Today, personal communication is greatly enabled and enhanced by various messaging apps that provide text messaging, voice calls, photo sharing, and even video chat. These apps are often found in smartphones—devices that have all the features of a desktop computer, plus Wi-Fi, cellular, GPS, and data connectivity.
Cybercriminals have taken advantage of the convergence of the power of the smartphone and the features of chat apps to lure victims into compromising situations and blackmail them. Our latest paper, Sextortion in the Far East, talks at length about the latest developments concerning online blackmail.
Sextortion, Old and New
Sextortion is a form of online blackmail involving persuading a victim into performing sexual acts that are secretly recorded. The attacker then forces the victim to give in to the attacker’s demands by threatening to release the previously recorded acts publicly.
Previous sextortion incidents had demands that were sexual in nature. Perpetrators would use chat programs to record their victims’ activities and ask for more sexual material as “hush money.” Should victims comply, attackers would often demand more from the victim.
Our researchers have found that certain gangs in East Asia have improved on the sextortion modus operandi, creating a far more damaging effect on the victims. The new modus operandi involves Android malware that can steal the victims’ contact list and send them to the attackers. Attackers are then able to contact the victims’ families and friends directly—making for a more intimidating threat.
Figure 1. Comparison of the old sextortion scheme to the new one
The techniques aren’t the only things that have changed in the modus operandi. Cybercriminals are now asking for money as payment in lieu of sexual favors. Monetization might seem like a more attractive motive for cybercrooks looking to make bank with this type of blackmail.
Using Data Stealers
The Android data stealer’s primary purpose is to retrieve and send victims’ contact lists to the cybercriminals, allowing them to make more effective threats.
Our investigation revealed four Android data stealer families being used for sextortion. The families were classified by package name. Differences in code and functionality were seen from variant to variant, which suggests ongoing malware development.
The four variants all contained aggressive techniques. For example, they can intercept and log the victims’ incoming text messages. They can also monitor changes in the infected device’s SMS inbox and prevent victims from receiving new text messages unless they pay up. They can also prevent victims from receiving calls.
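As an added example (not code from the paper or from the researchers), the following Python triage script checks a decoded AndroidManifest.xml for the capability cluster described above: contact access, SMS reception and reading, call-state monitoring, network access to send data out, and a high-priority SMS_RECEIVED receiver. The two manifests in it are constructed, and the capability-to-permission mapping is an assumption about how such behaviour is normally granted on Android.

```python
# Triage a decoded AndroidManifest.xml for the capability cluster the post
# describes. A high-priority SMS_RECEIVED receiver is flagged separately because
# it lets an app see an incoming text before the stock messaging app does.
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Each capability from the post, mapped to the permissions that enable it
# (assumed mapping for this example).
CAPABILITIES = {
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "call_monitoring": {"android.permission.READ_PHONE_STATE"},
    "exfiltration": {"android.permission.INTERNET"},
}

def _priority(intent_filter):
    # android:priority may be a resource reference; treat that as unknown (0).
    try:
        return int(intent_filter.get(ANDROID + "priority", "0"))
    except ValueError:
        return 0

def triage_manifest(manifest_xml):
    """Return the package name, per-capability flags and an overall verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    flags = {cap: bool(perms & needed) for cap, needed in CAPABILITIES.items()}
    flags["sms_priority_receiver"] = any(
        SMS_RECEIVED in {a.get(ANDROID + "name") for a in f.iter("action")}
        and _priority(f) >= 1000
        for r in root.iter("receiver") for f in r.iter("intent-filter"))
    # The defining combination from the post: contacts sent out plus SMS control.
    verdict = flags["contact_theft"] and flags["exfiltration"] and flags["sms_interception"]
    return {"package": root.get("package"), "flags": flags,
            "score": sum(flags.values()), "suspicious": verdict}

# Constructed sample manifests (not real samples from the investigation).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.stealer">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><receiver android:name=".SmsReceiver"><intent-filter android:priority="2147483647">
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application></manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/></manifest>"""
```

Run `triage_manifest` over each decoded manifest from a batch of samples and sort by `score`; the verdict alone is coarse, but the per-capability flags show which of the behaviours the post describes a given package can actually perform.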
Sextortion in the Far East and Beyond
In-depth investigation of various sextortion scams led us to developers in China tasked with creating malicious apps and sites in Chinese and Korean. But the incidents weren’t limited to these countries. Our investigation also led us to Japan, where we found victims and bank accounts associated with sextortion scams.
The sextortion schemes we uncovered are complex operations that involve people across cultures and nations working together to effectively run a very lucrative business. These once again prove that cybercriminals are not just becoming more technologically advanced—creating stealthier mobile data stealers, using complex stolen data drop zone infrastructures, and outsmarting banks to better evade detection—they are also improving their social engineering tactics, specifically targeting those who would be most vulnerable because of their culture.
For an in-depth look at our investigations in sextortion, you may read our paper, Sextortion in the Far East.