Online sextortion scammers have upped their game using personalized phishing attacks to lure victims and pressure them to pay up – some even using photos of victims’ own homes and threatening to show up if demands are not met.
The newly minted “We know where you live” sextortion tactic aims to leverage a victim’s personal data, including full names, telephone numbers, and addresses, all to make an attack appear more ominous and convincing than it actually is.
That’s according to a new research blog released earlier this week by cybersecurity solutions firm Barracuda Networks.
Targeted phishing attacks are not only more convincing, but further designed to make it more likely a victim will fork over the money to keep the bad guys at bay, the threat researchers said.
Personalizing the content of phishing emails (usually sent out by the scammers en masse) also makes it more difficult for spam filters to detect and stop them from hitting a victim's inbox, Barracuda noted.
Sextortion is a type of online blackmail where the criminal threatens to expose explicit sexual images or videos of the victim unless the criminal's demands, which are often monetary, are met.
In some cases, sextortion happens when scammers pretend to be someone else, usually a woman, and trick the person into sending them naked pictures or videos.
In the instances examined by Barracuda, the sextortionists were found simply gathering sensitive information about the victims using stolen usernames and passwords bought off the dark web.
Once a victim was compromised, the criminals would contact them using personalized social engineering attacks and claim to possess compromising content that they would share publicly unless a payment was made, the Barracuda research blog found.
Additionally, threat researchers said evolving tactics included the use of scannable QR codes to make it easier for targeted victims to pay the sextortionist’s demands, which have risen “from hundreds to thousands of dollars” over the past year.
Ever-evolving and personalized attacks
Researchers have found that the scammers have begun to craft their phishing emails using detailed personal information gleaned about the victim – a tactic known as spear phishing.
Emails are being addressed directly using the victim’s first and last names, with the body of the emails often containing even more targeted information such as the victim’s telephone number, street address, and city.
Barracuda provided examples of copy used by the scammers – copy that would often insinuate the cyber thief was located in or near the victim’s hometown.
“I know that calling [telephone number] or visiting [street address] would be a better way to have a chat with you in case you don’t cooperate. Don’t even try to escape from this. You have no idea what I’m capable of in [city],” the sample reads.
Frequently placed inside the emails are images from Google Maps street view depicting the victim’s exact location, often showing the victim's home address or workplace, the researchers found.
Finally, the criminals are said to be using several variations of copy to go along with the Google Maps street images that are attached to the emails, including the following:
- See you here?
- Can you notice something here?
- Is this the right place to meet?
To “make it faster and easier” for victims to pay the crypto demands, the savvy criminals are now embedding quick response (QR) code technology inside the extortion emails, placing the QR codes directly under the criminal's Bitcoin address, according to the report.
Sextortion often targets vulnerable teenagers
Teenagers in the US have been found highly susceptible to these types of sextortion scams due to the heavy emotional factors involved, such as embarrassment and shame.
In 2023, there were close to 27,000 confirmed sextortion cases in the US, more than double the previous year's total. Sadly, those cases have led to the suicides of close to 30 victims, the BBC reported in June.
In September, two Nigerian men were convicted and sent to US prison for running a sextortion scam that led to the death of a 17-year-old boy in Michigan.
And over the summer Meta Platforms announced the removal of more than 65,000 sextortion accounts said to be part of the ‘Yahoo Boys’ cybercriminal ring, also operating out of Nigeria.
Social media site Snapchat has followed suit with its own anti-sextortion campaign for its majority-teen user base.
Barracuda says there are several ways to help prevent becoming a victim of sextortion scams including the use of AI-based phishing protection and account-takeover protections, as well as proactive investigations, security-awareness training, and system maintenance.