Extortion Scams: Threat Actors Utilize Google Street View in Latest Tactic

September 17, 2024

Found in Environments Protected By: Microsoft

By: Justin Rudd, Cofense Phishing Defense Center

In recent weeks, the Cofense Phishing Defense Center (PDC) observed an evolution of a commonly seen scam tactic known as the “sextortion” scam. These scams are prevalent across sectors and industries and are difficult to stop because the emails generally carry no malicious URLs or attachments, the sending addresses are randomized, and each message is tailored to the target in question. These factors make it difficult for traditional security suites to detect and neutralize the threat.

Figure 1: Email Body

Though blurred in Figure 1, the threat actor lists the target’s supposed address and phone number in the email body to grab the target’s initial attention. While the usual sextortion scam email originates from random or spoofed email addresses, the trend with this version is that the emails originate from Gmail accounts that appear to be randomly chosen. Previous scam emails are also simpler in that everything is contained within the email body, and they rarely come with URLs or attachments. In this campaign, the email bodies contain only the target’s unique individual information: the name, address, and contact information of the potential target.

Figure 2: Attached PDF File

Attached to these emails are PDF documents containing the language expected from sextortion emails, with the twist of including an image of the target’s supposed home or place of work. The images used are not always of the target’s residence; they may simply show the street or the surrounding environment. This suggests that the threat actor is generating the images automatically rather than selecting them by hand. The document starts by addressing the target by their first and last name along with their street address and an image of that address. The threat actor has likely used a mapping service such as Google Street View to obtain an image of the target’s residence or place of work, and threatens to visit the target if they don’t respond to the email.

The threat actor asserts that they compromised the target’s system using “Pegasus” spyware and uses additional technical jargon to prey on the target’s potential lack of knowledge. They claim to have been watching the target for an extended period, amassing a large amount of information. To bolster their credibility, the threat actor uses casual language and slang, expressing confidence while suggesting they have recorded the target, even complimenting their surroundings.

The threat actor presents two options to the target. The first is to ignore the email, in which case the sender threatens to release the supposed videos to the target’s contacts. The second is to pay a specified amount in the cryptocurrency Bitcoin, after which the threat actor claims they will delete the videos and disappear. The document then lists the threat actor’s Bitcoin wallet address along with the requested amount, and includes a QR code encoding the same Bitcoin address.
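The indicators described above (a random Gmail sender, a PDF attachment, the “Pegasus” claim, the exposure and visit threats, and a Bitcoin wallet address) can be turned into a simple triage score for a mail-security or SOC pipeline. The script below is an added example, not Cofense’s own tooling; the two messages are constructed samples, and the Bitcoin address is the public genesis-block address, used only because it is a syntactically valid value. It also checks the Base58Check checksum so that a random string of the right shape is not counted as a wallet address.

```python
import hashlib
import re

# Base58 alphabet used by legacy (P2PKH/P2SH) Bitcoin addresses.
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def is_valid_legacy_btc_address(addr):
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in _B58:
            return False
        n = n * 58 + _B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # leading '1's decode to leading zero bytes
    except OverflowError:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum

def score_message(sender, attachments, text):
    """Return (score, indicators) for one email; text = body plus extracted PDF text."""
    hits = []
    if sender.lower().endswith("@gmail.com"):
        hits.append("freemail_sender")
    if any(name.lower().endswith(".pdf") for name in attachments):
        hits.append("pdf_attachment")
    if re.search(r"\bpegasus\b", text, re.I):
        hits.append("pegasus_claim")
    if re.search(r"\b(video|recorded|webcam)\b", text, re.I) and re.search(r"\bcontacts\b", text, re.I):
        hits.append("exposure_threat")
    if re.search(r"\b(visit|stop by)\b", text, re.I):
        hits.append("physical_visit_threat")
    for cand in _ADDR_RE.findall(text):  # bech32 (bc1...) addresses are not covered here
        if is_valid_legacy_btc_address(cand):
            hits.append("btc_address:" + cand)
    weights = {"pegasus_claim": 2, "exposure_threat": 2, "physical_visit_threat": 2}
    score = sum(weights.get(h.split(":")[0], 1) for h in hits)
    return score, hits

# Constructed samples for demonstration only; the address is the public Bitcoin
# genesis-block address, used purely because it is a syntactically valid value.
SCAM = dict(sender="random.words.4821@gmail.com", attachments=["notice.pdf"],
            text="John Doe, 123 Example St. I infected your device with Pegasus and "
                 "recorded you. Send 1950 USD in Bitcoin to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
                 "or the video goes to your contacts. Ignore this and I will visit you.")
BENIGN = dict(sender="billing@example.com", attachments=["invoice.pdf"],
              text="Attached is your invoice for September. Thanks!")
```

Calling `score_message(**SCAM)` returns a score of 9 with every indicator present, while the benign invoice scores 1 on the PDF attachment alone; the weights are a starting point to tune against your own mail traffic.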

This version differs from previously observed scams of this type in its consistent use of random Gmail addresses and its inclusion of the target’s residence or place of work, potentially with photos of it. While previous versions of sextortion scams sometimes used spoofed email addresses as an intimidation tactic, threat actors appear to be shifting toward the more direct and more intimidating approach of threatening the target in a much more personal way. Remember to always be vigilant of attacks and protect your personal information. If you would like to learn more about how the Cofense PDC can help keep your organization safe, contact us.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of endpoint protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.


The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.