Cybercriminals seeking sensitive data on high net-worth individuals will pay aspiring extortionists an average of $360,000 per year to target executives, lawyers, doctors, and other prominent figures, researchers discovered.
The Digital Shadows Photon Research Team today published "A Tale of Epic Extortions," a deep dive into the ways cybercriminals prey on individuals' online exposure. Extortionists take advantage of compromised credentials, sensitive data (documents, intellectual property), and technical vulnerabilities on Internet-facing applications to convince their victims to pay up.
"The extortion landscape is broader and more diverse than any of us thought before we started," says Rafael Amado, senior strategy and research analyst with Digital Shadows.
Oftentimes, he continues, the technical news that resonates with the infosec community is considered esoteric to everyone else. "Extortion has the human element," says Amado. "Attacks on organizations have real-world impact for everyday humans on the street."
It wasn't long ago when online extortion meant blackmailers composing threatening emails to threaten victims with exposure of their personal data. Some warned their targets of a potential cyberattack – for example, a denial-of-service attempt – if demands were ignored. Ransomware emerged in the 2010s, bringing a viable means of coercion and culminating in WannaCry (2017).
Sextortion, SamSam, and Scaled Funding
Today's extortionists are getting creative and finding new ways to earn cash. They're after details of victims' personal lives and/or sensitive corporate data. Sextortion scams, in which criminals claim to have evidence of targets watching sexually explicit content, have skyrocketed. Between July 2018 and Feb. 2019, Digital Shadows collected and analyzed 792,000 sextortion attempts targeting 89,000 recipients. Criminals amassed $332,000 USD in payments; analysis of Bitcoin wallets linked to attacks shows they could earn $540 per victim, on average.
Even suspicious-looking sextortion emails have the power to sway recipients. Many follow a similar pattern: an attacker shows their target a known password as proof of compromise, claims to have footage of them viewing adult content online, and demands ransom paid to a Bitcoin address. Later versions involve the attacker further proving their credibility with another email referring to a Cisco ASA router bug, which they say let them access the victim's device.
"The research shows that cybercriminal groups are increasing their targeting of high net worth individuals and/or those that hold positions of power within companies," said Rick Holland, CISO and head of the Photon Research Team at Digital Shadows, in a statement on the report.
Still, other attackers use technical vulnerabilities to exploit victims. The SamSam group used public-facing applications, and abuse of valid account for remote access systems, to extort. Its actors relied on businesses not patching their software against known vulnerabilities, and once inside they used their access to extort organizations.
Researchers warn companies are still giving groups like SamSam this level of access. At the time of writing, they say, there were over 3.6M RDP servers available on the public Internet.
Some groups, like extortionists thedarkoverlord (TDO), choose not to extort victims directly. Instead, TDO has begun using online crowdfunding campaigns to sell stolen data in batches. In Sept. 2018 it appeared on the hacking forum KickAss, where it sought accomplices and sold valuable databases, source code, and intellectual property. They demand ransom to prevent the information's release, and threaten to expose more data with each financial milestone.
Criminal Groups Hunt for Talent
Many cybercriminals are looking for members to collaborate with so they can grow their operations. There are many ways to jump into the game, and you don't have to be technically savvy: aspiring extortionists with weak skillsets can find tutorials on the Dark Web. Some experienced attackers sell DoS and ransomware-as-a-service models to novice hackers.
"Extortion campaigns aren't the most sophisticated from a technical perspective, but you still need people to create spoof emails, to mine for personal data like compromised credentials," says Amado. "You need someone to manage Bitcoin transactions, someone to launder money."
The extortion skillset is broad. Researchers found admin panels, network and website access, and sensitive data being sold on the "accesses" sections of top-tier criminal forums. For these, extortionists would need technical skills to move laterally inside target networks and find data. On the other end of the spectrum are entry-level buyers and sellers of data trading credentials.
Researchers found message boards and forums where experts are willing to pay new recruits $30,000 or more for cyber extortion scams targeting high net-worth individuals. Those with network management, penetration testing, and programming skills are in higher demand, and can earn $64,000 per month, with add-ons and a final salary of $90,000 per month after their second year. Recruits who can speak Chinese, Arabic, or German get a 5% bump on their salaries.
Is Your Business at Risk?
Extortion can affect any organization, says Amado, but the type of threat you're likely to encounter depends on the type of business you are. Are you a financial firm processing confidential documents? Or a healthcare company, handling personal health data? Law and insurance firms are also at risk due to the nature of sensitive files they have on their clients.
"These types of organizations are particularly attractive to extortionists," Amado explains, adding that large public bodies and municipal organizations are also top of mind for attackers.
Sometimes extortionists don't go after an organization because they're in a particular industry, but because a scan of public facing infrastructure showed they were vulnerable. All businesses should be asking themselves: Do I have public-facing infrastructure? Should it be public-facing? If it does need to be open to the public, are there vulnerabilities?
"If so, [you] need to patch those as soon as possible," Amado says.
There is an element of control for users and businesses to protect themselves, he continues. Researchers recommend treating sextortion emails as spam, discovering breached accounts and passwords on HaveIBeenPwned, and securing email end-users, developing a ransomware playbook, and applying best practices for user permissions: remove local admin rights, restrict execution privileges on temporary data folders, and implement whitelists application lists.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.