What are some common strategies cybercriminals employ in extortion schemes and how can you mitigate the chances of falling victim to a cyber-shakedown?
When it comes to coercing people into parting with their money, cybercriminals seem to have an endless bag of tricks to choose from. There are some tricks that they favor more than others, one of which is extortion. According to the FBI’s latest Internet Crime Report, US victims of extortion lost some US$107.5 million to these crimes last year.
One thing to keep in mind is that blackmailers won’t just stick to one trick but will employ multiple flavors of extortion to try to force their victims into doing their bidding – be it paying them a handsome sum or even performing tasks on their behalf.
Ransomware is by far one of the best-known examples of extortion employed by hackers around the globe, with targets ranging from companies, through governments to individuals. The basic premise is that your device will be infested by ransomware using one of the various tactics hackers employ, such as duping you into clicking on a malicious link found in an email or posted on social media or shared with you through a direct instant message.
After the malware makes its way into your device, it will either encrypt your files and won’t allow you to access them, or it will lock you out of your computer altogether, until you pay the ransom. It is also worth mentioning that some ransomware groups have added a new functionality: a form of doxing wherein they traverse your files looking for sensitive information, which they will threaten to release unless you pay them an additional fee. This could be considered a form of double extortion.
Before wondering whether to pay or not, you should check if a decryption tool has been released for the ransomware strain that has infested your device; also, the answer is: don’t pay. For additional advice on protecting against ransomware attacks, you can check out our excellent, in-depth article Ransomware: Expert advice on how to keep safe and secure.
Hack and extort
The title is pretty much self-explanatory, but to make things abundantly clear, the extortionist will infiltrate your device or online accounts, go through your files looking for any sensitive or valuable data, and steal it. Although it may echo ransomware in some respects, in this case, the breaking-and-entering of your device is done manually and the cybercriminal will have to invest time and resources into doing so. Well, unless your password was part of a large-scale data breach, in which case the effort put in significantly drops. The successfully targeted individual then receives an email in which the criminal tries to coerce the intended victim into paying by threatening to expose this data, listing examples for added effect.
To protect yourself, you should consider encrypting your data and adequately securing all your accounts using a strong passphrase, as well as activating two-factor authentication whenever it is available.
Sextortion is exactly what it sounds like: extortion via some kind of threat of exposure of sexual material about the target. Extortionists who take part in sextortion can go about it in several ways. It can start as an apparent romantic dalliance through a dating platform, until the criminal gains their victim’s trust, convincing them to leave the platform for a regular messaging service. This is done to avoid triggering the security mechanisms dating apps use to detect potential scammers. Once off the dating platform, they will try to coax the target into sharing some risqué or intimate photos or even videos, which will then be used to blackmail the victim. Alternatively, hackers can opt for hacking a victim’s computer and hijacking their webcam to secretly watch and even take salacious snapshots or voyeuristic videos of them; American model and former Miss Teen USA Cassidy Wolf fell victim to such sextortionists.
Sending any kind of risqué photos to anyone is ill-advised. That applies even to someone you trust, since you can’t rule out that their devices or accounts will be compromised and the sensitive photos leaked, or that your current level of trust in them might change or is otherwise misplaced. As for mitigating the chances of being hacked, you should keep your devices patched and up-to-date as well as use a reputable security solution.
While not sextortion per se, scammers also like to engage in scams that consist of bluffing, rather than having any damning evidence, to scare you into paying. The scam isn’t very sophisticated and consists of an email accusing you of visiting a pornographic website, with the fraudsters claiming that they have both a screen-recording of the material you watched and a webcam recording of you while watching it. Unless you want them to release the material, you have to pay up.
One of the ways you can protect yourself is by enabling a spam filter that will make short work of any such spammy and scammy emails. ESET Security Researcher Bruce P. Burrell has dedicated a series of articles to the topic and has some nifty advice on how to spot and deal with these scams.
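To show how a filter can pick out the bluff email described above, here is an added example (not from the original article or any ESET product) that scores a message on the four claims the scam combines. The regexes, the threshold and both sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string

# Signal groups follow the scam described above. The regexes and threshold are
# illustrative assumptions, not rules from any real spam filter.
SIGNALS = {
    "adult_site_accusation": r"\b(porn\w*|adult (web)?sites?)\b",
    "screen_recording_claim": r"\bscreen\b.{0,60}\brecord\w*|\brecord\w*.{0,60}\bscreen\b",
    "webcam_recording_claim": r"\b(web ?cam|camera)\b.{0,80}\b(record\w*|footage|video)\b"
                              r"|\b(record\w*|footage|video)\b.{0,80}\b(web ?cam|camera)\b",
    "pay_or_release_threat": r"\b(pay\w*|transfer|send)\b.{0,200}\b(release|publish|leak)\w*"
                             r"|\b(release|publish|leak)\w*.{0,200}\bpay\w*",
}
THRESHOLD = 3  # assumed: at least three of the four claims must co-occur

def body_text(raw):
    """Return the text/plain parts of a raw message, whitespace collapsed."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for p in parts:
        if p.get_content_type() == "text/plain":
            payload = p.get_payload(decode=True) or b""
            chunks.append(payload.decode(p.get_content_charset() or "utf-8", "replace"))
    return " ".join(" ".join(chunks).split())

def matched_signals(raw):
    """Names of the signal groups found in the message body (headers ignored)."""
    text = body_text(raw)
    return sorted(n for n, rx in SIGNALS.items() if re.search(rx, text, re.I))

def is_bluff_extortion(raw):
    return len(matched_signals(raw)) >= THRESHOLD

# Constructed sample messages (not real mail).
SCAM = """From: anon@example.invalid
Subject: I know what you did

You visited a porn website last week. I recorded your screen and I also
have a video from your webcam. Pay me or I will release both to your contacts.
"""
BENIGN = """From: helpdesk@example.invalid
Subject: Webcam driver update

The new webcam driver fixes video recording glitches. No payment is needed.
"""

for label, raw in (("SCAM", SCAM), ("BENIGN", BENIGN)):
    print(label, is_bluff_extortion(raw), matched_signals(raw))
```

Requiring several claims to co-occur keeps a legitimate message that merely mentions a webcam from being flagged.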
Distributed denial of service attacks (DDoS) against businesses are not uncommon and are often deployed by cybercriminals to cripple their target’s ability to provide services. Often, to boost their illegal income, they offer their services on DDoS-for-hire marketplaces. During these attacks, threat actors employ a large number of machines organized into a botnet to flood a target with requests, which leads to their systems crumbling under the onslaught, effectively taking them offline. Attackers can keep this up for days at a time, which could for some businesses mean hundreds of thousands of dollars lost in revenue. For example, recently a cybercrime collective taking up the guise of notorious hacking groups threatened various organizations with DDoS attacks unless they paid them ransoms ranging from US$57,000 to US$227,000 in Bitcoin.
Setting up a firewall that will block access to all unauthorized IP addresses and registering with a DDoS mitigation service are just some of the steps you can take to protect yourself from DDoS extortion schemes.
There are multiple steps you can take to lower the risks of ending up in the crosshairs of cyber-extortionists. For starters, you should always implement cybersecurity practices both in your work and personal lives, which include some of the advice we already mentioned such as using two-factor authentication and keeping all your devices patched and up to date. You should also avoid recycling passwords – since those are responsible for many account compromises – use strong passwords or passphrases, and avoid oversharing information that could be used against you.
written by Amer Owaida, ESET We Live Security