Sextortion scams have been very popular with cybercriminals during 2018. A well written email and an email list are all that is needed for this to be successful. The latter can easily be bought almost nothing via darknet marketplaces and hacking forums. No expertise is required to run sextortion scams and as scammers’ Bitcoin wallets show, they are successful.
Many sextortion scams threaten to reveal a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have increased credibility by claiming to have users’ passwords. However, new sextortion scams have been discovered in the past few days that are using a different tactic to get users to pay the ransome.
The email template used in this scam is very like those in other recent sextortion scams. The scammers say that they have a video of the victim viewing adult content. The footage was captured through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.
In the new campaign the email includes the user’s email account in the copy of the email, a password (most likely an old password accessed in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see what will soon be distributed via email and social media networks.
VIsiting the link in the video will trigger the downloading of a zip file. The compressed file includes a document including the text of the email along with the supposed video file. That video file is really an information stealer – the Azorult Trojan.
This sort of the scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will see know what it is: A mass email including an empty threat. However, the inclusion of a link to download a video could lead to many individuals download the file to find out if the threat is authentic .
If the zip file is downloaded and opened and the Azorult Trojan executed, it will quietly gather information from the user’s computer – similar information to what the hacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.
However, it doesn’t stop there. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital photos, databases, music, videos, and more. Recovery will depend on those files having been backed up somewhere else and not also encrypted by the ransomware. Aside from permanent file loss, the only other option will be to pay a sizeable ransom to decrypt the hacked files.
If the email was sent to a company email account, or a personal email account that was logged onto at work, files on the victim’s work computer will be encrypted. As a record of the original email will have been extracted on the device, the reason why the malware was downloaded will be made clear to the IT department.
The key to not being tricked is to ignore any threats sent using the email and never click links in the emails nor open unexpected email attachments.
Companies can tackle the threat by using cybersecurity solutions such as spam filters and web filters. The former stops the emails from being sent while the latter blocks access to sites that host malware.