Story image

Sextortion attacks targeting education orgs - Barracuda

04 Mar 2019

Sextortion scams have increased in frequency and scope since Barracuda first highlighted this type of attack in its October Threat Spotlight.

Previously, sextortion scams were used as part of large-scale spam campaigns, but now many of these attacks are getting more sophisticated and bypassing email gateways.  

Barracuda analysed spear phishing attacks targeted at its customers and found that 1 in 10 were blackmail or sextortion attacks.

In fact, employees are more likely to receive a sextortion scam than an employee impersonation or business email compromise attack.

Highlighted Threat:

Sextortion Scam – Attackers use passwords stolen in past data breaches to trick users into paying Bitcoin to avoid having a compromising video, which attacker claim to have recorded on the victim’s computer, shared with all their contacts.

The Details:

The basic approach of sextortion scams remains the same.

Attackers are harvesting email addresses and passwords and using them in the threatening email to add to the victim’s fears.

Often, attackers will spoof their victim’s email address and pretend to have access to it to make the attack even more convincing.

Payment demands usually ask for Bitcoin, and Bitcoin wallet details are included in the message.

Most sextortion scams are sent as part of larger spam campaigns to thousands of people at a time, so most get caught in spam filters.

But, like with many other types of email fraud, scammers are evolving their techniques using social engineering tactics to bypass traditional email security gateways.

Many sextortion emails end up in users’ inboxes because they originate from high-reputation senders and IPs.

In fact, hackers will use already compromised Office 365 or Gmail accounts in their campaigns. Emails from these legitimate, high-reputation-score accounts will pass through gateways and land in their victims’ mailboxes.  

These emails don’t usually contain any malicious links or attachments that traditional gateways will look for.

Attackers have also started to vary and personalise the content of the emails, making it difficult for spam filters don’t stop them.

Sextortion scams are also under-reported due to the intentionally embarrassing or sensitive nature of the threats.

As a result, IT teams are often unaware of these attacks because employees either choose to pay a ransom or are simply too embarrassed to report the email.

Most common sextortion subject lines

In Barracuda’s study of sextortion and blackmail attacks, we looked at the 30 most common subject lines, which represent over 60% of all the sextortion emails analysed.

Barracuda noticed patterns in the subject lines used by attackers.

The two most common subject lines are security alerts and requests to change passwords. Attackers will often include either the victim’s email address or their password in the subject line to get them to open and read the email.

Here are some examples of security alert subject lines seen in the research:

  • name@emailaddress.com was under attack change you access data

  • Your account has been hacked you need to unlock

  • Your account is being used by another person

Here are some examples of password change subject lines we saw:

  • Change your password [password] immediately your account has been hacked

  • Hackers know your password [password] password much be changed now

We found that almost every subject line on a sextortion email will contain some form of security warning, with more than a third requesting a password change.

Other common subject lines that we saw include references to a customer service ticket number or incident report.

Occasionally, attackers are more straightforward with the subject line, using threats like:

  • You are my victim

  • Better listen to me

  • You don’t have much time

  • You can avoid problems

  • This is my last warning name@emailaddress.com

Industries most likely to be targeted by sextortion

In the research, Barracuda found education was the industry targeted most frequently by sextortion and blackmail, making up 55% of attacks.

A full 14% of attacks targeted government employees, and 11% went after business services organisations.

The overwhelming focus on education is a calculated move by attackers.

Educational organisations usually have a lot of users, with a very diverse and young user base that is less informed about security awareness and may be less aware of where to seek help and advice.

Students and young people are also more likely to be scared into wiring the money, given the nature of the threat.

4 ways to protect against sextortion scams

1. Spear phishing protection — Because attackers are adapting sextortion emails to bypass email gateways and spam filters, a good spear phishing solution that protects against blackmail and sextortion is a must.

2. Account takeover protection — Many sextortion attacks originate from compromised accounts, so make sure scammers aren’t using your organisation as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognise when accounts have been compromised.

3. Proactive investigations — Given the nature of sextortion scams, employees might be less willing than usual to report these attacks, so you should conduct regular searches on delivered mail to detect emails related to password changes and other content we discussed above. Many of sextortion emails originate from outside North America or Western Europe. Evaluate where your delivered mail is coming from, review any that are of suspicious origin, and remediate.

4. Security awareness training —  Educate users about sextortion fraud, especially if you have a large and diverse user base, like the education sector.  Make it part of your security awareness training program. Ensure your staff can recognise these attacks, understand their fraudulent nature, and feel comfortable reporting them.

The silver lining in Australia’s Government cloud strategy
Cloud has been a huge part of the ‘digital transformation’ conversation within Australian government during recent years.
Aerohive achieves ISO/IEC 27001 cloud platform certification
Aerohive is the first cloud-managed networking vendor recognized by a global standard for commitment to information security management systems.
Is Google’s Stadia feasible with today’s data centres?
To get a better idea of the sheer audacity behind Google’s latest move, we spoke to Unitas Global chief technical officer Grant Kirkwood.
Survey: IT pros nostalgic over on-prem data centre visibility
There are significant security and monitoring challenges faced by IT staff responsible for managing public and private cloud deployments.
61% of CIOs believe employees leak data maliciously
Egress conducted a survey to examine the root causes of employee-driven data breaches, their frequency, and impact.
VMware allures APJ channel veteran to take the reins
Balasingam will take on the role of vice president for VMware’s partner business in Asia Pacific and Japan (APJ).
Security top priority for Filipinos when choosing a bank - Unisys
Filipinos have greatest appetite in Asia Pacific to use biometrics to access banking services
Opinion: Modular data centers mitigate colocation construction risks
Schneider's Matthew Tavares believes modular data centers are key for colocation providers seeking a competitive advantage with rapid deployment.