Canadian Underwriter

The new, darker social engineering threat

February 28, 2019   by Jason Contant


Need another reason to convince your clients to take a look at cyber insurance?

One good starting point is keeping them informed on the latest cyber threats. One such risk is a new, darker strain of social engineering called “sextortion” that is emerging as an email threat for businesses. It involves cyber criminals attempting to blackmail recipients online into paying cryptocurrency ransoms.

Sextortion involves an email from a cyber criminal claiming to have accessed the recipient’s work computer, where they found addresses of pornographic websites the employee has viewed, specialist insurer Beazley said in its February Beazley Breach Insights report, released last week. The sender then says they have simultaneously recorded footage through the computer’s webcam of the recipient watching these sites and threatens to share the recordings with their email contacts if their demands are not met.

The emails often contain a link or zip file that the sender claims holds evidence of the browsing or webcam activity, or a link to a website where the cryptocurrency ransom can be paid. If clicked, the link can deliver malware that steals information and installs GandCrab, a common ransomware used by hackers to lock up the computer until the ransom is paid.

“In the cases seen by [Beazley Breach Response] Services, assertions that the sender has compromising information have proven to be hoaxes,” the report said. “There is no sign yet that the targets of sextortion are anything other than random and it often turns out that no data has been compromised.”

However, a small number of emails sent out to thousands of recipients may indeed hit home, Beazley warned. “If these individuals did engage in inappropriate behaviour on their work computer, they could be vulnerable to extortion.”

In the fourth quarter of 2018, several policyholders notified BBR Services of such cases, involving demands for cryptocurrency worth hundreds or thousands of dollars. To make the demand look more credible, the threatening email will in some cases include an old password linked to the recipient’s email address. Such information is often obtained via the dark web, where hackers dump and sell user credentials compromised in earlier data breaches.
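As an added example (not from the Beazley report or this article), the following Python heuristic scores an incoming message against the elements of the lure described above: the webcam claim, the adult-site claim, the threat to contacts, the cryptocurrency demand, the recycled password and the link or zip attachment. The two sample messages, the password placeholder and the threshold are constructed for illustration; a mail gateway would tune the threshold against its own traffic.

```python
import re

# One regex per element of the sextortion lure. A message that combines several
# of them is far more likely to be an extortion attempt than one that mentions a
# single element on its own (e.g. a legitimate IT password-expiry notice).
INDICATORS = {
    "webcam_claim": re.compile(
        r"\b(webcam|web cam|camera)\b.*\b(record|video|footage)", re.I | re.S),
    "adult_site_claim": re.compile(
        r"\b(porn\w*|adult (?:sites?|websites?|content))\b", re.I),
    "threat_to_contacts": re.compile(
        r"\b(send|share|forward)\b.{0,60}\b(contacts|friends|family|colleagues)\b",
        re.I | re.S),
    "crypto_ransom": re.compile(r"\b(bitcoin|btc|cryptocurrenc\w*|wallet)\b", re.I),
    "old_password_leverage": re.compile(r"\byour passwords?\b", re.I),
    "payload_lure": re.compile(r"\.zip\b|https?://\S+", re.I),
}

SCORE_THRESHOLD = 4  # assumed tuning value, not a figure from the report


def score_message(subject: str, body: str) -> dict:
    """Count which lure elements appear in a message and flag it above the threshold."""
    text = f"{subject}\n{body}"
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {
        "score": len(hits),
        "hits": hits,
        "suspected_sextortion": len(hits) >= SCORE_THRESHOLD,
    }


# Constructed samples: "hunter2" is a placeholder, not a real leaked credential.
SEXTORTION_SAMPLE = (
    "Your account was hacked",
    "I know one of your passwords: hunter2. I installed software on your work "
    "computer and recorded you through your webcam while you visited adult "
    "websites. I will send the video to all of your contacts unless you pay "
    "$900 in bitcoin to my wallet within 48 hours. Proof is in evidence.zip.",
)
BENIGN_SAMPLE = (
    "Password expiry notice",
    "Your password will expire in 3 days. Reset it at https://example.internal/reset",
)

if __name__ == "__main__":
    for sample in (SEXTORTION_SAMPLE, BENIGN_SAMPLE):
        print(sample[0], "->", score_message(*sample))
```

The benign notice still trips the password and link indicators, which is why a single element must never be enough to quarantine a message.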

In one case in the United States, a Midwestern municipality was the victim of sextortion and had GandCrab ransomware installed on a work computer. The ransom note demanded approximately $5,000 in bitcoin. “Fortunately, the municipality was able to recover from recent backups, so it did not need to pay the ransom, and only lost a few days of non-critical data,” the report said. “After a thorough investigation, there was no evidence of access or exfiltration of sensitive personal information, and counsel was able to determine that there was no breach and notification was not required.”

More broadly, business email compromises handled by BBR Services have increased 133% in the U.S. compared to last year. Hack or malware accounted for 47% of incidents by cause, followed by accidental disclosure at 20%.

The financial services sector accounted for 20% of incidents reported to BBR Services. Nearly six in 10 (59%) of those were hack or malware, up 7% from 2017. Unintended disclosure fell by the largest margin, from 23% in 2017 to 15% last year.