SANS ISC: Sextortion to The Next Level SANS ISC InfoSec Forums

Sextortion to The Next Level

For a long time, our mailboxes have been flooded with emails from “hackers” (note the quotes) who pretend to have infected our computers with malware. The scenario is always the same: they say they have successfully collected sensitive pieces of evidence about us (usually, men visiting adult websites) and request money, to be paid in Bitcoin, or they will disclose everything. We first reported this kind of malicious activity in 2018[1]. The attacks evolved with time, and the senders improved their messages by adding sensitive information such as a real password (grabbed from major data leaks) or a mobile phone number.

Now, they are going one step further and using nastier ways to collect information about their victims. They use social engineering techniques in a bad way. We have been notified by one of our readers of a Ukrainian forum containing information about people looking for "good times". How do they work?

The bad guys create fake accounts on dating websites, pretending to be young women looking for new contacts and probably more. Clearly, it does not take long before they are contacted by people looking for extramarital relations. They initiate contact and grab interesting information about the victim. In such a scenario, the collected pieces of evidence are entirely genuine: name, mobile phone, location, sexual preferences, etc. Details are published on the forum, as well as conversations and pictures. To be "unlisted", victims have to register on the forum and pay some money to "help the project".

Here is a screenshot of the forum's main page. As you can see it is quite active:

Notes:

  • The forum has been visited through Google Translate
  • The description of how it works is based on translated pages; some details might be wrong
  • I tried to remove all offensive words from the screenshots; apologies if some remain

Once they have caught a potential victim, they start cheating them and collect as much information as possible. Everything is posted on the forum.

They provide information about the process to be unlisted (once the victim has paid):

The forum seems to have been online for a while but is still being filled with new data. The problem is that, even if the victim pays, the forum is indexed by Google and other search engines (like the very popular yandex.ru). This makes getting unlisted very difficult, if not impossible!

People are free to act as they want on the Internet. Our goal is not to blame anybody but, at least, we must warn you. Be very careful when you browse dating websites looking for new contacts. This reminds me of the story of the Ashley Madison breach[2], when high-profile people were found in the leaked database, having registered with their corporate email addresses...

[1] https://isc.sans.edu/forums/diary/Sextortion+Follow+the+Money/23922
[2] https://en.wikipedia.org/wiki/Ashley_Madison_data_breach

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Jun 16th 2020