A recent analysis of spear phishing attacks targeted at Barracuda customers found that 1 in 10 were blackmail or sextortion attacks. In fact, employees are twice as likely to be targeted in a sextortion scam than a business email compromise attack.
Sextortion scams are under-reported due to the intentionally embarrassing and sensitive nature of the threats. IT teams are often unaware of these attacks because employees don’t report the emails, regardless of whether they pay the ransom.
Barracuda’s research identifies education as the industry most frequently targeted by sextortion and blackmail, making up the majority of attacks. Government employees are the second largest targets of sextortion. Business services organizations were the third-most-targeted industry.
The overwhelming focus on education is a calculated move by attackers. Educational organizations usually have a lot of users, some with a very diverse and young user base that may be less informed about security awareness and that may be less aware of where to seek help and advice. Given their lack of training and experience with the nature of these types of threats, students and young people can be more likely to fall victim in these attack scenarios.
We recently saw a rise in these that included real passwords of employees. We were wondering how they were getting the passwords (although they were real passwords, they were older passwords and not new ones). Then I heard on a podcast (Social-engineer.org) that these hackers were buying password dumps and trying to convince the users that they had hacked their accounts by presenting a real password, thereby giving some credence to the rest of the fake phish (that they had hacked the machine, were capturing all passwords since the one they provided, installed some video capture software that captured them going to XXX websites and then made a video that they would send to their contacts if an amount under $1000 was not deposited in their bitcoin wallet by the next day).
Have you seen ACTUAL sextortion or just implied sextortion? I am curious to know if they are getting better or just sending fake phishes.
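A defender's view of the pattern CISOScott describes, as an added example that is not from this thread or from Barracuda: a small Python triage script that scores a reported message on the scam's tell-tale indicators (a quoted password already known from a public breach, webcam/video and adult-site claims, a Bitcoin address, a dollar amount and a deadline) and only flags it when a payment or "proof" anchor appears alongside the other claims. The breached-password set and both sample messages are constructed for the example.

```python
import re

# Indicators taken from the scam pattern described in the thread: a real but
# old password quoted as "proof", claims of webcam capture on adult sites, a
# Bitcoin wallet, a sub-$1000 demand and a short deadline.
BTC_ADDR = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
CLAIMS = {
    "webcam/video claim": re.compile(r"\b(webcam|video|recording|camera)\b", re.I),
    "adult-site claim": re.compile(r"\b(adult|porn\w*|xxx)\b", re.I),
    "deadline": re.compile(r"\b(\d+|one|two)\s+(hours?|days?)\b", re.I),
    "ransom amount": re.compile(r"\$\s?\d{2,5}\b"),
}

def score_sextortion(body, known_breached_passwords):
    """Return (score, hit_names) for one message body.

    known_breached_passwords: passwords for this recipient that appear in
    public dumps (e.g. what Have I Been Pwned reports); constructed here.
    """
    hits = [name for name, rx in CLAIMS.items() if rx.search(body)]
    if BTC_ADDR.search(body):
        hits.append("bitcoin address")
    # Strongest signal: the attacker quotes a password from an old dump.
    # Only passwords of 6+ chars are matched to avoid accidental substring hits.
    if any(len(pw) >= 6 and pw in body for pw in known_breached_passwords):
        hits.append("breached password quoted")
    return len(hits), hits

def is_likely_sextortion(body, known_breached_passwords):
    """Flag only when a payment/proof anchor is present alongside other claims,
    so a legitimate invoice with a deadline and a video link is not flagged."""
    score, hits = score_sextortion(body, known_breached_passwords)
    anchor = "bitcoin address" in hits or "breached password quoted" in hits
    return anchor and score >= 3

# Constructed sample messages (not real emails).
SAMPLE_SCAM = """I know your password is hunter2. I put software on the adult
website you visited and recorded a video through your webcam. Pay $900 to
1ConstructedSampBTCAddrXYZ2345abcd within 24 hours or the recording goes to
all of your contacts."""
SAMPLE_BENIGN = """Hi, the video recording of yesterday's webinar is attached.
The $900 training invoice should be approved within 2 days. Thanks!"""

if __name__ == "__main__":
    for label, msg in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        flagged = is_likely_sextortion(msg, {"hunter2"})
        print(label, flagged, score_sextortion(msg, {"hunter2"})[1])
```

In practice the breached-password set comes from the recipient's own reset history or a breach-notification service, and a flagged message should be routed to IT with the quoted password redacted so the employee is not embarrassed into silence.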
> CISOScott (Advocate I) posted a new reply in Industry News on 03-04-2019 01:12
> Have you seen ACTUAL sextortion or just implied sextortion? I am curious to
> know if they are getting better or just sending fake phishes.
So far, the ones I've seen are not only fake sextortion, but only implied passwords, as well. (I'm feeling left out. They don't even think I'm worth putting some effort into the fraud ...)
We've seen a lot of these messages too. A useful article, which I've circulated around the business for awareness, can be found on the Business Insider website, by using this Google search term "new-email-scam-uses-old-password-fake". (I can't copy the link because it doesn't like the 'P' word).
A number of our employees have approached me, worried about their passwords being presented to them in the mail. It's been a good opportunity to discuss the rules around not using the same passwords for different sites, not using the same passwords at home and at work, and using a password manager if possible. We've also talked about the Have I Been Pwned site, which reinforces the message.
I have noticed that when we have employees get this at work and then I go to the "HaveIBeenPwned" website, yep, their email address was involved in a previous breach.
For those of you that don't know this, the website mentioned above is great for checking if someone's email address has been involved in a PUBLICLY known and distributed breach. You can also sign up for domain notices so that when one of your company's email addresses shows up in a breach you will be notified.
I have been notified of about 10 breaches this year that involved some of my employees. This helped me show/prove that employees were using their company email address for things like MyHeritage, MyFitnessPal, etc. I then speak with them and their management about proper use of company email accounts.