Businesses warned to prepare for cyber security extortion campaigns

Directors, lawyers and doctors are the top extortion targets of cyber criminals, researchers tracking  sextortion attempts reveals.

Directors, lawyers and doctors are the top extortion targets of cyber criminals, researchers tracking  sextortion attempts reveals.

Cyber criminal groups are promising rewards of £276,300 a year on average to accomplices who help them target high-worth individuals with extortion scams research reports.

The reward promises are even higher for accomplices with network management, penetration testing and programming skills, according to researchers at risk protection firm Digital Shadows.

One threat actor, the report said, was offering £600,000 a year, with add-ons and a final salary after the second year of £840,000.

The main method of cyber security extortion where criminals deem potential victims to be particularly vulnerable is so-called “sextortion”.

Digital Shadows tracked a sample of sextortion campaigns and found that from July 2018 to February 2019 over 89,000 unique recipients faced around 792,000 extortion attempts.

An analysis of bitcoin wallets associated with these scams found that sextortionists could be reaping an average of £414 per victim.

The campaigns follow a similar pattern, the researcher found, in which the extortionist provides the target with a known password as “proof” of compromise, then claims to have video footage of the victim watching adult content online, and finally urges them to pay a ransom to a specified bitcoin address.

However, the researchers said other campaigns can be even more sinister, with one spam campaign from December 2018 claiming that recipients will be “killed” if they did not pay.

Extortion is in part being fuelled by the number of ready made extortion materials readily available on criminal forums, the researchers said, adding that these are lowering the barriers to entry for wannabe criminals with sensitive corporate documents, intellectual property and extortion manuals being sold on by more experienced criminals to service aspiring extortionists for less than £10.

In one example, seen by Digital Shadows, the guide specifically focuses on a sextortion tactic whereby the threat actor begins an online relationship with a married man and then threatens to reveal details of the affair to his partner unless a ransom is paid.

The guide claims this extortion method is the easiest for “novice”’ threat actors to start with, suggesting they could earn between £230 and £380 per extortion attempt. Dedicated subsections exist on criminal forums for this type of dating scam.

Even greater levels of sophistication could be around the corner, the researchers warn, if so-called “crowd-funding” schemes take off.

In April 2018, threat actor “thedarkoverlord” stole documents belonging to the insurance provider, Hiscox, including files related to the 9/11 attacks in the US. The threat actor hoped to play on the public’s appetite for 9/11-related controversy and encourages people to raise funds to view the documents. Currently this campaign has amassed around £8,904.

Crowdfunding models such as this, the researchers said, allow extortionists to raise funds from the general public rather than relying on victims giving in to ransom demands. Organisations dealing with inflammatory or sensational information should therefore consider how they would respond if an attacker opts for this course of action, they said.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139