SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Sextortion attacks targeting education orgs - Barracuda
Mon, 4th Mar 2019
FYI, this story is more than a year old

Sextortion scams have increased in frequency and scope since Barracuda first highlighted this type of attack in its October Threat Spotlight.

Previously, sextortion scams were used as part of large-scale spam campaigns, but now many of these attacks are getting more sophisticated and bypassing email gateways.

Barracuda analysed spear phishing attacks targeted at its customers and found that 1 in 10 were blackmail or sextortion attacks.

In fact, employees are more likely to receive a sextortion scam than an employee impersonation or business email compromise attack.

Highlighted Threat:

Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which attacker claim to have recorded on the victim's computer, shared with all their contacts.

The Details:

The basic approach of sextortion scams remains the same.

Attackers are harvesting email addresses and passwords and using them in the threatening email to add to the victim's fears.

Often, attackers will spoof their victim's email address and pretend to have access to it to make the attack even more convincing.

Payment demands usually ask for Bitcoin, and Bitcoin wallet details are included in the message.

Most sextortion scams are sent as part of larger spam campaigns to thousands of people at a time, so most get caught in spam filters.

But, like with many other types of email fraud, scammers are evolving their techniques using social engineering tactics to bypass traditional email security gateways.

Many sextortion emails end up in users' inboxes because they originate from high-reputation senders and IPs.

In fact, hackers will use already compromised Office 365 or Gmail accounts in their campaigns. Emails from these legitimate, high-reputation-score accounts will pass through gateways and land in their victims' mailboxes.

These emails don't usually contain any malicious links or attachments that traditional gateways will look for.

Attackers have also started to vary and personalise the content of the emails, making it difficult for spam filters don't stop them.

Sextortion scams are also under-reported due to the intentionally embarrassing or sensitive nature of the threats.

As a result, IT teams are often unaware of these attacks because employees either choose to pay a ransom or are simply too embarrassed to report the email.

Most common sextortion subject lines

In Barracuda's study of sextortion and blackmail attacks, we looked at the 30 most common subject lines, which represent over 60% of all the sextortion emails analysed.

Barracuda noticed patterns in the subject lines used by attackers.

The two most common subject lines are security alerts and requests to change passwords. Attackers will often include either the victim's email address or their password in the subject line to get them to open and read the email.

Here are some examples of security alert subject lines seen in the research:

  • name@emailaddress.com was under attack change you access data

  • Your account has been hacked you need to unlock

  • Your account is being used by another person

Here are some examples of password change subject lines we saw:

  • Change your password [password] immediately your account has been hacked

  • Hackers know your password [password] password much be changed now

We found that almost every subject line on a sextortion email will contain some form of security warning, with more than a third requesting a password change.

Other common subject lines that we saw include references to a customer service ticket number or incident report.

Occasionally, attackers are more straightforward with the subject line, using threats like:

  • You are my victim

  • Better listen to me

  • You don't have much time

  • You can avoid problems

  • This is my last warning name@emailaddress.com

Industries most likely to be targeted by sextortion

In the research, Barracuda found education was the industry targeted most frequently by sextortion and blackmail, making up 55% of attacks.

A full 14% of attacks targeted government employees, and 11% went after business services organisations.

The overwhelming focus on education is a calculated move by attackers.

Educational organisations usually have a lot of users, with a very diverse and young user base that is less informed about security awareness and may be less aware of where to seek help and advice.

Students and young people are also more likely to be scared into wiring the money, given the nature of the threat.

4 ways to protect against sextortion scams

1. Spear phishing protection — Because attackers are adapting sextortion emails to bypass email gateways and spam filters, a good spear phishing solution that protects against blackmail and sextortion is a must.

2. Account takeover protection — Many sextortion attacks originate from compromised accounts, so make sure scammers aren't using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised.

3. Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks, so you should conduct regular searches on delivered mail to detect emails related to password changes and other content we discussed above. Many of sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any that are of suspicious origin, and remediate.

4. Security awareness training —  Educate users about sextortion fraud, especially if you have a large and diverse user base, like the education sector.  Make it part of your security awareness training program. Ensure your staff can recognise these attacks, understand their fraudulent nature, and feel comfortable reporting them.