Sextortion phishing attacks up by 334%

by Jack Chapman
Published on 16th Jun 2022

Our threat intelligence team has shared several threats they’ve uncovered through monitoring our B2B platform in our recent report, Keeping pace with emerging threats. One of the standout threats to keep your users aware of is a rise in sextortion emails that use fake threats to blackmail people into paying cryptocurrency ransoms.

Quick summary of these attacks

  • Vector and type: Sextortion phishing email
  • Technique: Social engineering
  • Payload: Cryptocurrency address
  • Targets: Individuals and organizations across the US and the UK
  • Platform: Microsoft 365
  • Bypassed secure email gateway: Yes

We saw a 334% increase in sextortion phishing emails across the UK and the US since March 2022. In April, we discovered that 53% of these attacks were sent from compromised legitimate email accounts. All of the attacks contained cryptocurrency addresses rather than traditional phishing payloads such as malicious links or attachments.

These tactics were likely the reason the emails bypassed secure email gateways (SEGs): the attacks are linguistic in nature, with no link or attachment to scan, which makes them harder for traditional solutions to identify.

What the attacks look like

The attacks feature a variety of subject lines. Some relate closely to the topic of the email, in the hope that people panic and click through for more information, such as:

  • “All your data has been hacked and copied to my servers. Instructions inside”
  • “Here is the last warning! Your entire information has been copied. The entry in system is completed.”

We’ve also seen financial subject lines, for example:

  • “You have an unpaid bill.”
  • “You have to pay a debt.”

These might appear bland, but they can be more effective. Some people will instantly delete a message with an alarmist subject line like the first examples. Plainer subject lines can catch people off guard and make them click, and they also evade solutions that look for keywords such as ‘HACKED.’

The emails use emotive and threatening language to socially engineer the target into paying, such as ‘I could ruin your life forever’ and ‘I don’t think this kind of content would be very good for your reputation’ (figure 1). The emails we analyzed followed a similar format: stating the problem, the threat, the ‘solution’, the deadline to comply by, and the futility of reporting the incident.

Figure 1: Ransom demand within a sextortion email
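The two observations above (plain subject lines defeat single-keyword filters, and the emails share a fixed structure around a cryptocurrency address) suggest a detection approach that scores the message body on its structure rather than on one keyword. The following Python triage script is an added example written for this page; it is not Egress code and not taken from the report. The three sample messages, both wallet addresses and the signal phrase lists are constructed for illustration, and the scoring thresholds are an assumption to tune against your own mail.

```python
import re
from dataclasses import dataclass

# Bitcoin-style addresses: legacy/P2SH base58 (starts with 1 or 3, no 0/O/I/l)
# or bech32 (bc1 + its own 32-character alphabet). Sextortion mails carry the
# address as the payload, so this is the anchor signal rather than a URL.
CRYPTO_ADDRESS = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}"
    r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,59})\b"
)

# One regex per part of the message structure: problem, threat, "solution"
# (payment), deadline, futility of reporting. Phrase lists are constructed
# examples (assumption), not a vendor signature set.
SIGNALS = {
    "problem":  re.compile(r"\b(?:hacked|malware|webcam|recorded|copied|compromised)\b", re.I),
    "threat":   re.compile(r"\b(?:ruin your life|reputation|expose|share (?:the|this) video)\b", re.I),
    "payment":  re.compile(r"\b(?:bitcoin|btc|wallet|transfer|pay(?:ment)?)\b", re.I),
    "deadline": re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I),
    "futility": re.compile(r"\b(?:police|authorities|useless|pointless|no point|don'?t (?:bother|try|waste))\b", re.I),
}


@dataclass
class Verdict:
    addresses: list
    signals: list
    score: int
    label: str


def analyze(subject: str, body: str) -> Verdict:
    """Score one message on address presence plus structural signals.

    An address alone (a donations mail) or a few signals alone (an invoice
    reminder) only reach 'suspicious'/'clean'; the sextortion pattern is the
    address combined with most of the structure.
    """
    text = f"{subject}\n{body}"
    addresses = CRYPTO_ADDRESS.findall(text)
    signals = [name for name, rx in SIGNALS.items() if rx.search(text)]
    score = 3 * bool(addresses) + len(signals)   # weights are an assumption
    if addresses and len(signals) >= 3:
        label = "sextortion"
    elif addresses or len(signals) >= 3:
        label = "suspicious"
    else:
        label = "clean"
    return Verdict(addresses, signals, score, label)


# Constructed samples. The sextortion body reuses the post's plain subject line
# and its structure; neither wallet address is real.
SEXTORTION = (
    "You have an unpaid bill.",
    "Hello. Your device was compromised a few months ago and I recorded you "
    "through your webcam. I don't think this kind of content would be very good "
    "for your reputation; I could ruin your life forever. Transfer 1500 USD in "
    "Bitcoin to 1ExampLeNotAReaLAddressxxxxxxxxxx within 48 hours. Going to the "
    "police is useless, the video is already backed up.",
)
INVOICE = (
    "You have an unpaid bill.",
    "Hi, invoice INV-2207 for 480 USD is overdue. Please arrange payment within "
    "7 days or contact accounts@example.com. Thanks.",
)
NEWSLETTER = (
    "Donations wallet changed",
    "Our open-source project now accepts Bitcoin donations at "
    "bc1qn0tarealaddressexamplezzzzzzzzzzzzzzzz. Thanks for your support!",
)

if __name__ == "__main__":
    for name, msg in (("sextortion", SEXTORTION), ("invoice", INVOICE), ("newsletter", NEWSLETTER)):
        v = analyze(*msg)
        print(f"{name:10s} label={v.label:10s} score={v.score} signals={v.signals} addresses={v.addresses}")
```

The invoice reminder shares the subject line and a payment/deadline mention with the sextortion mail but has no address and no threat, so it stays clean; the donations mail has an address but no threat structure, so it is only flagged for review. Only the message that combines the address with the problem/threat/deadline/futility structure is labelled sextortion, with no dependence on the word ‘HACKED’ appearing anywhere.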

After analyzing a segment of the recipients of these sextortion emails, we discovered they were all part of the Apollo and/or Data Enrichment data breaches (figure 2). It is possible the cybercriminal(s) used email addresses from these breaches to build their target list(s).