‘Sextortion’ and the dark side of the web: Beazley Breach Response

Beazley Breach Insights, February 2019

New York, NY (Feb. 21, 2019) – Opportunistic cyber criminals are engaging in a new, darker strain of email compromise by attempting to bribe recipients into paying crypto-currency ransoms using so-called ‘sextortion’ tactics.

A typical case of sextortion investigated by Beazley Breach Response (BBR) Services involves an email from someone claiming to have accessed the recipient’s work computer and found the addresses of pornographic websites they have viewed. The sender says they have simultaneously recorded footage of the recipient as they watched these sites using their webcam, and threatens to share the files with their email contacts if demands are not met.The emails often contain a link or zip file they claim contains evidence of the internet or webcam activity, or to a website to pay the crypto-currency ransom. If clicked on, the link may in fact spread malware that can steal information and install GandCrab, a common ransomware used by hackers to lock-up the computer until the ransom is paid.

In the cases seen by BBR Services, assertions that the sender has compromising information have proved to be hoaxes. There is no sign yet that the targets of sextortion are anything other than random and it often turns out that no data has been compromised.

However, a small number of emails sent out to thousands of recipients may indeed hit home. If these individuals did engage in inappropriate behavior on their work computer, they could be vulnerable to extortion. When the first trickle of sextortion claims were reported to BBR Services in the summer of 2018, they took the form of spam campaigns aimed at credit unions, but since then, policyholders from various industries have been hit.

In the fourth quarter of 2018, BBR Services was notified of these cases by several policyholders involving demands for crypto-currency worth hundreds or thousands of dollars. To increase the authenticity of the demand, in some cases, the threatening email will include an old or current password linked to the recipient’s email address. Such information is often obtained via the dark web where hackers dump and sell user credentials that have been compromised in earlier data breaches.

Messages containing the recipient’s password potentially pose a larger security concern for businesses, especially as passwords are often recycled or only slightly changed by users. The issue can be further complicated if the email appears to come from another email address within the same organization. This can indicate a wider problem than a single, apparently random, phishing attempt. BBR Services has also seen advanced spoofing in connection with sextortion, where the email appears to be from the victim’s own email account and it takes some investigation to determine whether or not the account was actually compromised.

It remains extremely important to scrutinize the source of any such email and to ensure that practical measures are being taken by employees to prevent an incident escalating into a wider issue. At an organizational level, businesses should ensure their domains are locked down to make it harder for external users to spoof domains under their control.

As with any cyber incident, if an employee reports receiving one of these emails, organizations should notify BBR Services and take sensible precautions to protect themselves. These include:

  • Warning employees about this risk, mindful some may be reluctant to report it because of the potentially embarrassing nature of the threat
  • Resetting an employee’s password to minimize any risks from password recycling
  • Enforcing strong password policies and educating employees about the risks of recycling passwords for different applications
  • Setting up a multi-factor authentication process for remote access to email and other applications
  • Regular employee training on how to identify phishing.

Causes of incidents, 2018

Cyber criminals targeted businesses of all sizes across industries in 2018. All sectors saw in increase in hack or malware incidents, largely owing to the 133% increase in business email compromises (BEC). Incidents of unintended disclosure fell across industries, likely due to the increase in hack or malware. Insider-led incidents were either stable or marginally higher in 2018 compared to the previous year.

Healthcare incidents, 2018

At 41%, healthcare entities reported the highest number of incidents of any sector. The most significant related to hack or malware and unintended disclosure – both accounting for 31% of overall reported healthcare incidents. This compares to 20% and 43% respectively in 2017. As with other industries, the increase in hack or malware and decrease in unintended disclosure is directly related to the massive increase in BEC incidents.

For further details, including addition charts and a case study write-up, please visit Beazley’s breach insights – February 2019.

About Beazley’s BBR Services Team

Beazley has managed thousands of data breaches since the launch of Beazley Breach Response in 2009 and is the only insurer with a dedicated in-house team focusing exclusively on helping clients handle data breaches.

The BBR Services team works directly with BBR insureds during all aspects of incident investigation and breach response and coordinates the expert services that BBR insureds need to satisfy legal requirements and maintain customer confidence. In addition to coordinating data breach response, BBR Services maintains and develops Beazley’s suite of risk management services, designed to minimize the risk of a data breach occurring.

About Beazley

Beazley plc (BEZ.L), is the parent company of specialist insurance businesses with operations in Europe, the United States, Canada, Latin America and Asia. Beazley manages seven Lloyd’s syndicates and, in 2017, underwrote gross premiums worldwide of $2,343.8 million. All Lloyd’s syndicates are rated A by A.M. Best. For more information, visit www.beazley.com.

SOURCE: Beazley

Tags: ,