Sextortion scams are emails in which an attacker claims to have hacked the recipient's computer and to have been recording the screen and webcam while the recipient visited adult sites. The scammer then blackmails the recipient, threatening to release the recordings unless a payment in bitcoin is made.
In the past, sextortion emails would simply include one of the target's passwords, taken from a data breach dump, to convince the victim that the threats were real. Now the scammers are also pretending to have access to the target's email account by spoofing the sender address of the scam email so that it appears to be the victim's own address.
These scams have become very profitable, with scammers making over €50K in one week, and this new variant is no different. This new variant was first seen targeting victims in the Netherlands where the scammers made €40,000.
After learning about this new campaign, a security researcher has been monitoring these scams and found that the subject line of these emails is "[email address] 48 hours to pay".
For example, if your email address were firstname.lastname@example.org, the subject of the sextortion email would read "firstname.lastname@example.org 48 hours to pay" and the sender of the email would appear to be your own account. An image of the English version of the sextortion scam is shown below.
Many victims have been falling for this scam and sending payments to the attacker.
It is important for users to learn about these new scams, as they have been very successful in scaring recipients into making payments. If you receive an email like this, do not panic: a spoofed sender address proves nothing, because the From address of an email is entirely under the sender's control. Simply delete the email and then run a thorough scan of your computer with an antivirus program. If the email quotes a password that you still use anywhere, change it, since it was taken from a data breach dump rather than from your computer.
Mail providers can protect their domains using SPF and DMARC records
Sending spoofed emails so that they appear to be from someone else is nothing new. Phishers, scammers, and jokesters have been doing this for many years. With that said, mail providers can do a better job of making it harder for attackers to spoof email addresses using the domains they manage. This scam is a case in point: because the forged sender is the recipient's own address, it is the recipient's own mail provider that is in a position to reject the message, provided it publishes a policy for its domains and enforces that policy on inbound mail.
By using DNS records like Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), domain owners can lock down their domains to make it harder for external parties to spoof addresses under their control. SPF lists the servers allowed to send mail for a domain, DKIM lets those servers sign outgoing mail, and DMARC ties both to the From address the recipient sees and tells receivers what to do when neither check passes.
These records are free to publish, and when configured properly they make a huge dent in email abuse and spam. DMARC can also be configured (through the rua tag in the record) so that you receive aggregate reports from receivers about mail sent using your domain, letting you monitor what malicious activity is being performed in your name.
1. To prevent others from sending spoofed email as your domain:
- Create an SPF record ending in -all (hard fail) that lists only the mail servers allowed to send mail on behalf of your domain.
- Configure DKIM on your mail servers and publish the public key in a DKIM selector record in DNS.
- Create a DMARC record with the value p=reject.
- Create SPF records for each subdomain that sends mail.
- Create SPF records for your mail servers' HELO names.
- Create SPF hard fail (-all) records and DMARC p=reject records for all non-mail and unused domains, so they cannot be used as sender addresses at all.
2. To prevent receiving spoofed email:
- Check SPF results on incoming mail servers (hard fail = reject, soft fail = mark as spam).
- Whitelist the SMTP servers that are allowed to send mail on behalf of your own domains, and block everyone else who uses those domains as the sender.
- Check DKIM results on incoming mail servers (failure = reject). Bear in mind that a DKIM signature can legitimately break in transit, for example when a mailing list or forwarder rewrites the message, so many receivers let the combined DMARC verdict decide rather than rejecting on a DKIM failure alone.
- Check DMARC results on incoming mail servers and apply the p= policy published in the sender domain's DNS record.
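To make the two lists above concrete, here is an added example (not code from the original article) that models both sides: a constructed DNS zone holding the kind of SPF and DMARC records the sending-side steps would publish, and a receiver-side evaluator that checks SPF, applies DMARC identifier alignment and returns the disposition the published p= (or sp=) policy calls for. The domain names, IP addresses and the two-label organizational-domain rule are assumptions made for the example (real DMARC uses the Public Suffix List), and DKIM signature verification is left to the caller, since it needs the message body and the signer's key; the DKIM verdict is passed in the way a real MTA hands it to its DMARC stage.

```python
"""Toy SPF + DMARC evaluation (added example; zone, domains and IPs are constructed)."""
import ipaddress

# Constructed "DNS": the TXT records a domain owner would publish following the steps above.
ZONE = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.org",
    "legacy.example": "v=spf1 ip4:203.0.113.20 ~all",   # soft fail and no DMARC record
    "parked.example": "v=spf1 -all",                    # non-mail domain: nobody may send as it
    "_dmarc.parked.example": "v=DMARC1; p=reject",
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the ip4, include and all mechanisms of an SPF record (other mechanisms are skipped)."""
    record = ZONE.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(ip, term[8:], depth + 1) == "pass"  # include matches only on pass
        elif term == "all":
            matched = True
        else:
            continue
        if matched:
            return RESULT[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption; real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_tags(record):
    """Split 'k=v; k=v' DMARC syntax into a dict."""
    return {k.strip(): v.strip() for k, v in
            (part.split("=", 1) for part in record.split(";") if "=" in part)}


def dmarc_policy(from_domain):
    """Policy for the From domain: its own record, else the organizational domain's sp= (or p=)."""
    tags = parse_tags(ZONE.get("_dmarc." + from_domain, ""))
    if tags:
        return tags.get("p", "none"), tags
    tags = parse_tags(ZONE.get("_dmarc." + org_domain(from_domain), ""))
    if tags:
        return tags.get("sp", tags.get("p", "none")), tags
    return None, {}


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(client_ip, mail_from, header_from, dkim_results):
    """Return (dmarc_result, disposition); dkim_results is [(signing_domain, 'pass'|'fail'), ...]."""
    from_domain, spf_domain = header_from.split("@")[-1], mail_from.split("@")[-1]
    spf = check_spf(client_ip, spf_domain)
    policy, tags = dmarc_policy(from_domain)
    if policy is None:  # no DMARC record: only the SPF verdict is available (hard fail=reject, soft=spam)
        return "none", {"fail": "reject", "softfail": "spam"}.get(spf, "deliver")
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for d, res in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"reject": "reject", "quarantine": "spam", "none": "deliver"}[policy]


if __name__ == "__main__":
    # The sextortion case: From and MAIL FROM forged as the victim, sent from an unlisted host, unsigned.
    print("spoofed victim:", evaluate("192.0.2.77", "victim@example.org", "victim@example.org", []))
    # The victim's real provider sending the same headers from its listed server.
    print("real provider:", evaluate("203.0.113.10", "victim@example.org", "victim@example.org", []))
    # Legitimate mail forwarded by a third party: SPF fails, but the aligned DKIM signature carries it.
    print("forwarded:", evaluate("192.0.2.77", "victim@example.org", "victim@example.org",
                                 [("example.org", "pass")]))
```

The first call shows why p=reject matters: the forged message fails SPF, carries no aligned DKIM signature, and the published policy turns that into a rejection, whereas the same zone with p=none would deliver it. The third call is the forwarding case from the caveat above: SPF fails because the forwarder's IP is not listed, but DMARC still passes on the aligned DKIM signature, which is why rejecting on SPF or DKIM alone is stricter than DMARC intends.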