Nefarious individuals have used extortion as a means of making money for as long as crime has existed. However, past schemes generally involved harm to expensive objects or even the victim himself. While these kinds of scams are still very prevalent in today's world, they certainly aren't the only ways criminals are making money.
These days, hackers have created a new way to steal what's rightfully yours: cyber extortion. While this term can be applied to a multitude of crimes, they all basically boil down to using deception and fear in order to receive payment. Of course, the loss of any amount of money is going to aggravate the victim, which is why cyber criminals are intensely focused on anonymity.
For this, there are few tools better than email. This service is widely used, and quite literally anyone can create an account. What's more, easy-to-learn hacking techniques allow hackers not only to hide their true intentions in attachments, but also to masquerade as someone they aren't. An email account is just a name on a screen for the recipient, making this a perfect attack vector for those who wish to keep their real identities a secret.
Trend Micro researchers expected 2016 to be The Year of Online Extortion, and recent developments have proven this to be true. To that end, what do users need to be on the lookout for, and what can they do to avoid an issue altogether?
Ransomware is a big problem
It would be impossible to discuss cyber extortion without first mentioning ransomware. This infamous form of malware allows the hacker to encrypt all the files contained on a computer or network. Once this is accomplished, the criminals can simply send a message to the victim demanding payment. If the person pays, he or she can receive instructions on how to decrypt the files. If not, the victim effectively has to wipe the machine and start from scratch.
Such a crime is tantamount to a criminal stealing a car and saying he'll burn it to the ground if the owner doesn't pay up, only ransomware often attacks things that have no monetary value, such as irreplaceable photographs of a deceased relative. As such, people are often quick to pay the attacker.
This crime model has become so successful that hackers are developing new forms of the malware all the time. Trend Micro research revealed that in the entire year of 2015, around 50 new types of ransomware were created. In just the first six months of 2016, we've observed 79.
Clearly, hackers have decided that one of the best ways to make money is to hold files hostage, but exactly how they do this varies. CSO's Paul Gillin described a strain of ransomware called RAA that not only encrypts your files, but also installs something called Pony. This malware skims all of your passwords and then uses a network connection to infect other PCs, making this the scourge of large offices.
Due to the fact that ransomware is very often distributed via phishing email campaigns, this last example is especially frightening and shows exactly why this form of malware is so effective. An email sent to an office of 100 people can be skipped over 99 times, but all it takes is one person clicking on a malicious link and every computer on the network can be encrypted.
Email's anonymity allows hackers to extort
The reason that hackers can get away with these ransomware scams is that they can hide behind the anonymity of the internet. Not only are email accounts hard to track, but the bitcoin payment these criminals demand can't be followed back to one single individual. However, this namelessness can allow hackers to do a lot more than hold files for ransom.
Computerworld's Lucian Constantin detailed a specific scam where hackers extorted thousands of dollars out of companies by threatening to hit them with a distributed denial-of-service attack. This is where the cyber criminal sends an enormous amount of internet traffic to a server in order to force it to crash. This particular scam was carried out by the Armada Collective, and their demands were sent out via email.
But here's the kicker: the companies being threatened were never in any danger. No one who refused to pay ever got hit with a DDoS attack, and CloudFlare CEO Matthew Prince was quoted as saying that the hackers wouldn't even have been able to track who sent in money and who didn't.
Regardless, the anonymity of this attack certainly frightened some organizations, as the Armada Collective made off with more than $100,000. Although there was no malware actually distributed via the messages, this incident shows the extent to which hackers can use email to their advantage.
What can you do to avoid getting extorted?
At the end of the day, the only way to sidestep cyber extortion is to stay vigilant about what you do online. Users should always read the addresses these messages are coming from, and they absolutely need to be suspicious of every single one. A trick that a lot of hackers use is to employ a phishing attack by making an email look a lot like a message someone would receive from a reputable company. The email itself will look legit, but the address might be misspelled. You should always be on the lookout for these.
On top of this, it's imperative that you never click on a link without first checking it out. Most email clients allow you to preview where a link will take you, and Gmail simply allows you to hover over a link in order to see what the real URL is.
BEC can be addressed through better email security
Although it technically isn't extortion, the threat of business email compromise can be mitigated through similar security best practices. This scam has risen in popularity among hackers recently, and for good reason. Many people aren't very mindful when it comes to the messages they receive online.
Of course, this isn't the victim's fault. The Radicati Group has estimated that the average business email account receives 122 messages every single day. It certainly isn't surprising that some people, overworked and stressed, wouldn't be as cautious as they should be.
As the name suggests, BEC is basically where a hacker gains access to an important executive's email account through nefarious means. Simple spear phishing attacks are often favored, but sometimes cyber criminals will infect the computer of the victim's child or spouse and leapfrog their way to their intended target.
Once the hacker has control, all he has to do is email someone with the proper authority to make a money transfer to one of his accounts. Employees often aren't used to questioning their bosses, and as such many will simply move the money without a second thought. It's a simple scam that's intensely effective.
Aside from the other security tips mentioned above, employees can mitigate the risks of such an attack by staying vigilant. Any transfer that is of significant value or simply seems out of the ordinary should be confirmed in person or over the phone.
Due to the service's widespread use, people often take email security for granted. Simply staying mindful of how hackers could possibly attack could save you from a lot of trouble.