What we all do behind closed doors, is our business, right? This “Aaron Smith” Sextortion Scam suggests otherwise.
Imagine this (or maybe you don’t have to imagine because if you’re a business owner in the triangle area):
You open your inbox, and some guy named Aaron Smith in broken English says something to the effect of,
“Hey, I hacked into your computer while you were on adult website X, I turned on your webcam and recorded you and your screen, and if you don’t pay me $5000, I’m going to post this video on your Facebook feed and show your aunt Martha, your boss’s wife and everyone else in your world.
I have your information, I know your password is Rover050467.”
Yep. This latest scam/internet con/email phishing attack is called “Sextortion” because it’s whole tactic is based around threatening to share what you do in private to all of your peers. This one’s a doozie to say the least.
If you’re not signed up yet – attending our next webinar Tuesday November 13 from 1:00 – 2:00 PM on Cybersecurity: How To Protect Yourself And Your Business From Data Breaches is an absolute must.
Let’s dive into this debacle of a threat so you can learn how to protect yourself from this fantastically embarrassing (and clever!) email phishing attack.
Sextortion Scam: Aaron Smith, The Latest (Most Embarassing) Cybercrime Hacking Technique
Two new research reports are providing details on an ongoing “sextortion” scam in which malicious actors use publicly available lists of breached email addresses and passwords to contact victims and then blackmail them with false claims that they were caught viewing pornographic materials.
Meet Aaron Smith
Researchers have recognized at least two specific scam campaigns, all involving “From:” headers with a variation on the name Aaron Smith.
To date, the operation has already made extortion payments of at least 23.3653711 bitcoins, according to Cisco Systems’ Talos Security Intelligence & Research Group, whose technical leader Jaeson Schultz authored one of the two blog post official statements.
Using Oct. 31, 2018 conversion rates, that’s worth about $147,000.
The Crux Of The Con: Your (Already Compromised) Password
Barracuda Networks, the company behind the second report, explains WHY this email scam is so successful because these threatening emails hinge on referencing your real password.
When you open an email from Aaron Smith saying he knows your password is Buster1234! from your childhood dog and you break out into a sweat – This is the key element which has made this con so successful in tricking you into thinking that your computer was hacked; when in reality it wasn’t.
Wait – So How Did This Aaron Smith Person Get My Password? That’s My Real Password!
Fido123 or whatever your password is was likely lifted from public resources such as the AntiPublic Combo List, which contains hundreds of millions of leaked passwords stolen in various breaches.
Oh okay, so my password was already stolen…What a relief. (Said NO ONE, ever. Here’s a link to our article around what to do if you’ve been hacked.)
A Sextortion Scam Email Might Sound Something (Exactly) Like This:
Jonathan Tanner, senior security researcher from Barracuda explains it here:
“Well, I actually placed a software on the adult video clips (porno) website website and, you know what, you visited this site…” reads one version of the poorly written threat message.
“While you were viewing videos, your browser started out operating as a Remote Desktop with a key logger which gave me accessibility to your display screen and also web cam. Immediately after that, my software gathered your complete contacts from your Messenger, Facebook, as well as email.”
None of this is true.
Nevertheless, the hackers threaten to share an embarrassing video of both you, the victim, and whatever pornographic content you were supposedly viewing (Lord help us) at the time to several of his contacts.
Sextortion Scam Emails Hitting Hard Through Raleigh, Durham, and Charlotte Areas
These emails have hit several business owners here in the Triangle and have been having straight panic attacks as victims read through these emails. “You hacked into my computer, recorded ME AND only God knows what I was watching – and now you’re about to release on my Facebook feed to my great Aunt Patsy and my dentist?!
The email then demands a payment ending in three zeroes, ranging from $1,000 to $7,000 — the exact amount is dynamically generated on a random basis.
We’re inviting business owners all through the triangle area to attend our next Expertise In Business Webinar, focusing specifically on data breaches and cybersecurity and how to protect yourself from email attacks exactly like this one.
The “Aaron Smith” Sextortion Scam Operation: Analytics
The threat launched in July, with the last big push of activity on Oct. 9, when the perpetrators added more people to their list of targets and registered more bitcoin wallet addresses for receiving payments.
Cisco researchers looked at a two-month period from Aug. 30, 2018 to Oct. 26, 2018.
Looking into SpamCop, an email spam recording service, the researchers uncovered 233,236 reported emails sent from 137,606 unique IP addresses involved in the Aaron Smith “sextortion” scam.
“Sextortion” Aaron Smith Scam: Breakdown of where the threats originated:
- Vietnam (15.9%)
- Russia (15.7%)
- India (8.5%)
- Indonesia (4.9%)
- Kazakhstan (4.7%)
Talos speculates Necurs botnet could play a part in the sextortion emails’ distribution, due to the fact that India and Vietnam are known have lots of machines infected by Necurs malware.
Barracuda also separately reports observing approximately 24,000 Aaron Smith emails since September 2018.
The distribution strategy, however, raises some questions. There’s only 15,826 unique victim email addresses actually affected, there appears to be multiple repeat victims. Talos also found that the attackers have generated at least 58,611 unique bitcoin wallet addresses to accept extortion payments, although only 83 had positive balances…So this raises some questions.
Further investigation by Talos was able to link some of the attackers’ bitcoin wallet addresses, Necurs-sending IP infrastructure, and threatening content to additional spam campaigns, suggesting an even larger criminal operation may be in play. One of these campaigns referenced the recipient’s telephone number instead of a password, another was designed to look like a tech support ticket (Oh boy! Tickets are a sensitive subject around here!), and yet another that suggests that recipients have been cheating on their significant others. Another possibly related campaign takes a totally different approach, pretending to be a message from a hit man who’s been hired to kill the recipient, but is willing to forgo the mission in exchange for a payment. Nice.
How Do I Protect Myself From Sextortion Scams?
Well for starters, you could sign up for our webinar on exactly this topic: Cybersecurity: How To Protect Data In Your Business which is right around the corner. Michael DePalma is going to be diving into these exact kind of threats — and how you can set up your email accounts, your back up solutions (that you think are safe), and your internal systems to have the right layers of security in place to block attacks like these.
The best thing to protect your business from phishing sextortion scams? Continuously educating your employees on how to spot a phishing sextortion scam. As we saw in the sad case from a local North Carolina business owner who was liable to triple damages due to an employee falling for a phishing sextortion scam, it only takes 1 click to open up a Pandora’s box of malware and data crawling terrors to crush your data empire.
We hope you found this piece helpful in making sure your business stays secure, you keep your irregular heart palpitations to a minimum due to terrifying emails like these from Aaron Smith, and as always, we’re on the forefront of making sure our clients are protected, educated and aware of the current threats in today’s digital workplace.