A Recipe for Extortion: Just Add Salt

January 28, 2019

By Stuart Virgili

If you’ve been using email for more than 35 seconds, you are probably familiar with spam. If you’ve been using it longer, you are probably familiar with phishing attempts. The latest trend in malicious email takes a more fear-reliant approach, with extortion and ransom-like attributes. These emails claim to have hacked into your accounts and collected personal information about you. They then ask you to pay some amount of money to keep this information private, under the threat of release.

Not the usual spam email

Traditional spam emails leverage convincing or urgent wording to get you to open, install or simply click on something, which usually leads to a compromise through credential stealing or other malware. Traditional ransomware attacks lock your files behind forced encryption, with a payment requirement to release the decryption key, and have been a relatively successful “business”. Extortion emails just want your money. These emails, like spam emails, contain the usual clues such as incorrect grammar, bad spelling, and an overall threatening prose; typically, they are a combination of the two concepts with some key differences.

The main feature these email attacks leverage is credibility. They claim to have hacked your account and show proof of this by displaying a password which is (or was at some point) potentially correct and valid. They send the email from “your email address” to yourself, which may lead you to believe that they actually do have the access they claim to have. The reality is that they probably have neither and are leveraging a combination of data leaked during various breaches to establish this credibility.
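One way to test the "sent from your own address" claim is to read the verdicts your mail provider recorded when the message arrived. The following is an added example, not part of the original article; it assumes the receiving server stamps an Authentication-Results header (RFC 8601), and `mx.example.net`, the addresses and the message text are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message). mx.example.net stands in for the
# recipient's own mail server, an assumption of this example.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=fail smtp.mailfrom=victim@example.com;
 dkim=none; dmarc=fail header.from=example.com
From: victim@example.com
To: victim@example.com
Subject: Your account has been hacked

I have your password. Pay or I release everything.
"""

def auth_results(msg, trusted_id):
    """Collect spf/dkim/dmarc results, but only from headers stamped by our
    own server; a sender can insert Authentication-Results headers too."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, body = str(header).partition(";")
        if authserv_id.strip().lower() != trusted_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", body, re.I):
            results.setdefault(method.lower(), result.lower())
    return results

def triage(raw, trusted_id="mx.example.net"):
    """Classify a message that claims to come from the recipient's own address."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    results = auth_results(msg, trusted_id)
    self_addressed = bool(sender) and sender == recipient
    if not self_addressed:
        verdict = "not self-addressed"
    elif results.get("dmarc") == "pass":
        verdict = "sender authenticated: review account access logs"
    else:
        verdict = "likely spoofed sender"
    return {"self_addressed": self_addressed, "auth": results, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A self-addressed message with no passing DMARC result from your own server did not need access to your mailbox to be sent.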

Where is this data coming from?

There have been recent breaches at data aggregators that include data which can be used to target you. These exposed data points give the attacker enough knowledge to know who to attack and where to focus their efforts. Previous breaches of passwords, and the frequency with which people reuse common passwords or have “bad” passwords, have increased the chance that a breach at one company will expose a password you use elsewhere. All of this lends credibility to the attack. The more important the target, the more likely they may choose to pay under this threat of information release.

How you can guard yourself

Although extortion emails are scary, they are usually nothing to fear. Using a different password for each service and website is step one in guarding yourself from these emails, and if you’re already doing this then you’re ahead of the game. If you use two-factor authentication, that’s even better; two-factor authentication negates the ability of the attacker to have the access they claim to have. If the password provided by the attacker is valid (or is reused across multiple services), you should change that password everywhere it was used, and never use it again. Never.

Stay Calm

Take a moment to realize that it is generally not in the best interest of an attacker to announce that they have access to your accounts. Usually, that kind of access is best kept secret and maintained as long as possible. Any such announcement these extortion emails make is likely a bluff and a call-to-action, usually to instill fear so that you comply with their demands. However, if you have any concern that actual access was made, change the affected password first, then work with your provider to review access logs for malicious activity. Most email providers are able to invalidate all previous sessions to “kick out” unauthorized users, and many can also provide the logs, which can ease your mind.

Stay calm. Think critically. And use two-factor authentication and different passwords for everything.

About the Author

Synoptek is an established firm that provides information systems consulting and IT management services. Synoptek and its predecessors have been providing these services for 23 years.