Researchers at the email cybersecurity firm Mimecast have identified a brand new sextortion campaign that is somewhat unconventional: unlike typical sextortion scams, it targets Google Nest home security camera owners and exploits the common perception that IoT devices are generally unsecured.
Mimecast detected the campaign in the first half of January 2020 and reports that the majority of its victims are based in the USA. Footage that the Nest cameras capture is used to blackmail the victim, and after demanding a ransom the scammers force the victim to access different email accounts and URLs to get further instructions.
Don’t fall for this Google Nest sextortion scam
Although sextortion scams are not new, they have evolved drastically in the past few years. Historically, victims of such scams were usually young women, typically targeted by someone they dated in real life or met online and who was in possession of private or sexual images of them. More recently, criminals started targeting teens and children and coercing them to send explicit images of themselves, which are traded by criminals. Additionally, there are also sextortion emails sent to private individuals, who have never had any prior contact with their perpetrator. Most ask for payment in cryptocurrency, usually bitcoin. This is a convenient payment option for cybercriminals because bitcoin, as virtual money, has little or no legal regulation across different countries. This makes it a perfect choice for criminal activities.
These threats are specifically designed to evoke fear, which is a powerful primal drive that can severely compromise rational thinking and careful decision making. Additionally, some people experience fear more intensely than others and will therefore be more fear-averse, wanting to comply to make it go away quickly. People who are fear-averse will be particularly vulnerable to this type of scam.
Many scammers rely on social norms to execute scams. We shape our behavior according to societal norms; therefore, a potential victim may feel that society would judge their conduct if this got out, and they pay the ransom to avoid shame and humiliation.
Many people think they would never fall for something like this, but realistically, many people succumb to such phishing attacks because the story sounds plausible to them. They also often have no way of checking whether the explanation given to them by the scammer is credible. The fear does the rest, leading to irrational decisions fueled by shame.
Authorities and cybersecurity experts have issued a fresh warning about the so-called sextortion scam that is making a comeback with new variations. Webcam porn scams have been on the rise for more than a year now, but people are still falling into the trap.
The Hook
The most unnerving part of this email is that it references an actual piece of information about you, such as a password you currently use, a password you have used, or even a license plate number. That seems to give the perpetrators some credibility, but don't fall for it. In reality, the scammers have gained a list of usernames, passwords, and other personal details that were compromised in a website data breach, and they've now created a script based on that information.
The Scam
This type of scam is called sextortion, a serious crime that occurs when someone threatens to distribute your private and sensitive material if you don't provide them sexual favours, images of a sexual nature, or money.
Fortunately, the scammers behind this sextortion attempt do not actually have any private or sensitive material to threaten you with. As alarming as this email seems, it's still a phishing attempt, and recipients should not reply to it or give in to the scammers' demands.
Tens of thousands of Americans fall victim to online romance-related scams each year, according to the Federal Trade Commission. In 2018, more than 21,000 romance scams were reported to the FTC, up from 8,500 in 2015. People targeted by these scams reported a median loss of $2,600, or a collective loss of $143 million in 2018.
Almost every week, I get contacted by readers who have received an email from a hacker who not only claims to have access to their computer but has the password to prove it. These online extortion scams have surged during the COVID-19 pandemic, and scams are precisely what they are, coming in many flavors. Perhaps the most common is the sextortion email that demands money to prevent compromising sexual material being sent to friends, family and work colleagues. The perpetrator will suggest that they are a successful hacker who has not only gained access to your computer but installed malware to record your activity, including taking control of your webcam. What's more, to validate their hacking credentials, they will present you with a username and password that you will likely recognize as being one that you use. This is the point at which the recipient panics and sends me an email asking what they can do. I'll share the answer here, so if you experience this, you can skip sending me an email.
The hacker will likely have got this by merely searching any of the numerous data breach databases available on criminal forums. Please go take a look at the excellent Have I Been Pwned service where you can search across multiple data breaches to see where your email and passwords have been compromised and exposed. Your panic is a knee-jerk reaction, a gut-wrenching one that the scammer is relying on to make you throw common sense out of the window and do whatever it is they ask. Which brings me to the next thing to do.
ITS is aware of an influx of sextortion scam emails received by members of the Middlebury community. These are indeed scams, identified as such by online security sources (see below) and making the rounds on the Internet once again. Recent samples have been personalized with older passwords stolen from breaches of third-party websites, such as LinkedIn, Adobe, etc.
The best way to protect yourself from falling victim to this scam is by understanding how and why people fall for them. The following are a few examples of the types of sextortion cases that have occurred, according to the FBI.
One of the fastest-growing forms of sextortion is email phishing scams. According to Symantec, from January through May of 2019, Symantec blocked almost 289 million of these emails from landing in the email inboxes of potential victims.
Some of the previous sextortion scams Trend Micro researchers saw also employed techniques to avoid being tagged as spam, such as using misleading subject lines, obfuscating the content (by adding characters) or sending it as an image.
Joe Carrigan: [00:01:38] Dave, this week, I found a really interesting article from Sophos. What Sophos did was they worked with a company called CipherTrace to track sextortion emails from September 1 of last year to January 31 of this year, 2020. And what CipherTrace does is they are a cryptocurrency tracking company. Their mission is to help banks with anti-money laundering operations because one of the big fears is that cryptocurrency can be used as money laundering. But CipherTrace takes a look at the blockchain. And actually, one of the drawbacks of cryptocurrencies like Bitcoin is that it is a public ledger. So everybody can see where everything goes on the bitcoin blockchain. And CipherTrace capitalizes on that and helps banks make sure they're not helping criminals launder money.
Joe Carrigan: [00:02:23] Sophos was tracking a - this sextortion scam. This is the scam where somebody says, hey, I got video of you while you were looking at this illicit site here, you know, and I've got some video of you doing some unsavory activities. And, oh, you have some weird tastes, they'll say.
Joe Carrigan: [00:02:47] But these messages were so prolific that, at points in time during this campaign, from September to January, they were making up 4% to 20% of all spam traffic on the internet, right? It would range and it would peak in the percentage of spam traffic. And they have some great graphs in the article that you should go look at, and you can see how these spikes happen over time, and you can see when these scammers are sending out emails. Now, these emails themselves were actually very well-crafted to get by the spam filters. They did things like breaking up words with invisible random strings because a lot of email is done over HTML now. Almost all email is done with some kind of HTML.
Joe Carrigan: [00:04:51] This is a lot of money, right? These addresses would only be used briefly, about a 2.6-day average for a bitcoin address. So they were creating addresses and then deleting addresses or creating addresses and then not using them again. The article says that, as far as scams go and cyber operations go, malicious criminal cyber operations, this is a small payout of $473,000. But I don't take that stance. I agree with what you just said.
Joe Carrigan: [00:05:49] Now, on Twitter yesterday - and this is just anecdotal - but I noticed that there were a lot more of these sextortion emails going around. I was looking for the Catch of the Day and I see, like, sextortion email after sextortion email tweet yesterday, and they're all from yesterday. And I'm sitting there thinking to myself, did somebody else read this article and go, huh, those guys made half a million dollars.
Dave Bittner: [00:11:11] But, again, this person being savvy, being someone who actually knows a thing or two about security, logged on to his online bank account ledger and found that, sure enough, there were some small charges that were on his card that he had not done - withdrawals from his debit card, under a hundred bucks each. But there were also a couple of withdrawals - a few hundred dollars - from an ATM in Florida. Now, one of the things that this person thought was that if this was someone who was trying to commit fraud, they would likely ask for personal information, and the person on the phone did not ask for any personal information. This person just said that the bank was going to reverse the charges and they would be sending a new debit card via express mail. And so this - the person who was being scammed thanked the customer service person on the other line and hung up.
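As an added defender-side example, not code from Sophos or the podcast, here is how a mail filter can undo the word-splitting trick Joe Carrigan describes above (keywords broken up with hidden HTML spans and zero-width characters) by normalizing the body before keyword matching; the HTML sample and the keyword list are constructed for illustration.

```python
import html
import re
import unicodedata

# Constructed sample in the style described: "video", "address" and
# "bitcoin" are split by hidden spans and zero-width characters so a
# naive keyword filter sees none of them.
SAMPLE_HTML = (
    "<p>I have a vid<span style=\"display:none\">xq9</span>eo of you. "
    "Send 0.5 bit\u200bcoin to this add<span style='font-size:0'>zz</span>ress "
    "within 48 ho\u200curs.</p>"
)

# Spans whose inline style makes their content invisible to the reader.
HIDDEN_SPAN = re.compile(
    r"<span[^>]*(?:display\s*:\s*none|font-size\s*:\s*0|visibility\s*:\s*hidden)"
    r"[^>]*>.*?</span>",
    re.IGNORECASE | re.DOTALL,
)
TAG = re.compile(r"<[^>]+>")
# Illustrative keyword list (constructed), not a production rule set.
KEYWORDS = ("video", "bitcoin", "webcam", "address", "hours")


def normalize_html(body: str) -> str:
    """Return what the recipient would actually read, lower-cased."""
    text = HIDDEN_SPAN.sub("", body)          # drop invisible filler spans
    text = TAG.sub("", text)                  # drop remaining markup
    text = html.unescape(text)                # &amp; etc. -> characters
    # Unicode category Cf covers zero-width space/joiner, soft hyphen, ...
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return text.lower()


def keyword_hits(text: str) -> list:
    return [k for k in KEYWORDS if k in text]


def classify(body: str) -> dict:
    """Flag bodies whose keyword count rises once obfuscation is removed."""
    raw_hits = keyword_hits(body.lower())
    norm_hits = keyword_hits(normalize_html(body))
    obfuscated = len(norm_hits) > len(raw_hits)   # evasion evidence
    return {
        "keywords": norm_hits,
        "obfuscated": obfuscated,
        "suspicious": obfuscated and len(norm_hits) >= 2,
    }
```

A benign HTML mail that merely contains "video" trips neither the obfuscation check nor the two-keyword threshold, which is what keeps the rule from flagging ordinary mail.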