Sextortion Rears Its Ugly Head Again

Attackers are sending email blasts with malware links in embedded PDFs as a way to evade email filters, lying about having fictional "video evidence."

A new French-language sextortion campaign is making the rounds, researchers warn.

As noted by Sophos researchers in a Monday report, sextortion is one of the oldest tricks in the book, but its popularity has waned in recent years due to effective cybersecurity, law enforcement crackdowns and the rise of ransomware.

This new campaign is one signal of what may be a resurgence, they said.

Webinar Promo

Click to Register for FREE

Threats Sandwich Malware Links

The new French-language attack entails a blind email blast, shown below, with unsubstantiated claims of video evidence and so on. It cites France’s legal penalties for watching illegal pornography, then tells the reader: “If you wish, you may reply to the address below to explain away your actions, so that we can evaluate your explanation and determine if charges should be brought. You have a strict deadline of 72 hours.”

Should the reader not comply, “we will are [sic] obliged to send our report to the Public Prosecutor to issue an arrest warrant against you. We will proceed to have you arrested by the police closest to your place of residence.”

Notably, the malicious email contains no plaintext or hyperlinks. Instead, its text is displayed in an image file.

French-language sextortion threat email. Source: Sophos.

Attackers use hyperlinks to trick unwitting victims into downloading malware or visiting malicious webpages. As Sophos explains, “Adding an image that holds the call-to-action text obviously makes it harder for a recipient to reply, because a plain image can’t contain clickable links, or even text that can be copied and pasted.”

But, as Mike Parkin – senior technical engineer at Vulcan Cyber – told Threatpost via email, “The fact that most scams end up in our junk mail folder shows how effective email filters have become, which is why they look to alternative methods like embedded PDFs or images rather than raw text or HTML that is easy for the filters to analyze.”

What is Sextortion?

Sextortion is a form of blackmail in which a malicious actor claims to possess evidence of sexual misbehavior from their victim. The attacker demands payment in exchange for not spreading the compromising information or images.

Sometimes, these campaigns can combine with botnets, ransomware and other methods of cyber attack to form a potent cocktail. However, as prior attacks have shown, sextortion tends to be rudimentary: Such attacks aren’t targeted. Rather, they entail blind email blasts that prey on victims’ fear, without any actual evidence of sexual impropriety to back them up.

Sextortion is on the Rise Again

“Scams seem to run in cycles,” notes Parkin. “Whether it’s a Prince from Nigeria, uncollected assets, scam victim compensation, extortion over adult websites you didn’t visit, or whatever. Scammers will use one for a while, then shift to something else when they stop getting responses. Eventually, they’ll circle back to an old scam that may have been updated with new text or a new graphic.”

Lionel Sigal, CTI at CYE, told Threatpost via email that sextortion has recently been skyrocketing; “Sextortion attempts (real and fake) targeting executives of organizations have increased by 800% in the last 4 months,” he said.

Campaigns targeting ordinary individuals are also spiking: The FBI’s Internet Crime Complaint Center received more than 16,000 sextortion complaints in only the first seven months of 2021.

Will this old-hat method of cyber attack prove effective? “It’s too early to tell what the hit rate is on this technique,” Casey Ellis, Founder and CTO of Bugcrowd, told Threatpost via email, “but it feels to me like a pivot that people would fall for. If a scam has a take of $500 and it costs 1 cent to send an email, you only have to connect 1 in 50,000 times for the scam to break even.”

To Parkin, “the best defense is solid user education. No matter how successful an attacker is at getting past the filters, their attack can only succeed if the target falls for it and takes the bait.”

Join Threatpost on Wed. Feb 23 at 2 PM ET for a LIVE roundtable discussion “The Secret to Keeping Secrets,” sponsored by Keeper Security, focused on how to locate and lock down your organization’s most sensitive data. Zane Bond with Keeper Security will join Threatpost’s Becky Bracken to offer concrete steps to protect your organization’s critical information in the cloud, in transit and in storage. REGISTER NOW and please Tweet us your questions ahead of time @Threatpost so they can be included in the discussion.

Suggested articles