Earlier this week, Cofense, a National Cyber Security Alliance (NCSA) board member company, announced it had published a database of more than 200 million compromised email accounts targeted by sextortion scams.
The scams involve emails sent via a large “for rent” botnet Cofense discovered in June. The company is sharing the database to help people and employers avoid becoming victims. To learn more about sextortion and the botnet discovery, NCSA spoke with Tonia Dudley, Director, Security Solution Advisor at Cofense and NCSA board member.
- What is sextortion and how does it work?
Sextortion encompasses a broad range of cybercrimes involving non-physical forms of coercion. Typically, sextortion means the threatened release of sexual images or information to extort cryptocurrency. Typically, a victim receives an email from a cybercriminal who threatens to send purported compromising information – such as sexual pictures or videos – to friends and family unless the victim agrees to pay a bitcoin ransom. What makes the email especially believable is that to prove their legitimacy, “sextortionists” begin by showing you a password you once used or currently use.
- What is a botnet and how is the scam distributed?
The term “bot” is short for using the term “robot,” connected to the “net” as in “network.” A botnet is a network of computers infected with software that will wait for instructions from whoever is controlling it. This allows an attacker to control a large number of computers. The good news is we know that this botnet IS NOT infecting computers to acquire new data sets. It’s just recycling email addresses acquired through various means over time.
- Why was it important to publish the list of compromised accounts?
We wanted to help victims avoid the anxiety of trying to figure out whether to pay the requested bitcoin ransom. In the first half of 2019 alone, Cofense Labs, our newly formalized R&D arm, analyzed over 7 million sextortion-related emails. That’s a lot of people potentially impacted by sextortion. The botnet we’ve been monitoring is a “for rent” botnet used expressly for sextortion. If the botnet ingests new email addresses, we can see them and add to the database. We are also monitoring the botnet’s activity to see what malware it is using. We are looking at any new pieces of malware it might be using on a daily basis.
- What should individuals and businesses do if their email accounts are among the 200 million that are compromised?
As an individual, if your email address shows up on the list but you haven’t received a sextortion email, be on the lookout! The sextortionist may well contact you. Don’t be alarmed by the threat in the email. Alarm and panic is precisely the reaction the attacker is hoping for with threats of public shaming if you don’t respond. Sextortion emails normally don’t have common phishing elements like a malicious link or attachment. However, if you see either, don’t click. Just delete the message. For businesses, we recommend you take certain actions, whether your domains are listed or not. We’re always adding more email addresses as the threat evolves.
- Monitor your domains via the cofense.com/sextortion/ website. If the database currently displays no results, you should continue to check back periodically. These attacks are ongoing and dynamic so the results are subject to change
- Create gateway filters to block key terms used in sextortion emails. Stay current on messages being used since attackers will regularly implement new messages. It’s the typical cat and mouse chase
- Write YARA rules to scan your mail servers, looking for Indicators of Compromise (IOCs) related to these campaigns
- Keep in mind that many sextortion emails, like Business Email Compromise (BEC) campaigns, don’t include a link or attachment – they’re just looking for a response they can exploit
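The gateway-filter and YARA-rule steps above, as an added example that is not Cofense's code: a small Python prefilter that scores a message body on the indicator families described in the interview (a leaked-password hook, a shaming threat, a bitcoin demand, a deadline, an extractable wallet address) and only flags a message when several families co-occur, so a routine password-reset notice is not caught. The keyword patterns, the fake wallet address and both sample messages are constructed assumptions, not real lures or indicators.

```python
"""Gateway-style prefilter for sextortion lure emails (added example)."""
import re

# Indicator families. One family alone never flags a message; lures are
# recognised by the co-occurrence of hook + threat + payment demand.
# These patterns are illustrative and must be refreshed as lure text changes.
INDICATORS = {
    "password_hook": re.compile(r"\b(your|ur) (old |current )?password\b", re.I),
    "shaming_threat": re.compile(
        r"\b(webcam|adult (site|video)|your contacts|friends and family)\b", re.I),
    "ransom_demand": re.compile(r"\b(bitcoin|btc)\b", re.I),
    "deadline": re.compile(r"\b(24|48|72)\s*hours\b", re.I),
}

# Bitcoin address shapes (legacy base58 and bech32). A wallet address is a
# useful IOC to pivot on, but it is treated as one family, not a verdict.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def extract_btc_addresses(body: str) -> list:
    """Return every wallet-shaped token in the body (for IOC sharing)."""
    return BTC_ADDRESS.findall(body)


def score_message(body: str, min_families: int = 3) -> dict:
    """Score one message body; flagged only when >= min_families families hit."""
    hits = {name: bool(rx.search(body)) for name, rx in INDICATORS.items()}
    addresses = extract_btc_addresses(body)
    hits["btc_address"] = bool(addresses)
    families = sum(hits.values())
    return {"hits": hits, "btc_addresses": addresses, "flagged": families >= min_families}


# Constructed sample messages (not real lures). The wallet address is fake.
FAKE_BTC = "1FakeAddr" + "X" * 25
LURE = (
    "I know your password is hunter2 (constructed sample).\n"
    "I recorded you on your webcam while you visited an adult site.\n"
    f"Send 500 USD in bitcoin to {FAKE_BTC} within 48 hours\n"
    "or the video goes to your contacts and friends and family."
)
RESET_NOTICE = (
    "Someone requested a reset of your password.\n"
    "If this was you, use the link within 24 hours; otherwise ignore this email."
)

if __name__ == "__main__":
    for label, body in (("lure", LURE), ("reset", RESET_NOTICE)):
        print(label, score_message(body))
```

The reset notice trips two families (password hook and deadline) yet stays below the threshold, which is the false-positive case a single-keyword gateway filter would get wrong.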
- What should users do if they receive a sextortion email?
Whether or not you’re on the list, we always recommend the same actions. Threat actors will use the data available to them to target users with phishing emails for this type of campaign or to gain access to accounts.
- How can users avoid being exposed to sextortion?
Unfortunately, there isn’t anything individuals can do to prevent being exposed, which is why we always recommend using unique usernames and passwords for each of your websites or the apps you download to your mobile device. These types of campaigns are leveraging already exposed lists from previous data breaches. When you receive an email that your account was included in a breach, immediately take action to change your password and implement multi-factor authentication when it’s available.
Tonia Dudley is Director, Security Solution Advisor at Cofense and NCSA board member. In this role, she focuses on phishing defense advocacy while demonstrating how Cofense solutions help organizations across the globe minimize the impact of attacks while reducing the cost of operations.