Threatpost reports that X-rated phishing campaigns have increased by 974 percent. These explicit emails are a form of social engineering BEC attack designed to shock users into clicking a link. The emails are typically sent to male-sounding names within a company.
How Does it Work?
Threat researchers at GreatHorn first discovered the spike in lurid emails being sent to U.S. businessmen. They call the tactic "dynamite phishing." Because these emails come into the workplace, the user panics and often makes the reckless decision to click to make sure their information is not out there, or they could be connected to the sender, and the content traced back to them.
In a report published by GreatHorn, they said,
"It doesn't always involve explicit material, but the goal is to put the user off balance, frightened – any excited, emotional state – to decrease the brain's ability to make rational decisions."
What is the Intention of These Emails?
As with most phishing campaigns, the hacker's goal is to infect the user's computer with malware designed to either steal credentials, gain access to the network, steal other information, or blackmail the victim into paying a ransom.
If the user clicks the link and signs up on the bogus dating website providing payment data, the fraudsters will use that to steal funds. These cybercriminals use a sophisticated technique called email pass-through to track victims who click. In some cases, the goal is to spy on the user and follow up with a later attack.
GreatHorn explains: "The same technology enables legitimate email senders to auto-populate an unsubscribe field with a user email address," the report said. "Once a user clicks on a link in the email, their email address is automatically passed to the linked site. In these attacks, the cybercriminal leverages the information they gleaned in order to set up a second stage."
Their report shared a sample email that lures in victims by promising an actual in-person date with a stranger. The email uses the phrase "your place or mine" and a link to images of the lady in question.
GreatHorn warns that
"User data gleaned in this way will be transmitted to cybercriminals, who will use it for various malicious purposes, such as money withdrawal, blackmailing or committing further frauds.”
Historically, these attacks occurred at home, where individuals might be less exposed. However, it is now becoming commonplace at work, and due to the embarrassment of being caught, users are less careful.
Phishing Attacks and Ransomware Rule
Threat researchers and government intelligence agencies have been warning companies about the extreme dangers of ransomware. These attacks often originate through phishing attacks. The most critical warning to heed is never click a link in an email that arrives unsolicited. Some other tips include:
- Always verify the sender of the email before taking any action.
- Pause and do not react to any scare tactics.
- Never, ever share personal information, passwords, or account credentials with anyone.
- Use long, strong passwords always.
- Install good antivirus/anti-malware software on all your devices.
- Audit your network for any vulnerabilities.
- Train employees on social engineering and phishing tactics best practices.
- Never click links or download attachments in email.
- Report all incidents of fraud, ransomware, and extortion to the FTC and local law enforcement.
Threatpost interviewed Hank Schless of Lookout, who said, "They need to understand the scope of the attackable surface," he explained. "An organization cannot protect assets and connections to their environment if they are not aware of the amount of exposure they are facing. Unfortunately, the attackers who are well organized and funded have the time and resources to identify the weaknesses."