly prepare spam campaigns with regard to current trends and events.
We’ve tracked a variety of different sextortion campaigns in the last two months, but two types stood out as the most common. One is a series of campaigns abusing the ubiquity of Zoom during lockdowns. The other is a series of campaigns that falsely claim to have installed a Trojan on the potential victim’s system.
The most prevalent campaign we observed took advantage of increased use of Zoom during the Covid-19 pandemic. In particular, we saw an uptick during the 2020 holiday season. Attackers claim that they’ve taken advantage of critical vulnerabilities in the Zoom application, allowing them access to a user’s device and camera. But, to be clear, we haven’t found any actual vulnerabilities in Zoom — the attackers are lying.
Attackers use social engineering techniques and mention Jeffrey Toobin’s scandal to get victims to pay up. The rest of the email is a typical extortion email, where attackers use phrases such as “the recorded sexual act”, “access to sensitive information”, and “terrible reputation damage” and offer up payment as a way out.
A distinctive feature of this type of campaign is that emails look like they are sent from the user's email address to themselves. This is another social engineering technique, aiming to make it look like the attacker really does have control of their system. In reality, the “from” address has been tampered with and closer analysis reveals the real address of the sender.
The second prevalent campaign utilizes the threat of Trojan malware. The potential victim receives an email in which the attackers claim a Trojan was installed on their machine a few months previous. The attackers also claim that this “Trojan” recorded all of the potential victim’s actions with a microphone and webcam and exfiltrated all data from the devices, including chats, social media, and contacts. They then use a common extortion scenario: attackers demand a ransom in cryptocurrencies. In the end, attackers include a note about the fake “timer” that started when the email was received, in order to set a ransom deadline.
Just like Zoom campaigns, these threats are all fake. There are no undetectable Trojans, nothing is recorded and attackers do not have your data. The timer included in the email is another social engineering technique used to pressure victims into paying.
Below is a sample email from a Trojan campaign (in Spanish).
Another sample email from a Trojan campaign (in English).
We’ve observed many other sextortion scams in addition to Zoom and Trojan campaigns. Some of them are originally in different languages and the content is automatically translated using a tool like Google Translate.
We’ve also seen a significant rise in the volume of sextortion emails sent since January 11 — it seems that attackers are getting back to work after the holidays. We’ve seen sextortion attacks mentioning hacked programs, software, website, or utilizing vulnerabilities in a victim’s router, OS, or RDP.
While sextortion is scary, there are simple steps you can take to better protect yourself against this type of attack.
First, if a “sextortion” email appears in your inbox, stay calm. Do not answer it and do not pay money to the attacker. Nobody will actually blackmail you; it’s just spam. Even if you get an email that looks like it was sent from your own account, ignore it.
Next, attackers may provide older leaked passwords to boost the credibility of their threat. If that’s the case, change your passwords and follow password best practices.
Finally, make use of security products that can protect against sextortion.
Businesses can protect their sites from DDoS attacks with specialized software and cloud protection, while consumers can prevent their devices from being used as part of a botnet by using reliable antivirus software.
Hacked Facebook accounts belonging to a Brazilian ISP, Mexican sporting goods store, mountain tourism site from Slovakia, and a computer repair shop in the Philippines are spreading posts linking to malware to users around the world.
A crypto investment scam is circulating on Facebook and in people’s inboxes across Europe, Canada, and Australia. Avast is actively protecting its users from the campaign and has protected more than 10,000 users from the scam in August.