How to defend against, identify, and report cyberextortion
Cybercrime technically predates the internet itself.
The Creeper virus appeared in 1971, three years after the University of Utah became ARPANET’s fourth node and more than two decades before the World Wide Web entered the public domain. Though benign in nature — no data was encrypted or destroyed — Creeper tops CSO magazine’s list of 11 infamous malware attacks because it set the template for cybercrimes that followed.
Cybercrime is any illegal act that involves a computer, networked device, or network. Antivirus software maker Kaspersky has identified more than a dozen kinds of cybercrimes, one of which is cyberextortion — when a criminal demands money to prevent a threatened attack.
“The advice we always give about staying vigilant still applies — don’t open or click links in suspicious emails, don’t open unknown email attachments, and don’t provide usernames and passwords in response to an unsolicited request,” said Jake Johansen, director for Enterprise Security in the Information Security Office (ISO). “The University of Utah and every other reputable organization will never call, email, or text you for confidential or personal information.”
Cyberextortion most commonly takes the form of ransomware — often deployed via phishing — and distributed denial of service (DDoS) attacks, though email/text/voice-based extortion and cyberblackmail, sometimes referred to as “sextortion,” are becoming increasingly prevalent.
Email/text/voice-based extortion
In a typical email-based extortion scenario, a criminal pretends to be someone else (e.g., a business associate or friend). Lulled into a false sense of security, the victim is urged to transfer money or expose private information, such as login details for a banking app.
“A common theme in electronic-based scams is a sense of urgency,” said Jesse Adams, associate director for the ISO’s Security Operations Center. “If you open an email, for example, and you feel like you’re being pressured to do something just reading it, it’s probably time to take a step back and start thinking critically. They want you to panic and not think clearly.”
In 2022, an email-based extortion scam aimed at students at the U and across the nation centered around a personal assistant job offer with a professor. While the professor’s name was real, the position was fake, and the personal information requested potentially led to lost money and identity theft.
Another recurring email and text scam, aka “smishing” (phishing via SMS text message or a messaging app like Messenger or WhatsApp), involves someone impersonating high-level faculty or staff members who ask employees to purchase gift cards on their behalf.
More recently, on the first day of fall classes on August 21, 2023, the U Department of Public Safety sent an email warning about “fraudulent phone calls attempting to gain student and parents’ financial data …” In this “vishing” scam, the threat actor’s contact method is a voice system, such as a phone call, robocall, or voicemail.
Cyberblackmail
Before recent advancements in artificial intelligence (AI), scammers coerced victims into sending explicit images, then demanded payment to keep the images private or delete them from the web. In 2022, law enforcement received 7,000 reports of children and teenagers coerced into sending nude images and then blackmailed for photographs or money.
Today, malicious actors often turn innocuous photos or videos posted on social media and elsewhere online into explicit content. In our age of synthetic media-generated text and images, many of us are aware of convincing examples of AI-generated “deepfakes.” While most news media coverage has focused on how the technology is used by criminals to prey on public figures, security experts and police say cyberextortionists use image-generation tools to manipulate photos of regular people, too. In cases of cyberblackmail, images are used to solicit money from people who fear public embarrassment. This is often called a “sextortion” scam, which is increasingly aimed at young people. A recent analysis by the National Center for Missing & Exploited Children (NCMEC) found that as many as 79% of predators seek money rather than additional sexual imagery.
How do scammers get your information?
Dustin Udy, associate director for the ISO’s Security Assurance team, said cybercriminals use various means to collect email addresses and partial passwords, which contribute to the believability of the scam.
“Scammers get personal information from all kinds of sources — spam, websites you’ve given your information to – and we’ve seen far too many people use their university email addresses on questionable websites that later get compromised,” Udy said. “Sometimes you’re the target. Sometimes you’re just a random victim.”
As noted in the IT Security Tip in July’s Node 4 newsletter, Udy urges everyone to occasionally check credible websites like Have I Been Pwned to find out if your email address has been exposed and potentially breached. Knowing what personal information is out there, Udy said, can help you better protect yourself. The ISO also encourages the use of strong, unique passwords for every device and online account, and a password manager to store them securely.
For additional tips on what to do after a data breach, please access this Stay Safe Online article.
What can be done?
Johansen said that because most common cyberextortion schemes are delivered via deceptive emails or texts, cybersecurity training is a good first line of defense, as is general awareness of social engineering, phishing, smishing (phishing via text message), and vishing (phishing via phone calls). For a cybersecurity refresher, try this short Canvas course (login required).
More than anything, Johansen recommends taking a pause if you receive a call, email, or text that doesn’t feel quite right.
“Breathe. Just take a breath,” he said. “Step away from your keyboard, take a minute to think through, is this real? Is this too good to be true? Take that space between stimulus and response to take an intentional, thought-out action, because a fight or flight response suppresses critical thought.”
Tom Whitaker, Tier 2 technical support analyst, urges U community members to report the incident to their respective help desks — UIT Help Desk (801-581-4000) or ITS Service Desk (801-587-6000) — if they believe any of the following have been compromised:
- A computer or device owned by or borrowed from the university, including individual departments or organizations
- An account accessed with university credentials and/or one that provides access to university data
- Any IT system, external or not, that is accessed using university credentials
After contacting the appropriate help desk, U community members who fall victim to a cyberextortion scam are urged to file a police report by calling the University of Utah Police at 801-585-2677. A call log will be created that shows the date, time, and nature of your complaint. After speaking with an officer, you will receive instructions on next steps.
Suspected child sexual exploitation, including sextortion and online enticement, may also be reported using:
- NCMEC’s CyberTipline
- The Federal Bureau of Investigation (FBI) internet crime complaint center
- Salt Lake City FBI field office electronic tip form
Please access this IT Knowledge Base article for more information about cyberextortion.