A report by cyber-crime researchers warns professionals and people in higher-level management positions that extortion scams are on the rise, with higher earners as the obvious targets.
The report, from researchers at risk protection firm Digital Shadows, tracked so-called ‘sextortion’ campaigns from July 2018 to February 2019, during which time they discovered that more than 89,000 unique recipients were the targets of 792,000 extortion attempts!
Extortion scams aimed at higher earners have become popular because:
- These scams are cheap and easy to operate. For example, aspiring extortionists can purchase sensitive corporate documents and extortion manuals online from other criminals for less than £10.
- The rewards are high. Professionals, business owners and high net worth individuals who hold positions of power within companies have the ability and often the motivation to pay. For example, as part of the research, analysis of bitcoin wallets associated with extortion scams showed that “sextortionists” are making an average of £414 per victim.
As the name suggests, sextortion involves blackmail and bribery through coercion based upon the criminal threatening to release images and/or other information about their victim.
This type of crime is now one of the main methods of extortion. Individuals who are thought likely to be vulnerable to this type of crime are often targeted with manufactured attacks. For example, one type of attack which features in extortion guides is carried out when a criminal begins an online relationship with a married person and then threatens to reveal details of the affair to their partner unless a ransom is paid. Less sophisticated ‘sextortion’ attacks involve using a password to ‘prove’ to the victim that they have been compromised, claiming to have video footage of the victim watching adult content online, and then telling the victim to pay a ransom to a specified bitcoin address.
What Does This Mean For Your Business?
Most businesses will continue to face some of the more common threats such as phishing attempts, malware, social engineering, hacking, credential compromise and DDoS attacks. Cybercriminals are, however, becoming even more daring, and the resources now available to them on criminal forums make extortion-style attacks more likely. For example, a massive leak of 2.6 billion rows of data from 12,000 files, dubbed Collection #1, onto hacking forums was revealed in a blog post in January by security researcher Troy Hunt, who is best known for managing the ‘Have I Been Pwned’ service. Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources.
Some ways that businesses may be able to protect themselves from extortion attacks include:
- Checking the HaveIBeenPwned website to find out if your accounts have been previously breached.
- Regularly backing up data and storing sensitive files in detached storage away from your main network, making disaster recovery and business continuity plans, and periodically testing your backup and recovery processes.
- Not answering extortion emails.
- Making sure that your email system is secure and applying best practices for user permissions.
- Educating / training staff on how to deal with extortion emails.
- Where possible, minimising your personal and professional online exposure.
- Keeping software patches up to date.
- Making your remote workers use a (good, paid-for) VPN.