Some people think a stolen email address is of little value to a threat actor. The latest sextortion scam shows how useful it can be.
The stolen address is used to convince the victim that the message is genuine. The goal is to make the person curious or worried enough to open an infected attachment, which carries the blackmail demand.
And why not if the message comes from the CIA?
According to a blog from Trustwave published this morning, here’s how the con works.
The subject line reads “Your email — and then the victim’s address — has been verified Central Intelligence Agency Case #66616805”
To an unsuspecting person, the fact that their email address is in a subject line may make them think the message is real.
“My name is Gilbert Ginley and I am a technical collection officer working for Central Intelligence Agency,” the message says. “It has come to my attention that your personal details including your email address are listed in case #66616805.”
The case, it goes on to say, is part of a large international operation set to arrest more than 2000 individuals suspected of paedophilia in 27 countries.
The attached document, it says, includes your personal details, home address, work address and list of relatives and their contact information, as well as your ISP web browsing history, online chat room logs and other data.
“The first arrests are scheduled for April 15, 2019,” it adds.
There is a password listed to help the victim open the attached ZIP file.
And if someone is foolish enough to click on the file, it launches a PDF document with a blunt blackmail note: “I read the documentation and I know you are a wealthy person who may be concerned about reputation,” it reads.
It then tells the reader to transfer the bitcoin equivalent of US$5,000 to an address.
“Upon confirming your transfer I will take care of all the files linked to you and you can rest assured no one will bother you.”
There is a hyperlink in the document to a web platform called SatoshiBox where the victim can buy bitcoin. This, says Trustwave, is the new wrinkle in such scams.
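The lure described above combines several tell-tale signals: the recipient's own address echoed in the subject line, an official-looking case number, a claimed government agency, and a password-protected ZIP attachment. A mail gateway or SOC triage script can score an incoming message on those signals. The following is an added illustration, not Trustwave's code or anything from the article; the `Message` class, the regexes and the two sample messages (one built from the subject line and phrases quoted in the article, one benign) are constructed for this example, and the ZIP password in the sample is a placeholder.

```python
# Added example: heuristic scoring of an inbound message for the indicators
# the article describes. Constructed for illustration; not vendor code.
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Message:
    recipient: str            # the address the mail was delivered to
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)  # attachment filenames


# "Case #66616805"-style references (the number itself is irrelevant).
CASE_REF = re.compile(r"\bcase\s*#\s*\d{4,}", re.I)
# Agencies a blackmailer is likely to impersonate (assumed list, extend as needed).
AGENCY = re.compile(r"\b(?:central intelligence agency|cia|fbi|interpol|europol)\b", re.I)
# "password ... zip/file/attachment" or the reverse, within a short distance.
PASSWORD_HINT = re.compile(
    r"\bpassword\b.{0,40}\b(?:archive|zip|attachment|file)\b"
    r"|\b(?:archive|zip|attachment|file)\b.{0,40}\bpassword\b",
    re.I | re.S,
)


def score(msg: Message) -> Tuple[int, List[str]]:
    """Return (number of indicators hit, list of indicator descriptions)."""
    hits: List[str] = []
    text = msg.subject + " " + msg.body

    # 1. The recipient's own address is echoed in the subject to look "verified".
    if msg.recipient.lower() in msg.subject.lower():
        hits.append("recipient address echoed in subject")

    # 2. An official-looking case number in subject or body.
    if CASE_REF.search(text):
        hits.append("official-looking case number")

    # 3. Claims to come from a law-enforcement or intelligence agency.
    if AGENCY.search(text):
        hits.append("claims to be from a government agency")

    # 4. A ZIP attachment whose password is supplied in the message body,
    #    which defeats gateway scanning of the archive contents.
    has_zip = any(a.lower().endswith(".zip") for a in msg.attachments)
    if has_zip and PASSWORD_HINT.search(msg.body):
        hits.append("password-protected zip attachment")

    return len(hits), hits


def is_suspicious(msg: Message, threshold: int = 3) -> bool:
    """Flag a message when it hits at least `threshold` indicators (assumed cut-off)."""
    return score(msg)[0] >= threshold


# Constructed sample modelled on the article's quoted subject line and phrases.
LURE = Message(
    recipient="alice@example.com",
    subject="Your email alice@example.com has been verified "
            "Central Intelligence Agency Case #66616805",
    body=("My name is Gilbert Ginley and I am a technical collection officer "
          "working for Central Intelligence Agency. It has come to my attention "
          "that your personal details including your email address are listed "
          "in case #66616805. The password for the attached ZIP file is "
          "PLACEHOLDER-PASSWORD."),
    attachments=["case_66616805.zip"],
)

# Constructed benign message for contrast.
BENIGN = Message(
    recipient="alice@example.com",
    subject="Lunch Thursday?",
    body="Are you free for lunch on Thursday? The agenda you asked for is attached.",
    attachments=["agenda.pdf"],
)


if __name__ == "__main__":
    for name, m in (("lure", LURE), ("benign", BENIGN)):
        n, why = score(m)
        print(f"{name}: score={n} suspicious={is_suspicious(m)} {why}")
```

The threshold of three indicators is an assumption chosen so that a single coincidence (a legitimate ticketing system that puts a case number in the subject, say) does not trigger on its own; tune it against your own mail traffic, and treat a hit as a reason to quarantine for review rather than proof of malice.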
Using a stolen email address, or some other stolen detail, in the subject line or body of a message to convince victims that it is authentic isn’t new. For example, last August security vendor Sophos warned that scammers were including the last four digits of your phone number and/or a password in messages to prove authenticity. Those details would have been obtained from a data theft.
That’s why it’s important not to reuse a password across more than one site, and to enable two-factor authentication on as many sensitive sites (work, bank, email) as possible. That way, if an attacker has your password they still can’t get in.