What just happened? While many cybercriminals use methods such as phishing and ransomware to extract money from victims, another scheme that’s often used is sextortion. According to a recent report, a new campaign using this blackmail technique was launched against owners of Google Nest home security cameras.
For those who don’t know, sextortion email scams usually involve someone claiming to have obtained explicit video of a person and threatening to share it unless money is paid—one popular version claims a victim’s webcam was hacked and they were caught watching pornography. In reality, the perpetrator almost never has any of the alleged footage, but some people pay up out of fear.
Computer Weekly writes that researchers at cybersecurity company Mimecast uncovered a sextortion campaign that started early in January and targeted almost 1,700 Nest users—most of whom were based in the US.
Unlike similar scams, this one was slightly more complex. Rather than containing a link to, for example, a bitcoin wallet where the victim can pay the money, the initial email only claims to have the footage and doesn’t explain what the blackmailers want.
The message instead supplies a password for logging into an external email account. That account holds an email with a link to a site featuring genuine footage downloaded from Google’s Nest site; however, the footage isn’t taken from the victim’s device.
Victims are then directed to another email inbox, where they are warned the footage will be posted within a week unless the demanded sum is paid. In one example, the criminals demanded around 500 Euros ($556) in bitcoin, “or gift cards redeemable at retailers including Amazon and iTunes, but also US chain stores Best Buy and Target.”
“The campaign is exploiting the fact people know these [IoT] devices can be hacked very easily and preying on fears of that,” Mimecast’s head of data science overwatch, Kiri Addison, told Computer Weekly.
“It is now widely known that many IoT (Internet of Things) devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.”
As is the case with most sextortion campaigns, the scammers don’t have the claimed compromising footage of victims, and such emails should be ignored. And while the security failings of many IoT devices are genuine, there was no breach in this case.