Threat Spotlight: Evolving ‘We Know Where You Live’ Tactics Personalize Sextortion Scams
Barracuda threat researchers have identified evolving tactics being used by cybercriminals in targeted sextortion scams. Criminals are now frequently using victims’ addresses and photos of their homes to better personalize sextortion phishing attacks and increase the pressure to pay. Extortion demands are also increasing from hundreds to thousands of dollars, and criminals are making it easier for victims to pay with quick response (QR) codes.
Posted: Tuesday, Nov 19

Key Findings

  • Barracuda threat researchers have identified evolving tactics being used by cybercriminals in targeted sextortion scams.
  • Criminals are now frequently using victims’ addresses and photos of their homes to better personalize sextortion phishing attacks and increase the pressure to pay.
  • Extortion demands are increasing from hundreds to thousands of dollars, and criminals are making it easier for victims to pay with quick response (QR) codes.

Understanding The Threat

Sextortion scams are a type of extortion where criminals attempt to extort money from victims by threatening to release explicit images or videos unless demands are met. Leveraging usernames and passwords stolen in data breaches, criminals contact victims and claim to have compromising content, allegedly from the victim’s computer, and threaten to publicly share it if victims don’t pay up.

Evolving Tactics Add Personalization and Pressure

Barracuda research shows that extortion emails make up roughly 3% of the total number of targeted phishing attacks detected annually. Most of these are sextortion attacks. Every incident is a serious crime with potentially devastating impact that can range from monetary loss to significant emotional and mental distress.

Barracuda researchers have identified evolving tactics — including advanced personalization — being used by criminals in these targeted attacks. Criminals are leveraging the personal data of targeted victims, including full names, telephone numbers, and addresses, to make their sextortion attempts more threatening and convincing. The sextortion emails address the victim by their first and last name, and the opening sentences of the email include the victim’s telephone number, street address, and city.

In many cases, emails start with copy like this: “I know that calling [telephone number] or visiting [street address] would be a better way to have a chat with you in case you don’t cooperate. Don’t even try to escape from this. You have no idea what I’m capable of in [city].”

An image from Google Maps of the target’s location is now frequently being included in the sextortion email. In analyzed emails, images included either a residential or commercial location, depending on the address associated with the victim’s stolen data.

The payment demands are increasing. In the past, sextortion emails typically demanded payments of a couple hundred dollars, up to about $500 maximum. In the latest attacks seen by Barracuda researchers, the amounts are $1,950 and $2,000.

Different copy variations are being tested. While most of the copy in the emails is identical or very similar, there are some variations.

For example, several variations are being used in the line of copy that appears just before the Google Map image of the victim’s address, including:

  • See you here?
  • Can you notice something here?
  • Is this the right place to meet?

Likewise, variations are being used in the line of copy that appears just below the bitcoin payment information, including:

  • Once you pay up, you’ll sleep like a baby. I keep my word.
  • Let me tell ya, it’s peanuts for your peace.
  • Let me tell ya, it’s peanuts for your tranquility.

Additional points of personalization are being used. In some of the sextortion emails, an additional point of personalization is being included in the last sentence of the final paragraph that appears before the image of the victim’s address: “I don’t make mistakes, [first name.]” the email warns.

Criminals are leveraging technology to expedite payment. In some cases, quick response (QR) codes are being provided in the emails to make it faster and easier for victims to send bitcoin payments to the criminals. In the emails that include them, the QR codes appear directly below the bitcoin address.

Protecting Against Sextortion Scams

Sextortion emails are usually sent to thousands of people at a time as part of larger spam campaigns, so most get caught in spam filters. But attackers also vary and personalize the content of the emails, making them more difficult for spam filters to detect and stop.

Scammers are continually evolving their email fraud techniques, including using social-engineering tactics to bypass traditional email security gateways. Sextortion emails that end up in inboxes typically do so because they originate from high-reputation senders and IPs; hackers use already-compromised Microsoft 365 or Gmail accounts.

Here are several ways to defend against sextortion scams:

AI-based protection — Attackers are continually adapting sextortion emails to bypass email gateways and spam filters, so a good spear-phishing solution that uses AI to detect and protect against these and other email attacks is a must.

Account-takeover protection — Many sextortion attacks originate from compromised accounts; be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses AI to recognize when accounts have been compromised, allowing you to remediate in real time by alerting users and removing malicious emails sent from compromised accounts.

Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks due to the intentionally embarrassing and sensitive nature of the threats. Conduct regular searches on delivered mail to detect emails related to password changes, security alerts, and other content. Many sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any of suspicious origin, and remediate.

Security-awareness training — Educate users about sextortion fraud, especially if you have a large and diverse user base. Make it part of your security awareness training program. Ensure employees can recognize these attacks, understand their fraudulent nature, and feel comfortable and know how to report them. Use phishing simulation to test the effectiveness of your training.

System maintenance — Keeping browsers and operating systems up-to-date helps prevent exploits from infecting computers. Sextortion emails can infect targets’ devices with malware, and keeping browsers and operating systems up-to-date prevents infection.
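
A triage sketch for the delivered-mail searches recommended under proactive investigations, added here as an example and not Barracuda's detection logic: it scores a message on the indicators this report describes (the quoted copy variations, a bitcoin address, a four-figure dollar demand, an image part). The weights, function names, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Copy variations quoted in the report, lower-cased for matching.
PHRASES = ["see you here?", "can you notice something here?",
           "is this the right place to meet?", "you'll sleep like a baby",
           "peanuts for your peace", "peanuts for your tranquility",
           "i don't make mistakes"]
# Shape-only match for legacy (1.../3...) and bech32 (bc1...) bitcoin addresses.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Dollar amounts of $1,000 or more, the range the report says demands have reached.
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})+|\d{4,})")

def score_message(raw):
    """Return (score, hits) for one RFC 5322 message given as a string."""
    text, images = [], 0
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
        elif ctype.startswith("image/"):
            images += 1  # map photo or QR code sent as an image part
    body = "\n".join(text)
    norm = body.lower().replace("\u2019", "'")  # fold curly apostrophes
    hits = {"phrases": [p for p in PHRASES if p in norm],
            "btc": BTC_RE.findall(body),
            "amounts": AMOUNT_RE.findall(body),
            "images": images}
    # Hypothetical weights: wording and a wallet address count double.
    score = (2 * bool(hits["phrases"]) + 2 * bool(hits["btc"])
             + bool(hits["amounts"]) + bool(images))
    return score, hits

def build_sample(body, with_image):
    """Constructed test message; the address used below is a made-up placeholder."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if with_image:
        msg.add_attachment(b"\x89PNG placeholder", maintype="image",
                           subtype="png", filename="map.png")
    return msg.as_string()

SCAM = build_sample("Is this the right place to meet?\nSend $1,950 to "
                    "1FakeAddressForTestingXXXXXXXXXXX\n"
                    "Let me tell ya, it's peanuts for your peace.\n", True)
BENIGN = build_sample("Your password was changed. Renewal fee is $500.\n", False)
```

A message scoring 4 or more is a reasonable candidate for manual review; the sender's origin, which the report also recommends evaluating, is not covered here.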
