Watch Out For This New Salacious Phishing Scam


There’s a new phishing scam on the block that has proven quite effective at getting users to click a link supplied by a hacker, and it does so by leveraging sex.


It’s known as a ‘sextortion’ hack: the hackers try to get you to open a malicious email attachment with one simple trick, “purporting to offer nude photos of a friend’s girlfriend,” writes the BBC.


“Instead of threatening to distribute stolen private images, this new attempt claims to have already ‘sextorted’ the recipient’s friend who refused to pay… it tells them it is now emailing nude photos to every contact of the supposed victim - and to check the attachment.”

Security researchers have told the BBC’s technology bureau that the “new take on sextortion is quite remarkable.”


If a user does opt to open the attachment, a Word document opens showing a blurred image, followed by instructions on how to ‘enable’ the content. Once content is enabled, a malicious package of software - malware - is downloaded onto that computer, and it has the potential to spread across a whole organisation’s network if the machine is connected to one.


The scam in question is particularly good at bypassing a device’s security and anti-virus protection because the individual selects ‘enable’ themselves, in the hope of seeing the pixelated image in more detail. “If a user does click the ‘enable content’ button, a piece of malware known as Racoon is downloaded and attempts to steal large amounts of data from dozens of apps, including web browsers and email clients,” writes the BBC.
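The ‘enable content’ button in the story is what lets a document’s VBA macros run, so the attachment can be flagged before anyone sees it. The following is an added defensive example, not code from the BBC report or from the researchers it quotes: it inspects Office attachments for macro content (the vbaProject.bin part and the macro-enabled content type in OOXML files, a heuristic stream-name scan for legacy OLE2 .doc files) and quarantines the hits. The sample documents are constructed in memory, and all filenames are invented.

```python
import io
import zipfile

# Legacy OLE2 container magic (binary .doc); its VBA storage names are stored as UTF-16LE.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]
# OOXML main-part content types: the first is what Word assigns to macro-enabled (.docm) files.
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def macro_evidence(data: bytes) -> list:
    """Return the reasons an Office attachment looks macro-enabled (empty list if clean)."""
    if data.startswith(OLE_MAGIC):  # legacy .doc: heuristic scan for VBA storage names
        return ["OLE2 VBA storage name found"] if any(m in data for m in OLE_VBA_MARKERS) else []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace") if "[Content_Types].xml" in names else ""
    except zipfile.BadZipFile:
        return []  # not an Office container; out of scope for this check
    reasons = []
    if any(n.endswith("vbaProject.bin") for n in names):
        reasons.append("vbaProject.bin part present")
    if MACRO_MAIN_TYPE in types:
        reasons.append("macro-enabled main document content type")
    return reasons


def triage(attachments):
    """Quarantine macro-bearing Office attachments from a list of (filename, bytes) pairs."""
    quarantined = {}
    for name, data in attachments:
        reasons = macro_evidence(data)
        if reasons and name.lower().endswith(".docx"):
            reasons.append("extension .docx does not match macro content")
        if reasons:
            quarantined[name] = reasons
    return quarantined


def build_sample_doc(macro_enabled: bool) -> bytes:
    """Construct a minimal OOXML document in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main = MACRO_MAIN_TYPE if macro_enabled else DOCX_MAIN_TYPE
        zf.writestr("[Content_Types].xml", f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for the VBA project part
    return buf.getvalue()
```

The OLE2 branch is a string-match heuristic and can be fooled; a mail gateway would pair this with a full OLE parser and a policy that strips macros from inbound documents outright.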


Professor Alan Woodward from the University of Surrey called the move “a classic”, adding that “the interesting thing about scammers is that they use the same psychology simply repackaged for most scams.”


Woodward said: “I’m afraid scammers and hackers are always adapting.”


“Sadly it works. And, when we educate people about this ruse, the scammers and hackers will adapt again. I regularly receive emails, for example, with old passwords that have been breached in some data breach… and [they] then go on to say, ‘We have compromising material’ or sometimes, appealing to a different frailty, they say they have material on a friend,” Woodward said.


The BBC’s report also quotes IBM’s X-Force Threat Intelligence team, which said that “if people do not identify as the victim, they may act much more carelessly, especially those curious to find out who was actually targeted.” The group said that this attack was similar to a scam that asked a user to enable permissions to sign a digital document, which in turn launched the malware package.


IBM’s Threat Intelligence team also said that the most recent scam mirrors an attack that tells the recipient legal action is being taken against them and that they must reply within a short time frame.


Exploiting sex is a common ploy for hackers, who most successfully prey on vulnerable victims by claiming they have taken control of someone’s webcam and have a collection of compromising photos and videos stashed away. From there, they demand payment while threatening to upload the material to the internet; frightened or embarrassed individuals often let their emotions trump their logic and pay for the reassurance that their sensitive moments won’t be immortalised online.

© 2019 by Best Practice
