Researchers at the email security firm Mimecast have identified a new and somewhat unconventional sextortion campaign. Unlike typical sextortion scams, it targets owners of Google Nest home security cameras and exploits the common perception that IoT devices are generally insecure.
Mimecast detected the campaign in the first half of January 2020 and revealed that the majority of its victims are based in the USA. The scammers claim that footage captured by the victim's Nest camera will be used for blackmail, and after demanding a ransom they force the victim to visit a series of email accounts and URLs to obtain further instructions.
Mimecast's head of data science overwatch, Kiri Addison, states that this time the scammers are using a fairly complex method to hide the origin of the scam emails and conceal their identities. The researchers say that around 1,700 such emails, mostly to recipients in the US, have been sent by the scammers so far.
In this campaign, the attackers claim to have obtained compromising footage of the victim and threaten to release it online if the ransom is not paid. What distinguishes it from conventional sextortion campaigns is that the victim has to work through a series of emails before learning how to pay the ransom.
The victim is given a password to access an external web email account. Once there, they receive another email containing a link to a website hosting genuine video footage; contrary to the scammer's claim, however, this is not footage taken from the victim's device. The victim is then directed to yet another email inbox, where the scammers claim they will upload the footage within a week unless the ransom is paid.
Computer Weekly reports that in one of the samples it examined, the attacker demanded €500 ($550 / £429) in Bitcoin, or alternatively redeemable gift cards from well-known retailers such as Amazon, Best Buy, Target, and iTunes.
Addison added that because IoT devices are widely perceived as insecure and vulnerable to hacking, victims are quite likely to believe the attackers' claims.
“Ensuring that users are aware of sextortion as a phishing technique is a key part of the defense against these campaigns,” added Addison.
She further stated that the campaign is unlikely to be targeted; the scammers most likely obtained a large database of email addresses and are using it to try their luck. No IoT devices were hijacked or compromised in this campaign.
The blackmailers may have access to some video footage, but it is not a genuine recording of the victim, just random video downloaded from the internet. Such emails should therefore be ignored. Addison nevertheless feels that the security of IoT devices remains a debatable issue:
“The vulnerabilities are real. It is quite possible to hack a lot of these devices, but I think at the same time education around these extortion campaigns is important so that people know not to fall for them,” Addison said.
Responding to the report, a Google Nest spokesperson stated that this is indeed an unfortunate incident in which scammers are making people feel unsafe in their own homes. The company already offers multiple protection features, including two-factor authentication (2FA) and the option of migrating to a Google Account.
“Privacy and security are the foundation of our mission. Incidents like this campaign typically occur when a bad actor tries their luck with email addresses from databases of stolen information. Nest users who are contacted by these actors should not respond and we encourage them to contact Nest support if needed,” the spokesperson stated.