Bad guys have come up with a sinister new strain of blackmail/sextortion. Just when you thought things couldn’t get worse, the bad guys sink lower.
Eric Howes, KnowBe4’s Principal Lab Researcher, has recently exposed an attack now live out there in the wild. It claims the CIA will bust you for child porn unless you pay $5,000, and only then “your records will be deleted”.
Apart from the very scary and expensive extortion, it also contains a malicious link. What lies behind that link (credentials phish or malware download) we don’t know, as the target web page for that link has been taken down. But it sure looks like the bad guys have two attack vectors and are also trying to infect the workstation.
It gets worse.
KnowBe4 is seeing a rise in this blackmail-type phishing… and it will become more serious. With the capabilities of recent destructive malware and ransomware, the following scenario becomes highly probable: if you don’t pay the ransom but, worried to death, click on the link, they will put actual child pornography on the user’s machine and/or stuff the user’s search history with fake searches. Then they will anonymously notify the FBI or other law enforcement. It’s a setup, and the intent is to actually get the person arrested and massively disrupt your organization at the same time.
Unfortunately, technically this is not that difficult to do, and we see the potential for this to develop into highly targeted spear phishing attacks on CEOs, politicians, high-net-worth individuals, celebrities, etc. This could absolutely ruin someone’s life.
Child porn would be a gruesomely effective setup. Law enforcement accepts absolutely no excuses when they encounter it on a device, as malware researchers and investigative journalists have discovered to their horror. Even law enforcement officers who deal with it are monitored and supervised carefully.
What does the future look like?
Now more than ever, bad guys have opportunities and options they can leverage. If you’ve compromised the devices or accounts of a high-value target, what’s the most productive way to extract value from that target? With so many tools available, bad guys have a critical decision to make between two attack scenarios:
- Lie low and exploit the compromised devices and accounts for long-term gain (information, money, etc.), or
- Go the extortion route, which would inevitably bring scrutiny from law enforcement, IT specialists, and others with a stake/interest in investigating those devices and accounts.
Different cyber crime gangs could even be operating with divergent “business models.” Something similar to this was all over the news recently. The recent dust-up between Jeff Bezos and AMI (parent company of the National Enquirer) comes close to the above attack model if Bezos’ phone had been compromised. Think of the potential value of getting super-sophisticated backdoor Trojans onto the devices of Mr. Bezos.
Going forward, it would be important for the cyber criminals to set a precedent like ransomware did: pay the ransom and get your files back. If an example were made of a few famous people with a repulsive attack like this, it would be an easy bet that people would start paying. This could even be developed into a criminal extortion subscription, modeled on the old “protection money” racket the mob used to run.
While we’re seeing a rise in new schemes like this, the old rule still stands: THINK before you click!