Users with online porn habits bitten by wave of sextortion, as sextortionist gets 6 years

News by SC Staff

Contradictory reports about current sextortion scamming include claims of an upsurge in scams and claims that scammers are making less money, while in a major NCA investigation one player gets six years in prison.

There are contradictory reports about the current state of play in sextortion scamming - so while it's claimed that there's an upsurge in scams, the scammers are actually said to be making less money.

The record upturn in fraudulent e-mail messages that seek to extort money, especially from people watching online pornographic videos, is being reported by ESET. In an email the attacker claims they have hacked the intended victim's device and recorded the person while watching pornographic content, including the user's behaviour in front of the webcam, and which videos were played.

"In order to conceal the compromising materials, the attacker asks for a sum of around 0.43-0.45 Bitcoin (approx. £1,500), however we've already seen other messages asking for other amounts," explains Ondrej Kubovic, ESET security awareness specialist. "The victim is directed to pay within 48 hours of opening the email or the cyber-criminal threatens to send the incriminating video to all the contacts he/she has managed to steal from the infected device," adds Kubovic.

Previous sextortion scam email waves detected by ESET were mostly in English, but recent localised versions have focused on Australia, United States, United Kingdom, Germany, France, Spain, Czech Republic and Russia.

The attackers do not really have any video of the victim and users can avoid similar threats through antispam technology. Sextortion can also happen when an attacker has real photographs of a victim, for example, from an intimate conversation via a fake profile. It is particularly dangerous if the victim is a child.

Effective social engineering mainly focusses on users who secretly watch pornography on their devices. Some of the previous versions even made the (scam) email appear as if it came "from the victim’s own email address", which supported the attacker’s claims about the hacking of the device. In an even older version of this scam, the attacker claimed to know the victim's password, including it in the body of an email as evidence. In this case, the attacker probably obtained the data from some of the large data leaks which included billions of authentic login names and passwords. If a user has ever actually used the password mentioned in the scam, they can be scared into making a hasty payment.

Users need to know that if they find such an email in their mailbox, they should "...act slowly, deliberately and avoid rash steps. First of all, do not reply to the scam, do not download its attachments, do not click on embedded links, and certainly do not send money to attackers."

Kubovic adds that if an attacker lists your actual password, "I recommend changing it and activating two-factor authentication on that service. Indeed, in many cases, attackers actually test the login information and use the hacked account at least to spread their messages. Also, scan your device with reliable security software that can detect real infections and other issues, such as the misuse of the built-in webcam. This can be done, for example, by simply adding tape over its lens," Kubovic advises users.

In contrast, in an email to SC Media UK, Steve Peake, Pre-Sales Engineer at Barracuda Networks, noted that according to a Bleeping Computer report and a Talos blog post, sextortion scammers have made a lot less money in the first few months of 2019 compared to 2018, and that as a result they've resorted to new tricks to try and restore their previous revenue stream.

"They’re now using complex underlying code, mixing plain text letters with HTML characters, to get through spam filters. This is another example of where attackers’ sophistication is becoming increasingly harder to spot by the naked eye.

"While it's an old tactic that we've seen before, traditional gateway email defences are often only designed to detect malicious payloads or attacks originating from low reputation platforms. Businesses can protect themselves from this form of attack by leveraging a multi-layered approach to email security. The traditional gateway security is still a requirement, however leveraging inbox-based defences and artificial intelligence technologies can allow for great success in detecting sneaky spear phishing attacks.

"Staff engagement with training and simulation will also significantly raise awareness of both the risk and how to identify this form of attack. While training might be delivered within a business environment, it can also be applied to home life."
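The evasion Peake describes (plain letters interleaved with HTML character entities so that a filter scanning the raw message never sees the word "Bitcoin") is defeated by normalising the body before any keyword rule runs. The following is an added example, not code from the article, ESET or Barracuda: it strips tags, decodes entities, and then scores the message on the markers the article itself lists (a Bitcoin address, a BTC amount, a 48-hour deadline, threats about recordings and contacts). The sample lure, the benign message and the Bitcoin address in it are all constructed placeholders, and the scoring thresholds are this example's own assumption.

```python
import html
import re
import unicodedata

# Constructed sample lure (not a real message). Key words are broken up with
# HTML numeric entities, as the quoted Barracuda comment describes, so a rule
# matching the raw bytes never sees "recorded" or "Bitcoin".
# The address is a made-up placeholder that merely has the right shape.
SAMPLE_HTML_BODY = (
    "<p>I rec&#111;rded you while you were watching &#x76;id&#101;os. "
    "Send 0.45 &#66;&#105;tcoin to 1ConstructedAddrForThisExamp1eBTC "
    "within 4&#56; hours or the vid&#101;o goes to all your contacts.</p>"
)

# Constructed benign message: mentions a video and a 48-hour window but makes
# no payment demand, so the scorer must not flag it.
SAMPLE_BENIGN_BODY = (
    "<p>Hi, the video call notes are attached. Please return the signed "
    "contract within 48 hours so we can invoice.</p>"
)

TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")
# Shape of a legacy base58 Bitcoin address (P2PKH/P2SH, starts with 1 or 3).
BTC_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoin)", re.IGNORECASE)
DEADLINE_RE = re.compile(r"(\d+)\s*hours?", re.IGNORECASE)

# Threat wording taken from the scam pattern the article describes.
THREAT_PHRASES = ("recorded you", "webcam", "your contacts", "video")


def raw_keyword_hit(body: str, keyword: str) -> bool:
    """A naive filter that inspects the raw HTML; this is what the entity trick evades."""
    return keyword.lower() in body.lower()


def normalize(body: str) -> str:
    """Undo tag/entity obfuscation so rules see the text the recipient sees."""
    text = TAG_RE.sub(" ", body)
    text = html.unescape(text)                  # &#66; / &#x42; / &amp; -> literal chars
    text = unicodedata.normalize("NFKC", text)  # fold full-width and similar variants
    return WS_RE.sub(" ", text).strip()


def extract_indicators(text: str) -> dict:
    """Pull the sextortion markers out of normalised text (case preserved for the address)."""
    lowered = text.lower()
    addr = BTC_ADDR_RE.search(text)
    amount = BTC_AMOUNT_RE.search(text)
    deadline = DEADLINE_RE.search(text)
    return {
        "btc_address": addr.group(0) if addr else None,
        "btc_amount": float(amount.group(1)) if amount else None,
        "deadline_hours": int(deadline.group(1)) if deadline else None,
        "threat_phrases": [p for p in THREAT_PHRASES if p in lowered],
    }


def classify(body: str) -> dict:
    """Flag a message only when a payment demand is paired with threat wording.

    The rule is this example's own assumption: a Bitcoin address or amount on
    its own (an exchange receipt) or threat words on their own (a news story)
    should not be enough.
    """
    indicators = extract_indicators(normalize(body))
    payment_demand = (
        indicators["btc_address"] is not None or indicators["btc_amount"] is not None
    )
    indicators["verdict"] = (
        "sextortion" if payment_demand and indicators["threat_phrases"] else "clean"
    )
    return indicators


if __name__ == "__main__":
    print("raw filter sees 'bitcoin':", raw_keyword_hit(SAMPLE_HTML_BODY, "bitcoin"))
    print("normalised:", normalize(SAMPLE_HTML_BODY))
    print("lure:", classify(SAMPLE_HTML_BODY))
    print("benign:", classify(SAMPLE_BENIGN_BODY))
```

The point of the two-stage design is that the normaliser, not the rule set, carries the burden of the evasion: once entities are decoded the same keyword rules that worked in 2018 work again, and the address/amount/deadline extraction gives an analyst structured fields to pivot on rather than a bare spam score.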

But the sextortionists are not having it all their own way, and this week the UK media has been reporting the jailing for six years of 24-year-old Zain Qaiser, a computer science student from Barking in Essex, who was a member of an international, Russian-speaking organised crime group responsible for spreading malware onto users' computers via malvertising on pornographic sites.

A National Crime Agency investigation found he had targeted hundreds of millions of computers in more than 20 countries with locking ransomware.

The NCA reports that its investigation identified that Qaiser received more than £700,000 through his financial accounts for his role in this global campaign of malware and blackmail, but they believe the total is likely to have been very much higher.

The NCA says he bought advertising traffic from pornographic websites, using the online name K!NG, on behalf of the crime group, using fraudulent identities and bogus companies to pose as legitimate online advertising agencies in a process of social engineering. Once advertising space was secured, the crime group would host and post malware-laden advertisements.

When users clicked on the ads they were redirected to another website hosting malware, including the Angler Exploit Kit (AEK). Users whose systems had exploitable vulnerabilities would subsequently be infected with a malicious payload.

One payload was Reveton – a type of malware that would lock a user's browser. Once locked, the infected device would display a message purporting to be from a law enforcement or government agency, which claimed an offence had been committed and the victim had to pay a fine of anything between US$300 and US$1,000 (£200 to £700) to unlock their device.

The campaign is reported to have infected millions of computers worldwide across multiple jurisdictions.

Ransom demands were made by Qaiser through a complex process of virtual and crypto-currency money laundering.

For example, one of Qaiser's international accomplices in the US transferred ransom payments onto pre-loaded credit cards in fraudulent identities, withdrew that cash at locations throughout the US, converted it into crypto-currency, and transferred it to Qaiser.

Some online advertising agencies that sold Qaiser the advertising traffic realised what he was doing and tried to stop him. He responded by blackmailing them and their businesses, hitting at least two agencies with DDoS attacks. Qaiser told one company director: "I'll first kill your server, then send child porn spam abuses." These attacks resulted in the companies losing at least £500,000 through lost revenue and mitigation costs.

Qaiser’s offending is thought to have started in at least September 2012 and lasted until he was remanded in custody in December 2018. He was first arrested in July 2014 and was charged in February 2017. Qaiser was subsequently arrested in December 2018 on suspicion of money laundering, whilst on bail for the previous offences.

Qaiser admitted 11 offences, including blackmail, fraud, money laundering and computer misuse, and was jailed at Kingston Crown Court.

Nigel Leary, NCA Senior Investigating Officer, said: "This was one of the most sophisticated, serious and organised cyber-crime groups the National Crime Agency has ever investigated.

"The group owned and operated the Angler Exploit Kit – one of the most successful and closely guarded pieces of malicious software ever developed by the cyber crime community.

"Zain Qaiser was an integral part of this organised crime group generating millions of pounds in ransom payments by blackmailing countless victims and threatening them with bogus police investigations.

"In addition, when Qaiser’s criminal enterprise was frustrated by diligent members of the online advertising community, he retaliated causing misery and hundreds of thousands of pounds in financial losses.

"This was an extremely long-running, complex cyber-crime investigation in which we worked with partners in the US, Canada, Europe and the Crown Prosecution Service. The FBI and the US Secret Service have both arrested people in relation to this global malware campaign.

"The investigation demonstrates that cyber-criminals cannot operate from behind a veil of anonymity, and that the NCA has the tenacity and specialist skills to catch them and bring them to justice. The international law enforcement community will continue to work together to counter the threat of borderless cyber-crime."
