02
Aug 18

The Year Targeted Phishing Went Mainstream

A story published here on July 12 about a new sextortion-based phishing scheme that invokes a real password used by each recipient has become the most-read piece on KrebsOnSecurity since this site launched in 2009. And with good reason — sex sells (the second most-read piece here was my 2015 scoop about the Ashley Madison hack).

But beneath the lurid allure of both stories lies a more unsettling reality: It has never been easier for scam artists to launch convincing, targeted phishing and extortion scams that are automated on a global scale. And given the sheer volume of hacked and stolen personal data now available online, it seems almost certain we will soon witness many variations on these phishing campaigns that leverage customized data elements to enhance their effectiveness.

The sextortion scheme that emerged this month falsely claims to have been sent from a hacker who’s compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom.

What spooked people most about this scam was that its salutation included a password that each recipient legitimately used at some point online. Like most phishing attacks, the sextortion scheme that went viral this month requires just a handful of recipients to fall victim for the entire scheme to be profitable.

From reviewing the Bitcoin addresses readers shared in the comments on that July 12 sextortion story, it is clear this scam tricked dozens of people into paying anywhere from a few hundred to thousands of dollars in Bitcoin. All told, those addresses received close to $100,000 in payments over the past two weeks.

And that is just from examining the Bitcoin addresses posted here; the total financial haul from different versions of this attack is likely far higher. A more comprehensive review by the Twitter user @SecGuru_OTX and posted to Pastebin suggests that as of July 26 there were more than 300 Bitcoin addresses used to con at least 150 victims out of a total of 30 Bitcoins, or approximately $250,000.

There are several interesting takeaways from this phishing campaign. The first is that it effectively inverted a familiar threat model: Most phishing campaigns try to steal your password, whereas this one leads with it.

A key component of a targeted phishing attack is personalization. And purloined passwords are an evergreen lure because your average Internet user hasn’t the slightest inkling of just how many of their passwords have been breached, leaked, lost or stolen over the years.

This was evidenced by the number of commenters here who acknowledged that the password included in the extortion email was one they were still using, with some even admitting they were using the password at multiple sites! 

Surprisingly, none of the sextortion emails appeared to include a Web site link of any kind. But consider how effective this “I’ve got your password” scam would be at enticing a fair number of recipients into clicking on one.

In such a scenario, the attacker might configure the link to lead to an “exploit kit,” crimeware designed to be stitched into hacked or malicious sites that exploits a variety of Web-browser vulnerabilities for the purposes of installing malware of the attacker’s choosing.

Also, most of the passwords referenced in the sextortion campaign appear to have been slurped from data breaches that are now several years old. For example, many readers reported that the password they received was the one compromised in LinkedIn’s massive 2012 data breach.

Now imagine how much more convincing such a campaign would be if it leveraged a fresh password breach — perhaps one that the breached company wasn’t even aware of yet.

There are many other data elements that could be embedded in extortion emails to make them more believable, particularly with regard to freshly-hacked databases. For example, it is common for user password databases that are stolen from hacked companies to include the Internet Protocol (IP) addresses used by each user upon registering their account.

This could be useful for phishers because there are many automated “geo-IP” services that try to determine the geographical location of Website visitors based on their Internet addresses.

Some of these services allow users to upload large lists of IP addresses and generate links that plot each address on Google Maps. Suddenly, the phishing email not only includes a password you are currently using, but it also bundles a Google Street View map of your neighborhood!

There are countless other ways these schemes could become far more personalized and terrifying — all in an automated fashion. The point is that automated, semi-targeted phishing campaigns are likely here to stay.

Here are some tips to help avoid falling prey to these increasingly sophisticated phishing schemes:

Avoid clicking on links and attachments in email, even in messages that appear to be sent from someone you know.

Urgency should be a giant red flag. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. Take a deep breath. If you’re unsure whether the message is legitimate, visit the site or service in question manually (ideally, using a browser bookmark so as to avoid potential typosquatting sites).

Don’t re-use passwords. If you’re the kind of person who likes to use the same password across multiple sites, then you definitely need to be using a password manager. That’s because password managers handle the tedious task of creating and remembering unique, complex passwords on your behalf; all you need to do is remember a single, strong master password or passphrase. In essence, you effectively get to use the same password across all Web sites.

Some of the more popular password managers include DashlaneKeepass, LastPass. [Side note: Using unique passwords at each site also can provide a strong clue about which Web site likely got breached in the event that said password shows up in one of these targeted phishing attacks going forward].

-Do not respond to spam or phishing emails. Several readers reported sending virtual nastygrams back to their would-be sextortionists. Please resist any temptation to reply. In all likelihood, the only thing a reply will accomplish is letting the attackers know they have a live one on the hook, and ensuring that your email address will receive even more scams and spams in the future.

-Don’t pay off extortionists. For the same reason that replying to spammers is a bad idea, rewarding extortionists only serves to further the victimization of yourself and others. Also, even if someone really does have the goods on you, there is no way that you as the victim can be sure that paying makes the threat go away.

Tags: , , , , , , , , , ,

42 comments

  1. I have been tracking BTC addresses used by this campaign through the Internet Storm Center (https://isc.sans.edu/forums/diary/Sextortion+Follow+the+Money/23922/). I am currently tracking 337 BTC addresses. Those addresses have resulted in 130 payments for a total of $237,000 USD, an average payment of over $1800 USD.

    • I don’t see the Bitcoin address listed they used in the e-mail I got. Where do I submit it?

      • If anyone has BTC addresses they would like to add to be monitored they can send them to me at rwanner(at)isc.sans.edu. If possible if you could also send a copy of the email (preferably with headers) or at least the email address that sent it and whether or not the email contained a password.

        I am storing the BTC addresses without attribution, so your submission will be kept anonymous.

  2. The Sunshine State

    You forgot to add to your list, enable 2FA on accounts

  3. I got one today at an old work email address (company keeps changing names, so it was forwarded through). I have to say it was quite shocking to see a password I used to use for many things in the subject line. I am guessing that one of the business-related email lists or maybe a subscription house was hacked.

    Even if I believed the text and had visited such sites, I can tell you with 100% certainty that I NEVER would have used a work email address. Plus I have had my camera covered since they assigned me this laptop. Lol

    • OK. It DEFINITELY was an email address and pwd I would have used on LinkedIn.

    • How is this shocking?
      Have you never looked at the have I been pwned website?

      If you’re not checking you emails/passwords to see if they have been part of a data breach then you’re not very security aware

      • I disagree; while haveibeenpwned is a great tool to demonstrate the frequency with which passwords are exposed, it is not an entirely exhaustive list (i.e. just because you’re not on it, doesn’t mean you’re password is safe.)

        You’re much better off starting with a password manager (if you STILL haven’t gotten one), and as you access each website you use, change the password to a unique, unmemorable one. The next time one of those sites is breached, you’ll likely get prompted to change your password on your next logon, and there’s no other sites you have to worry about changing your password for (because you have no shared passwords.)

        Relying on tools like haveibeenpwned to determine the current security of your shared password means you’re behind the curve.

    • Yes, It is tempting to send a reply to these miscreants. I was thinking of something along the lines of “Thank you so much for informing me of the compromised password, so that I may correct the security shortfall.”

      However, resisting temptation is always the better choice.

  4. I’m pleasantly surprised the amount received by the bad actors isn’t greater than $250K as I assumed a lot more people would fall victim.

    • The issue is that we don’t know the total size of the campaign. That $250,000 may be only 1/10th, 1/100th, or 1/1000th of the total BTC addresses used in the campaign. While we don’t know the total paid, it is clear it was most likely wildly successful.

  5. Richard Pearce-Moses

    A note of personal thanks. As a recipient, your article put my mind at ease. I also posted a link to it on my FB page so that others would have an authoritative source.

    • Don’t forget to send all your facebuck friends copies forwards of the emails you get…. KIDDING!

      Anyone that values personal privacy should not be sharing anything of value, whatsoever, on fb. Or LinkedIn, or …

  6. I got a sextortion e-mail on July 26 demanding $7,000. This is after someone hacked my Twitter a couple weeks ago. A few days before that, my debit card was compromised and someone ordered over $1,400 worth of stuff online with it. In March 2018 I discovered an ex created an Instagram profile pretending to be me, trying to get other accounts to share intimate photos of me, so by now I’ve become a lot more security conscious but had failed to update my Twitter password in years. I’m still not sure how someone got my debit card info.

    My e-mail is on a few lists on haveibeenpwned.com, and I’m pretty sure it was part of the Ashley Madison breach. I wonder if they are using the Ashley Madison e-mails for the sextortion scams? Seems like a good chance they’d get a lot of people who would pay because they have a lot of secrets and are scared. (And no, I wasn’t looking for an affair; just had signed up to see what was on there.)

    • Don’t ever use a debit card online – in fact I don’t recommend using one over 100 miles from where you live! Even a local brick and mortar store could have been the source that compromised a debit card, but at least the local law enforcement is willing to check on localized crime. Debit cards have rules that put too much loss responsibility on the user, and don’t have the protections credit cards do.

      • Yes, ALWAYS use the Credit Card option if you are presented with it. The POS may LOOK like all it will except is your debit card and # but most have a way to make it a credit transaction.

      • JCitizen,

        As the InfoSec officer at a community bank, I can assure you that the bank is liable for all losses on a compromised debit card. The bad guys may empty the account, but the bank is liable for reimbursement. The customer may experience some inconvenience while the account is reconciled, but will have little to no losses (expect for late or rejected payment fees from third parties on transactions that occurred while the account was empty or low on cash). It’s a MasterCard and Visa Zero loss policy.

        This is why our particular institution blocks ALL bank debit card transactions processed via the Internet (customer or PoS initiated). Customers must use a credit card for Internet transactions (we’re liable there too, but at least make some money back in interest, and fraudulent charges can be disputed).

        We’ve lost customers because of this, but the risk liability for debit card transactions via the Internet outweighs the loss of a few customers. We have other security measures in place to catch or red flag suspicious transactions, and cards are sometimes blocked until the customer can be reached for verification (or calls us for declined purchases). However, blocking debit card Internet initiated transactions has saved us money (losses in accounts, replacing the compromised card, time…) and kept our customers safer.

      • My suggestion: NEVER USE A PIN number on ANYTHING but a BANK ATM. Saved my bank account from being wiped out, let me tell you.

        Been a victim twice, thanks to using card at grocery store and at a gas station, in town.

        Grocery store fell prey to people pretending to be Point-Of-Sale repairmen, swapping in a reader “man in the middle” device, to pick up all data. Big scandal on that one. Criminals then used my card to rent a hotel room in Dubai – $1,600. Thankfully no PIN number was captured from my debit ATM card, but I did hear of several people locally who had their entire accounts drained.

        The gas station criminal was one of the attendants, who plugged his laptop into the reader, and was spoofing transactions, then running the actual transaction separately, to prove his capture worked, and to hide the activity. He started using the card numbers about a month later. He got caught trying to use a “renumbered” credit card (mag stripe reprogrammed to stolen card) and was caught with the laundry list of numbers. Again, credit card use only, not a PIN transaction.

        I’ve also had checks stolen, and those criminals got caught by the Feds thankfully. I’d explain how, but that may give bad people a leg up.

  7. I received a sextortion emai too! I was shocked when they demanded they would release the photos if I didn’t pay them. I told them I wasn’t going to pay them and instead asked them to send me a sample of what they had to make sure they are reposting duplicates

    • Maybe I’m not as smart as you, Bonsurper. But I think the rule is:
      “Don’t reply to these emails!”

      They’ll know you are alive and will try to continue the conversatoin.

      • You are correct Roger. You should NEVER respond in anyway to these phishing emails. I too have received a couple of these phishing emails and I immediately delete them.

        I will say that my password is from many years back and one that I do not use at all so I know this information is very old.

  8. Stuff like this makes me remember I need to get back to the security basics presentation I wanted to put together for family/friends. But then I remember that I’ll probably be never left in peace if I do so and …

  9. Thank you, Brian Krebs, for publishing such clear descriptions of these vicious schemes. I’ve begun to notice your name, and your articles, mentioned as a source in other published articles.

    It’s not a matter of being paranoid. It’s a matter of being wary, and aware, and taking steps to protect ourselves and our loved ones.

    A couple of things I’ve been looking for: A carefully paced video describing how phishing occurs (using email or SMS), including the receipt of a likely-looking phishing message, the click, the resulting damage to the computer, and the resulting financial or other personal damage to the victim.

    Second, a video showing the impact of identity theft (and medical identity theft) on the victim’s lives.

    A link to a well-researched, dramatic TV show would suffice.

    • I do not know of any videos like that offhand but if you want to see the “working end” of clicking on an attachment go to https://app.any.run and watch some of the public submissions. It is a great site that I use when our users send me an email to analyze.

  10. There is also the possibility of the following type of targeting. From the initial compromise of a passcode and a geo-located IP Address, the scammers could be in a revenue-sharing arrangement with various adult sites. One of those sites associates the IP addresses or geolocation when the unsuspecting user visits the adult site. Then the scammers trigger the extortion email.

    That way, there is an increased fear by the victim that the threat is credible. If the victim pays, then the adult site and the scammers share in the bounty.

    Plausible?

  11. Wade A. Malone

    I want to personally say “Thanks” for everything you do.
    You’re a Stand Up Guy in a Sit Down World!

  12. The password used in the email I got was from the Adobe breach.

  13. when is it time for a new email?

    I would also suggest using http://haveibeenpwned.com/. if your email has been on lots of breached sites and your getting lots of spam, its time to get a new email address. It takes some time and work but it’s worth it… finally ditched the email I’ve had for over 12 years… been on about 9 breached sites so I know it’s on the dark web… now my new email so far gets zero spam.

  14. @brian:

    > [Side note: … going forward].

    That period should be inside the brackets…

  15. I have already been seeing highly-personalised malspam being sent to people for over a year with details including their full name, home address and personal telephone numbers, all sent to work email addresses. Attached to these is a banking trojan, and they have a pretty high clickthrough rate because the details do look fairly convincing. All of these victims can be found on HaveIBeenPwned (from memory it was the Anti Public Combo list) which is an amalgamation of large and small site breaches.

    It seems to me that this approach is probably lower risk than a banking trojan, and it doesn’t really require much in the way of technical skill to do it. When you consider just how much private data has leaked out for most people, you could easily include enough to look very convincing.

    As an aside, I only received a single on of these myself, the password quoted was from Myspace, although the majority of other ones I have seen were probably LinkedIn.

  16. Some times I find it hard to tell if you are advising or mentoring. While I do find your information and most of all your background on subject matter informative, at times I do see your articles as how to guides.

    Having been in IT for let just say 35+ years, many of todays supposed hackers are the level of script kitties of yesterday. So I don’t think it’s any more advanced than the scams of the 90’s, but I do agree that the target environment has evolved from those who were well off and could afford computing, to those who are less able to both afford to be scammed and are lacking the technical understanding.

    Now to the point, how do we educate the masses? We aren’t going to stop the trolling which range from phishing to politics. Keeping in mind it’s not just e-mail but includes, phone, text, social media post, and so on. Do we need a cyber police that funded from the spoils of the offenders? Will big brother (i.e. government, corporation, etc..) step in and save the day? Or can we educate effectively?

  17. “compromised your computer and used your webcam to record a video of you while you were watching porn. The missive threatens to release the video to all your contacts unless you pay a Bitcoin ransom.”

    LOL. No surprise to anyone that knows me.

  18. Crossword Mike

    Brian emphasized points such as these in this very article: “Don’t re-use passwords” and “Several readers reported sending virtual nastygrams back to their would-be sextortionists. Please resist any temptation to reply.”

    And he made note that the previous article on this topic drew plenty of descriptions of these insecure practices.

    So of course the comment section for this update article has a whole new set of descriptions of re-using passwords and replying to attackers (or to spoofed “From:” sources).

    Sigh.

  19. Yes, I have had this as well. The first attempt did not have the password scam, so I used a dummy email address and replied to the scammer. I asked him to post the video he claimed, as it would do my street cred no harm at all! I begged him to publish. It would have been interesting as to how he did his, as i only have cameras on my iDevices, not my desk top PC.

    The latest had a password. I use a password manager, and generate passwords for all the websites I visit. The only reuse of passwords is for my own, internal sites that are air gapped. The password claimed is not one I have on record. And as its a 12 character string of random numbers and letters I have no idea if I have ever used it.

    I strongly recommend a password manager. I use LastPass, which I secure with a phrase not a word, and have 2FA enabled. I use it to generate all passwords. I NEVER store password in the browser. EVER.

    Using a password manager means that all your passwords are different. They are random. Not even you know what they are, and you don’t need to know. And if I do need to share a password with my wife, I can do so in a secure manner.

  20. What are the consequences of using pwned email addresses?

  21. I received one recently and the password was definitely from the LinkedIn breach – the tip-off was that it was sent to a forwarding address that I’d created only for use with that site/account.

  22. I have had this happen and use disposable (or one time use) email addresses for my online interactions. (www.manyme.com). I also use a password manager (1password) for password management (as its hard to track a lot of unique pswds).

    My conclusion in this case was that it was linked in (as evidenced by the email used) and that the password theft was over two years old (as per the history of the password manager)

    Its still frightening to say the least and very disconcerting. My feeling is that people need to go to a multiple identity token model (i.e. my email address MUST be different for each website – how that is managed is a different issue) plus a different password. Google offers aliases (but clunky) – I like ManyMe and the service they offer but to each his or her own. In addition a password manager is also a requirement as you can otherwise not keep track of all the passwords.

    This is just the beginning……. Im sure more to come.

  23. About To Be Bonkers Wife

    Has there been any incidents of where the senders of this fake porn blackmail email scam have followed through with their threat? My husband received one on 8/6/18 and has been freaking out. He is not a porn viewer but did a stupid thing. On 8/4 we were watching a PG rated TV show where it turned out that many of the female stars had made porn movies in the past. He followed the trail and came upon the sites where they did. His letter was the exact version of what I have seen except it was a five day time limit. It has given him more time to sweat. We ran haveibeenpwned and sure enough he was part of the LinkedIn data breach where he used the password mentioned in the email. He had already changed from that password everywhere except his Facebook account. He has now changed that. I have told him I have read 50 articles on this, they all say the same thing. None of our email addresses use this password. We have ran a scan which shows no malware installed. He didn’t reply and of course didn’t send them the $1500. I have even told him don’t you think if someone was blackmailing you, they would send you evidence? Also, wouldn’t they pick someone who didn’t look like the most bored porn viewer in the world and had more that 200 FB contacts? I am just trying to tell him something else to put him at ease. If he gets another one of these it might just do him in.

Leave a comment