Fake kidnap scams: from a prison cell in Mexico to the boardroom of a top firm?
Once seen as a low-tech scam run by jailed Mexican cartel members using social engineering techniques to cold-call victims, virtual kidnappings have become more widespread over the past few years. What’s more, as bogus abductions also become more convincing thanks to innovations such as deepfake technology, analysts believe this insidious breed of threat actor could soon be hunting bigger game.
“I left work to go and pick up my daughter. On the road, I received a phone call from a local number. I answered to a woman, hysterical and in panic, crying. A man took the phone and told me that my fiancée was in the back of his truck, kidnapped. He was a drug dealer, and she was witness to his drug deal. He tells me that he wants to give me a chance to help her. With the screams of a woman in the background, I tell him I’ll do whatever it takes. He tells me he lost $10K in the deal she intervened in, and he needs compensation. I’m not to hang up, text, or call anyone. No cops or she’s dead.”
So goes the recent story from a man claiming to be a victim of a virtual kidnapping scam, cited by infosecurity professional and cybercrime fiction author Greg Scott. Though he was unable to verify this particular instance, many such cases exist, and they are growing in number – leading the FBI to rank faked abductions as the third most prominent form of internet scam in 2020, behind phishing and phony sales calls. Since then, industry observers have pointed to the COVID pandemic as another major driver in the continuing upsurge of virtual kidnappings.
At first glance, the tale related by Scott – horrific as it is – might not seem as though it falls under the remit of cybercrime. But to pull off such a convincing act – a particularly dark form of social engineering that pressures the victim into doing something they would ordinarily never countenance – perpetrators often go to considerable lengths, researching their targets on the internet and using technology to make the “kidnap victim” sound or look more convincing.
“Deepfake for worried family members, maybe using the voice of somebody screaming, and a bit of background checking – you might just score yourself good money,” says Elad Leon, cybersecurity expert at CYE. “But I think there is something else here. We're living in the year 2022 and everybody has a phone. If somebody just called us saying they have our daughter and if we don't pay they'll do something – the first thing we do is to call her up and ask if everything is OK. But a cyber actor can lock her phone so that person doesn't get calls – and then trigger an attack that might actually look very, very real.”
“Your attacker wants you to make dumb choices and fall deeper into their trap,” explains Scott. “It’s easy to do when you’re off-balance. If you say, ‘Jane, it’s OK, I’m coming,’ you just gave your attacker your fiancée’s name. They’ll use that against you.”
In the alleged case cited by Scott, the victim was lucky. On the way to meet the “kidnapper” at a Walmart store as instructed, he received a call from his fiancée. Making the fateful decision to ignore the criminal’s threats, he decided to answer. To his elation, it was his fiancée, alive and well. No one had abducted her.
“Burn this into your brain,” says Scott. “Just because your attacker says they have your fiancée, does not mean they really do. Your attacker expects you to panic. But you need to know if this is real or a con. So, even with adrenaline washing your brain, marshal your acting skills and find out. If your fiancée is Jane, call her Mary. Ask if she’s taken her seizure meds. Feed false information to your attackers and if they try to weave it into their narrative, then you know it’s a con.”
An evolving menace
Unfortunately, this advice, good as it is, may soon be obsolete. Because just as threat actors do in other areas of cybercrime, virtual kidnappers are upping their game, becoming more meticulous and clever in their pre-planning.
The old “business model” – thought by the FBI to have originated out of Mexican prisons about a decade ago – typically involved inmates using burner cell phones to cold-call a hundred or more potential victims a day in the hope of landing one mark. For time-rich, cash-poor criminals, this can prove well worth the effort, with 80 cases investigated by the Bureau several years ago said to have netted a total of $87,000.
But now, Lionel Sigal, who heads up a cybersecurity department at CYE, is warning of an emerging alternative methodology that takes the opposite form – carefully selecting a handful of targets, hacking into their email or other personal accounts, and then monitoring them covertly, sometimes for months.
“I can shoot at a hundred targets a day, but if I'm interested in a specific executive, I will take time,” explains Sigal. “Remember that the attacker always has the advantage – and all the time. Because as a defender, I don't know that I'm under the radar. And once I realize, many times it's too late.”
Rather than simply going after random members of the public, these more sophisticated virtual kidnappers will likely zero in on potentially more lucrative prey – top company executives. The reasoning goes: if a fake kidnapper can convince a panicking relative to make a relatively small payout on the spot, why not apply the same approach to much richer corporate entities? In fact, fears in the business world that this might happen are running so high that CYE has set up its own department dedicated exclusively to protecting senior company staff.
“We’ve seen this trend becoming more and more popular in the past two years,” says Sigal. “We received feedback from the field, our customers are concerned about this possibility.” He also anticipates that in the wake of Russia’s invasion of Ukraine, the risk will be even greater: “We can connect it to what's happening since Russia threatens executives from Western countries. We're dealing today with executives that are afraid – that something will happen to their family, that something will happen to them through their families.”
Blocking this vector of attack between the personal and professional – whereby senior executives might be blackmailed into compromising the companies they work for through a fake kidnapping attempt – will be essential in the fight against this new form of cybercrime, Sigal believes.
“We technologically protect executives, to avoid the jump from attacking them to attacking the corporate,” he says. “Because that's a crucial attack surface. So we are dealing with that before the trend becomes more popular, before there is a story to tell. If we are able to plug that gap between the basic need of a person for interaction on social media and the cyber threat, we can achieve the security that we want.”
Be social but stay safe
What does Sigal recommend potential victims, be they individual or corporate, do to avoid falling victim to such attacks? In the end, he says, it boils down to one faculty: awareness, particularly of the social dimension of such cybercrimes.
“That's one of the most important things,” he says. “Sometimes the awareness is missing in places that you wouldn't imagine it would be. For example, IT people. They should be very aware, but don’t know how to protect their social media. They can handle the technological threat, but the human factor [involved in cybercriminal attacks] is something that they lack.”
On the other hand, cybercriminals, particularly the new breed of fake kidnapper that now appears to be emerging, are all too aware of what they are doing and demonstrate meticulous patience in their illicit work.
“It takes a little bit of time to build the right way to approach you,” says Sigal. “I can send you an email, but most likely, I won't be successful.” On the other hand: “if I build a case, and then I pinpoint you, most likely it’s game over.”
“Time is definitely an investment in terms of cyber attacks,” agrees Leon, citing an example of one threat actor who hacked into an employee’s email account and spent a quarter of a year observing her, unnoticed. That particular instance of cybercrime culminated in a more conventional phishing scam – but there is no reason why a virtual kidnapper couldn’t apply the same espionage techniques to research a staged abduction to perfection.
“Once he got into her account, he stayed there for three months, not doing anything – just observing emails,” says Leon. “He studied what she did, and then after three months, only then did he take action – and that was very lucrative for him.”
At the time of writing, there do not appear to have been any high-profile virtual kidnapping cases involving senior company executives. But given cybercriminals’ capacity for ruthlessness and innovation, and the worsening geopolitical situation with Russia, it would appear that such fears, expressed by the business community itself, are far from unfounded.
Perhaps one might even say that given the hours high-level cybercriminals seem prepared to invest in their nefarious trade, it is only a matter of time before such attacks become a reality.