Old 24th May 2024, 12:58   #1
Team-BHP Support
 
Join Date: Feb 2004
Location: Bangalore
Posts: 15,178
Thanked: 31,078 Times
How I helped an Employee counter a Sextortion Threat

Disclaimer - The following incident could happen to anyone in a moment of weakness. This is not representative of the culture and behaviour of my organization. This incident has been published to help others confront any potential extortion threat.

This article has been edited and reproduced from here

Recently, I received an urgent call from a colleague who was faced with a delicate problem. To cut a long story short, he got lonely with his personal computer, got into some kind of interactive video chat and you can guess the rest! The threat was to expose his compromising pictures on social media and to people within our company. He was being pressured into paying $2000 to make this go away. In such situations, the problems seemed bigger than what they were!

Thankfully, the most important step that he took was to share the problem in confidence. I have a lot of respect for his courage shown in stepping up on this.

Technically, it involved his personal asset, during his personal time so it need not have been my problem, but as an Infosec professional, I have a duty to protect our employees in whatever capacity. This was a bit like the Hippocratic oath.

As I had learnt during my Krav Maga training, it was best to confront and block than to do nothing. However, to respond, we needed to assess and contain the situation. To save him any further embarrassment, I stayed away from too many "How" and "Where" questions. We planned our response as follows:

1: Map out the situation

What do they know?

The extortionists had identified his name and employer (probably from the credit card and LinkedIn).

What did they want to do?


They planned to expose the pics on social media and write to people within the company.

What did they want?

$2000 wired to a PayPal account. There are no prizes for guessing this would only be a down payment. Once the victim has bitten, the extortionists will focus on further payments and mine more information to reel him in for more.

What was the Extortionist profile?

All we had were a couple of emails and a PayPal account. It all pointed to players based in the Philippines. My gut feel was that this was an opportunistic attempt. Just like a petty thief, they would go after a low hanging fruit and not the whole tree. Their resources were the proverbial Honey Trap, a video camera and not much else in terms of social engineering skills (I could have been wrong!)

The victim was getting increasingly distressed as they were pressuring him with frequent emails. This was beginning to be a bit like those timeshare salesmen. I instructed him not to respond.

2: Containing the Situation

1: To block further information mining, I instructed the victim to deactivate his social media, change all passwords, block and change his credit card.

2: The victim was instructed to report the threat with all details to the local authorities and the FBI online. The latter feeds the info into other intelligence agencies. These get fed into various anti-threat protection service provider databases and will be flagged and blocked.

3: Assess the Consequences and Mitigate

1: Social Media Exposure - If the threat of such exposure to social media had been an actual possibility, we would have found a lot of pictures online of our friends, colleagues and the dog next door in flagrant action. (Maybe I move with the wrong sort of friends!). In reality, the social media sites have strong image detection systems to block obscene uploads. Hence, we could call this bluff!

2: Exposure to the Company - The first question that cropped up was how would they be able to do this? Yes, some email addresses could be obtained with time and effort so we needed to address this.

We configured the Mail Server and set up some rules as follows:
1: Extortion Mails originating from the known email addresses would be blocked without notification

2: Mails originating from unknown email addresses needed to be diverted - We made the assumption that our extortionists were barely creative enough to reuse the phrases in their extortion mail. We then created a rule to detect any mail with the key words used in the phrases, the victim's name and any attached pic/video file. Those mails would get directed to me.
That done, we waited with caution. Thankfully, nothing came our way!

Some learnings:
If you are a victim -
  • Never give in, be strong and have the courage to face up to the deed
  • Speak to someone, you will need someone rational to have your back
  • Report with all the facts
  • Deactivate social media temporarily to block information mining
  • Change all passwords and credit cards. (If they've got to know you too well, they might have extracted info in a moment of weakness)
  • Keep your antenna up
  • Time bound pressure tactics are a sign of an opportunist
  • If they really want to ensnare you, information is gathered in advance
  • You might be embarrassed but it is all forgotten when we swing into action with countermeasures
  • If you have compromised company assets, always come clean and face the consequences. The chances are that you will get discreet help in containment but it might cost you. It would be the same if you were exposed but with more shame.


Remember,

Never give in, Never respond.

Contain and block!

Last edited by ajmat : 24th May 2024 at 17:42.
ajmat is offline   (254) Thanks
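The two mail rules described in post #1 (silently block known sender addresses; divert mail from unknown senders that matches the extortion phrases, the victim's name and a picture/video attachment), as an added Python sketch that is not part of the original post or the organization's actual mail-server configuration. The addresses, phrases, victim name and reviewer mailbox are constructed placeholders, and the "any two of three signals" threshold is an assumption, since the post does not say how the signals were combined.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed placeholder values; none of these come from the incident.
BLOCKED_SENDERS = {"threat@extort.example"}
EXTORTION_PHRASES = ("send the video to your company", "pay within 24 hours")
VICTIM_NAME = "john doe"
MEDIA_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi")
REVIEWER = "infosec@corp.example"  # hypothetical mailbox that receives diverted mail


def _normalise(text):
    """Lower-case and collapse whitespace so line wrapping cannot split a phrase."""
    return re.sub(r"\s+", " ", text).lower()


def triage(raw_message):
    """Return ('block', None), ('divert', REVIEWER) or ('deliver', None)."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    if sender in BLOCKED_SENDERS:  # rule 1: known address, dropped without notification
        return ("block", None)

    text, has_media = str(msg["Subject"] or ""), False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        maintype = part.get_content_maintype()
        if maintype in ("image", "video") or filename.endswith(MEDIA_EXTENSIONS):
            has_media = True
        elif maintype == "text":
            text += " " + part.get_content()
    text = _normalise(text)

    signals = [
        any(phrase in text for phrase in EXTORTION_PHRASES),  # reused wording
        VICTIM_NAME in text,                                  # victim named
        has_media,                                            # pic/video attached
    ]
    # rule 2 (assumed threshold): any two of the three signals divert the mail
    return ("divert", REVIEWER) if sum(signals) >= 2 else ("deliver", None)


def build_sample(sender, subject, body, attachment_name=None):
    """Build a constructed test message and return it as raw RFC 5322 text."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "hr@corp.example", subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"\x00", maintype="image", subtype="jpeg",
                           filename=attachment_name)
    return msg.as_string()
```

Diverting to a reviewer rather than deleting keeps false positives recoverable, which matters because the victim's name alone appears in plenty of legitimate mail.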
Old 24th May 2024, 17:42   #2
Team-BHP Support
 
Join Date: Feb 2004
Location: Bangalore
Posts: 15,178
Thanked: 31,078 Times
Re: How I helped an Employee counter a Sextortion Threat

Thread moved out from the Assembly Line.

Hope this helps people in the long term

Last edited by ajmat : 25th May 2024 at 14:34. Reason: Note edited
ajmat is offline   (4) Thanks
Old 24th May 2024, 17:51   #3
Senior - BHPian
 
Join Date: Jul 2020
Location: Hyderbad
Posts: 1,099
Thanked: 3,916 Times
Re: How I helped an Employee counter a Sextortion Threat

Great information. Appreciate your responsibility towards your colleague. However, I don't think the problem resolves by itself if we block or deactivate social media accounts. What if the content is really posted online? I thought there would be a permanent fix. These scamsters from Philippines mostly do not have great patience levels, they only try to threaten a few times, if the party gives in, then they try to fleece as much as they can. On the contrary, if they do not budge and delete their account or block emails, they just post the content online. They get details of their family members and are fully prepared before the first extortion email is dropped. Not to scare your friend but in my opinion, this is far from over. Please let me know your thoughts.
Raghu M is offline   (12) Thanks
Old 24th May 2024, 18:49   #4
Team-BHP Support
 
Join Date: Jun 2007
Location: Bangalore
Posts: 7,192
Thanked: 51,830 Times
Re: How I helped an Employee counter a Sextortion Threat

Quote:
Originally Posted by Raghu M View Post
On the contrary, if they do not budge and delete their account or block emails, they just post the content online.
From the sextortionists' point of view, posting the video/content online is useless. It will not go viral and hence is not a threat. Nobody wants to see a video of a dude in front of his laptop.

Quote:
They get details of their family members and are fully prepared before the first extortion email is dropped. Not to scare your friend but in my opinion, this is far from over. Please let me know your thoughts.
This is possible I guess. But to me, stopping all communication with them seems like the best idea. Simply because there is zero upside in responding to their emails. But at least in his professional life, his reputation & job is protected now.

On a personal level:

- The extortion email specifically talks about leaking video to company, and not friends/relatives
- If video is leaked to friends/family via email, it is likely to end up in spam folder.
- Even if it does not, folks have become smart enough not to open video files from unknown or known senders, because of virus/hacking risk
- If video is sent via whatsapp to his friends/relatives, the risk of exposure is indeed higher
- But because of sensitive nature, the probability of friends/relatives forwarding among each other or discussing the issues amongst themselves is low
- They might contact him directly. If that happens, he can just confess the same way he did with Ajmat. Case closed.

As a pre-emptive measure, he can probably send an email/whatsapp message to important friends/family saying something like: "my email account/phone has been hacked. do not open any email/whatsapp message with video from unknown sender."

Last edited by SmartCat : 24th May 2024 at 19:10.
SmartCat is online now   (42) Thanks
Old 24th May 2024, 19:12   #5
BHPian
 
Join Date: Jun 2019
Location: Bengaluru
Posts: 652
Thanked: 1,762 Times
Re: How I helped an Employee counter a Sextortion Threat

Quote:
Originally Posted by ajmat View Post

Never give in, Never respond.

Contain and block!
I would if he feels that FB/insta they might post. (Usually they clone your profile pic and start sending Friend requests and what not )

Additionally, I would recommend the below: (if you see that pics are getting shared, do not act if nothing is going on)

- Give a status update to your friends that your account is hacked and ignore any FR and links and videos saying it is you.

- Warn your parents (say truth if possible) and relatives who you think might be contacted that a scam attempt(via morphed video) is in progress so ignore.
SideView is offline   (3) Thanks
Old 24th May 2024, 19:21   #6
Team-BHP Support
 
Join Date: Feb 2004
Location: Bangalore
Posts: 15,178
Thanked: 31,078 Times
Re: How I helped an Employee counter a Sextortion Threat

Quote:
Originally Posted by Raghu M View Post
, I don't think the problem resolves by itself if we block or deactivate social media accounts. What if the content is really posted online? .
The whole point in deactivating these accounts is to prevent extortionists from mining your information. Once you know that you are no longer in their radar - reactivate.
ajmat is offline   (8) Thanks
Old 25th May 2024, 08:28   #7
BHPian
 
Join Date: May 2008
Location: thrissur
Posts: 91
Thanked: 750 Times
Re: How I helped an Employee counter a Sextortion Threat

Here is a screenshot of some idiot scammer trying to trap my friend by emailing him saying he was caught watching child p*rn by the Delhi cyber cell and needed to pay 5000 as fine to avoid jail 😂. When he did not reply, they sent another email with some generic details which anyone can find from a person's LinkedIn account and threatened to inform his company. Then they phoned him through some internet calling website and the "Senior Inspector" of the cybercell, who my friend said sounded like some dumb 20 yr old speaking broken English, said if he didn't pay fine immediately he will escalate the matter to ministers office since it was a serious offence. My friend then morphed into desi eminem for a few seconds and started shouting at the scammer in a mix of Hindi, English, Tamil and Malayalam and the shocked "senior inspector", stunned for a few seconds, dropped the act and started replying in the same manner. After few minutes of ma behen from both sides, my friend cut the call. He hasn't received any calls since.
windrider is offline   (15) Thanks
Old 25th May 2024, 08:44   #8
Senior - BHPian
 
Join Date: Feb 2017
Location: The Lost One!
Posts: 1,265
Thanked: 7,709 Times
Re: How I helped an Employee counter a Sextortion Threat

Quote:
Originally Posted by windrider View Post
Here is a screenshot
Department of Research and Anal!

Well done fraudsters; extremely well done!

That said, this is a banal attempt to trap someone who could or couldn't have been guilty of the act he is being accused of.

However, in the case of ajmat's colleague, he was clearly in the wrong - albeit in a moment of weakness and the perpetrators had some evidence of his indiscretion that they could have used to harm his reputation.

Hence, although they might appear similar at first sight, the cases are quite different.

Here is a list of previous threads that would be helpful in dodging such scams:

1

2

3

4

Last edited by dailydriver : 25th May 2024 at 09:14.
dailydriver is online now   (16) Thanks
Old 25th May 2024, 09:56   #9
BHPian
 
Join Date: Jun 2014
Location: Mumbai
Posts: 580
Thanked: 787 Times
Re: How I helped an Employee counter a Sextortion Threat

Thanks for sharing !

It happened to me over Instagram. I followed a person who a couple of my friends were following. At this time I had a private Insta account. The extent of my interaction was to like some of her photos.

A few weeks later she started messaging me asking for money as she was hospitalised; I did not give her any. Then suddenly one day she sent me a message stating that she has pictures of me in a compromised way and demanded 30k. She also said that if I don't give her the money within 30 mins she will send the pictures to my family. I just ignored her and blocked the account.

Fortunately nothing happened after that. For a couple of days after the incident my heart was in my mouth waiting to see if any of my family is showing any signs of having received any communication/photos from this person. Two weeks later I was calm as a cucumber

Agree with Ajmat that one needs to block & defend and not give in to any threats.

Last edited by rpunwani : 25th May 2024 at 09:58.
rpunwani is offline   (13) Thanks
Old 25th May 2024, 10:56   #10
BHPian
 
Join Date: Jun 2008
Location: GOA
Posts: 860
Thanked: 1,300 Times
Re: How I helped an Employee counter a Sextortion Threat

Rule No 1.
When you get lonely don't get cosy with your computer!

That said I agree with limiting to minimum of social media sites like FB/Insta. Trust me it's much more peaceful without them. The constant urge to check and scroll reels is addictive and wastes time of millions of people.

I have closed down my fb/insta and have better peace of mind.
scorpian is offline   (7) Thanks
Old 25th May 2024, 11:09   #11
Distinguished - BHPian
 
Join Date: May 2010
Location: Bangalore
Posts: 2,152
Thanked: 15,155 Times
Re: How I helped an Employee counter a Sextortion Threat

Quote:
Originally Posted by ajmat View Post
Technically, it involved his personal asset, during his personal time so it need not have been my problem, but as an Infosec professional, I have a duty to protect our employees in whatever capacity.
Thanks for this superb post! I am in awe of both your sense of duty to your employees and your forward-thinking attitude that what an employee does with their personal assets, in their personal time, is their business. Both very, very rare qualities, I would be lucky if I get to work with colleagues/managers like you in the future!

Increased online vigilance and the need for cybersecurity are a fact of life now. I've worked for a cybersecurity firm and the stats are mind-boggling! Even defense establishments and supposedly secure top IT companies are penetrated regularly and with ease. It doesn't require top hacker skills either...people's gullibility and lack of awareness is almost always the weak point into the system. And more often than not, it's the top execs (usually the older, less tech-savvy ones) who are unaware and careless with their considerably more critical laptops, data, and devices!

Banning online activities is not the answer. Just like how we teach children how to cross roads safely, instead of banning them on the streets, and how to be careful of strangers in the physical world, we need to start teaching children about being safe in the online world...where they seem to be spending more time these days anyway!

Last edited by am1m : 25th May 2024 at 11:12.
am1m is offline   (11) Thanks
Old 25th May 2024, 11:49   #12
BHPian
 
Join Date: Oct 2020
Location: Bellevue/Udupi
Posts: 50
Thanked: 177 Times
Re: How I helped an Employee counter a Sextortion Threat

Or no matter what video or image is sent to anyone (relatives colleagues etc), why not play dumb and claim that given the advent of AI, all kinds of fake video and image generation is possible. Claim someone is doing it out of spite and it's generated.
rav1up is offline   (12) Thanks
Old 25th May 2024, 12:27   #13
BHPian
 
Join Date: Jan 2020
Location: Hyderabad
Posts: 244
Thanked: 1,238 Times
Re: How I helped an Employee counter a Sextortion Threat

This reminds me of a documentary on catfishing I watched a couple of years ago. Looks like your colleague fell victim to a similar scam. Glad that you were able to help him.

furyrider is offline  
Old 25th May 2024, 12:44   #14
BHPian
 
Join Date: Nov 2013
Location: Bangalore
Posts: 755
Thanked: 2,349 Times
Re: How I helped an Employee counter a Sextortion Threat

Thanks for Sharing !

These days scams are exploding and all over the place.

My few self imposed rules :

1. Treat office equipment like laptops and phones in a very clean manner. If there is a red line, it pays to stay as far away from that line than dabble with it. Even if one wants to watch explicit content or even legal but somewhat random content , Never use office equipment and spend money to buy your own. Most offices are worried about reputational risk rather than real risk.


2. Share very little information on social media. Limit visibility to immediate family and friends. On personal sites like Facebook, be super careful to accept requests. On professional networking sites, it’s slightly more relaxed where we can accept profiles that appear genuine.

3. In case an incident happens, react slowly and measuredly. Ignoring is the best policy. Immediately block people who send random messages. Recently one well known relative’s profile was created on Facebook and that profile sent me a Facebook message saying to transfer 18 K INR as his bank server was down ( whatever that means ). I knew this relative was super rich, so it was very unlikely he sent me the message. I promptly blocked the message.

4. Just in case things turn serious, completely endorse OP’s approach. Come clean to authorities/ seek help. Once we fall victim to black mail and bite, it keeps escalating to unmanageable proportions. The 2K USD will turn to 10K USD to 50 K USD and there on. I have seen multiple news reports where IT professionals have lost lakhs of rupees. When the amount lost is high it becomes sensational news.

Last edited by charanreddy : 25th May 2024 at 12:49.
charanreddy is online now   (3) Thanks
Old 25th May 2024, 12:48   #15
BHPian
 
Join Date: Nov 2020
Location: HYD/DMM/DXB
Posts: 82
Thanked: 539 Times
Re: How I helped an Employee counter a Sextortion Threat

As a security professional myself, I feel appalled at people feeling so comfortable in sharing their everything on the enter-the-net. An average Joe always thinks everyone is safe until we end up in direct contact with some scammer. They comfort themselves that at that instant, the key is just to realize and understand well before you are scammed which can be avoided as I am so technically strong/technologically savvy etc etc.

Ironically, we fail to understand that with the amount of info that we have already posted on social media including Gmaps and LinkedIn, our cyber footprint is too high to be safe. Not to forget, we also have AI assisted data mining apps.

On a lighter note, my procrastinating inner self tells me not to post any long-term reviews of my cars on Team BHP thereby keeping my cyber footprint low.
2TR-FE is online now   (5) Thanks