How sextortion scam emails sneak past security filters

Scammers use text-based images, QR codes, and other tricks to evade spam filters, says email security provider Vade Secure.


Sextortion scams are a favorite tactic of many cybercriminals. In this particular type of attack, the scammer claims to possess photos or video recordings of the recipient watching pornography and potentially engaging in certain sex acts. Unless the unsuspecting victim pays the requested bitcoin ransom, the attacker vows to share this recording with people in the person's contact list. Normally, such emails would contain enough trigger words to be blocked by spam filters. But scammers are finding unique ways to get through security, as detailed in a blog post published Thursday by Vade Secure.


For 2019, the FBI logged 43,101 reports of digital extortion in the US alone, leading to losses of more than $100 million. How many of those were sextortion scams is not recorded, but this particular type of scam has advanced from low-tech campaigns to more sophisticated and targeted attacks, according to Vade Secure.

In the past, most of these sextortion emails were sent in high numbers with links to Bitcoin sites, specific URLs, and other details that raised a red flag with security filters. But since these emails were frequently blocked by the filters, scammers were forced to devise more creative ways to reach user inboxes.

Using text-based images

In this type of email, cybercriminals use images filled with text rather than plain text. Since these email filters scan only plain text, scammers can still use their usual keywords by placing them inside the images. They can also send the same message hundreds of times. If the message starts to get caught by security filters, the scammers simply distort the image slightly so that it no longer matches.

The reliance on text-based images points out the need for image detection on the part of security filters and scanners. Machine Learning algorithms can analyze text, but Deep Learning algorithms with computer vision can scan images as well.

Hiding URLs and QR codes in attachments

The bitcoin URLs used by scammers to grab the ransom can easily be detected by security filters. That's why many sextortion emails have switched to using QR codes, which many filters can't detect. In this case, the URLs and QR codes are hidden in PDF file attachments that are seemingly harmless. These types of scams also use attachments to deploy malware that can take control of a computer, including a webcam, potentially capturing any activity that can be used to blackmail the recipient.

[Image: Ashley Madison sextortion email. Image: Vade Secure]

Capitalizing on current events

Beyond finding ways to evade email filters, scammers will reference current events for sextortion campaigns and regular phishing attacks. In many cases, the attacker reveals a password used by the recipient for an online account. Typically, these leaked passwords come from old website data breaches. In one example found by Vade Secure, the scammer teases the victim's password and vows to infect the person's entire family with the coronavirus unless the ransom is paid. To get past any email filters, the attack uses Cyrillic characters throughout the message.
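As an added defensive illustration (not from the article or from Vade Secure), the check below folds common Cyrillic look-alike letters back to Latin before keyword matching and flags messages whose keywords only appear after folding or that mix scripts; the confusables table, keyword list and sample messages are constructed for this example.

```python
"""Spot keyword-filter evasion that swaps Latin letters for Cyrillic look-alikes.

Added example, not code from the article or from Vade Secure. The confusables
table and keyword list below are small constructed subsets for illustration.
"""
import unicodedata

# Cyrillic letters that render almost identically to Latin ones (constructed subset).
CYRILLIC_TO_LATIN = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K",
    "\u041c": "M", "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C",
    "\u0422": "T", "\u0425": "X",
})

# Words a plain-text filter would normally key on (constructed list).
KEYWORDS = ("bitcoin", "webcam", "password", "ransom")


def script_mix(text: str) -> dict:
    """Count letters by script so a Latin body with Cyrillic letters stands out."""
    counts = {"latin": 0, "cyrillic": 0}
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name.startswith("CYRILLIC"):
            counts["cyrillic"] += 1
        elif name.startswith("LATIN"):
            counts["latin"] += 1
    return counts


def normalize_homoglyphs(text: str) -> str:
    """Replace mapped Cyrillic look-alikes with their Latin counterparts."""
    return text.translate(CYRILLIC_TO_LATIN)


def analyze(text: str) -> dict:
    """Compare keyword hits before and after folding; flag evasion patterns."""
    raw_hits = [k for k in KEYWORDS if k in text.lower()]
    folded = normalize_homoglyphs(text).lower()
    folded_hits = [k for k in KEYWORDS if k in folded]
    mix = script_mix(text)
    mixed = mix["latin"] > 0 and mix["cyrillic"] > 0
    # Keywords that surface only after folding, or a mixed-script body, are the tell.
    suspicious = bool(folded_hits) and (mixed or len(folded_hits) > len(raw_hits))
    return {"raw_hits": raw_hits, "folded_hits": folded_hits,
            "mixed_script": mixed, "suspicious": suspicious}
```

A genuinely Cyrillic message (no Latin letters, no folded keyword hits) is not flagged, so the check targets substitution inside Latin text rather than the script itself.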

[Image: Coronavirus sextortion email. Image: Vade Secure]

Hacking IoT products

In a sextortion campaign analyzed by Vade Secure in 2018, scammers sent sextortion emails via hacked Internet of Things (IoT) products. By working at the command line accessible in the Linux operating system used by these products, the attackers were able to deploy emails without using a web-based client.

"Hackers are well educated on the systems they're trying to breach," Vade Secure said in its blog post. "More than ever, they adapt their campaigns to bypass the email filters trying to stop them. Both sextortion and phishing campaigns tend to be sent in waves; when one fails, another emerges. Each time a threat is blocked, hackers develop new methods of bypassing the filters that blocked them."

Since traditional email filters can't detect these types of threats, Machine Learning and Deep Learning technology must play more of a role.

"To keep up with the latest threats, technology must also adapt," Vade Secure said. "The emergence of artificial intelligence in email security has opened new possibilities in threat detection. With a combination of Machine Learning and Deep Learning algorithms, AI-based email security can detect the signature-bypassing methods hackers use to deliver sextortion emails."
