Story image

Sextortion attacks targeting education orgs - Barracuda

04 Mar 2019

Sextortion scams have increased in frequency and scope since Barracuda first highlighted this type of attack in its October Threat Spotlight.

Previously, sextortion scams were used as part of large-scale spam campaigns, but now many of these attacks are getting more sophisticated and bypassing email gateways.  

Barracuda analysed spear phishing attacks targeted at its customers and found that 1 in 10 were blackmail or sextortion attacks.

In fact, employees are more likely to receive a sextortion scam than an employee impersonation or business email compromise attack.

Highlighted Threat:

Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which attacker claim to have recorded on the victim’s computer, shared with all their contacts.

The Details:

The basic approach of sextortion scams remains the same.

Attackers are harvesting email addresses and passwords and using them in the threatening email to add to the victim’s fears.

Often, attackers will spoof their victim’s email address and pretend to have access to it to make the attack even more convincing.

Payment demands usually ask for Bitcoin, and Bitcoin wallet details are included in the message.

Most sextortion scams are sent as part of larger spam campaigns to thousands of people at a time, so most get caught in spam filters.

But, like with many other types of email fraud, scammers are evolving their techniques using social engineering tactics to bypass traditional email security gateways.

Many sextortion emails end up in users’ inboxes because they originate from high-reputation senders and IPs.

In fact, hackers will use already compromised Office 365 or Gmail accounts in their campaigns. Emails from these legitimate, high-reputation-score accounts will pass through gateways and land in their victims’ mailboxes.  

These emails don’t usually contain any malicious links or attachments that traditional gateways will look for.

Attackers have also started to vary and personalise the content of the emails, making it difficult for spam filters don’t stop them.

Sextortion scams are also under-reported due to the intentionally embarrassing or sensitive nature of the threats.

As a result, IT teams are often unaware of these attacks because employees either choose to pay a ransom or are simply too embarrassed to report the email.

Most common sextortion subject lines

In Barracuda’s study of sextortion and blackmail attacks, we looked at the 30 most common subject lines, which represent over 60% of all the sextortion emails analysed.

Barracuda noticed patterns in the subject lines used by attackers.

The two most common subject lines are security alerts and requests to change passwords. Attackers will often include either the victim’s email address or their password in the subject line to get them to open and read the email.

Here are some examples of security alert subject lines seen in the research:

  • name@emailaddress.com was under attack change you access data

  • Your account has been hacked you need to unlock

  • Your account is being used by another person

Here are some examples of password change subject lines we saw:

  • Change your password [password] immediately your account has been hacked

  • Hackers know your password [password] password much be changed now

We found that almost every subject line on a sextortion email will contain some form of security warning, with more than a third requesting a password change.

Other common subject lines that we saw include references to a customer service ticket number or incident report.

Occasionally, attackers are more straightforward with the subject line, using threats like:

  • You are my victim

  • Better listen to me

  • You don’t have much time

  • You can avoid problems

  • This is my last warning name@emailaddress.com

Industries most likely to be targeted by sextortion

In the research, Barracuda found education was the industry targeted most frequently by sextortion and blackmail, making up 55% of attacks.

A full 14% of attacks targeted government employees, and 11% went after business services organisations.

The overwhelming focus on education is a calculated move by attackers.

Educational organisations usually have a lot of users, with a very diverse and young user base that is less informed about security awareness and may be less aware of where to seek help and advice.

Students and young people are also more likely to be scared into wiring the money, given the nature of the threat.

4 ways to protect against sextortion scams

1. Spear phishing protection — Because attackers are adapting sextortion emails to bypass email gateways and spam filters, a good spear phishing solution that protects against blackmail and sextortion is a must.

2. Account takeover protection — Many sextortion attacks originate from compromised accounts, so make sure scammers aren’t using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised.

3. Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks, so you should conduct regular searches on delivered mail to detect emails related to password changes and other content we discussed above. Many of sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any that are of suspicious origin, and remediate.

4. Security awareness training —  Educate users about sextortion fraud, especially if you have a large and diverse user base, like the education sector.  Make it part of your security awareness training program. Ensure your staff can recognise these attacks, understand their fraudulent nature, and feel comfortable reporting them.

Forescout strengthens investment in OT security
Forescout’s latest features will provide enterprises with improved productivity, lower risk profiles and faster mitigation of threats.
Hybrid cloud security big concern for business leaders
A new study highlights that IT and security professionals have significant concerns around security for hybrid cloud and multi-cloud environments.
GitHub launches fund to sponsor open source developers
In addition to GitHub Sponsors, GitHub is launching the GitHub Sponsors, GitHub will match all contributions up to $5,000 during a developer’s first year in GitHub Sponsors.
Check Point announces integration with Microsoft Azure
The integration of Check Point’s advanced policy enforcement capabilities with Microsoft AIP’s file classification and protection features enables enterprises to keep their business data and IP secure, irrespective of how it is shared. 
ESET researchers break down latest arsenal of the infamous Sednit group
At the end of August 2018, the Sednit group launched a spear-phishing email campaign, in which it distributed shortened URLs that delivered first-stage Zebrocy components.
Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Fake apps on Google Play scamming users out of cryptocurrency
Fake cryptocurrency apps on Google Play have been discovered to be phishing and scamming users out of cryptocurrency, according to a new report from ESET.