October 7, 2024 issue
A new wave of widespread scam emails has been observed using target's personal information and photographs of their homes to pressure them into complying with demands. The threat actors behind the scam claim to be in possession of footage implicating the recipient in a private moment while visiting adult sites, threatening to release the footage unless the recipient makes a payment. This scam has been mass distributed to many email addresses, including those belonging to Albertans.
Scams like this one are known as sextortion and have been circulating for years. Previous versions of this scam have been much more generic, often containing no personal information and relying solely on fear. The addition of personal information and images of the recipient's home signifies a more calculated attempt to blackmail targets.
The threat actor responsible for distributing these scam emails has likely gathered the target’s personal information from previous data breaches circulating on cybercriminal forums. Additionally, they obtain images of the target’s home using online mapping tools, such as Google Maps, and leverage the remaining information available, such as a name or a phone number, to implicitly threaten a visit in person should they not comply.
While the addition of images of the target’s homes is the latest tactic to be adopted in sextortion emails, many of the tactics commonly seen in previous versions are still present. The threat actors behind sextortion emails will still:
| Attempt to convey they have total control of their target. | “You do not know anything about me however I know EVERYTHING about you and you must be wondering how, right?” |
|---|---|
| Use of technical jargon to confuse the target and give the impression that they are an advanced threat actor. | “I actually placed a Spyware called “Pegasus” on a app you frequently use… While you were busy watching videos, your device initiated operating as a RDP (Remote Control) which provided me complete access to your system.” |
| Present themselves as a generous way out of the situation. | “Honestly, I am ready to wipe the slate clean, and let you get on with your regular life.” |
The scams will also attempt to increase pressure on their targets by giving them a deadline of one day before they release the footage. Luckily for the targets, the footage does not exist, and the threat actors cannot harm the recipients.
Any sextortion emails of this kind must not be complied with, and should instead be reported to any security contacts within your organizations and the Canadian Anti-Fraud Centre. The CyberAlberta website also contains further information on active phishing campaigns which pose a threat to Albertans.
Read more: Sextortion Scam Email Uses Pictures of Your Home - Trend Micro
On August 13, 2024, AutoCanada, a multi-brand car dealership based in Edmonton, publicly reported a cyber-incident affecting its internal systems, the full impact of which was uncertain. This incident comes on the heels of the supply chain attack in June that targeted CDK Global, a software provider for auto dealers, leading to financial losses for AutoCanada. On September 17, the ransomware group Hunters International claimed responsibility for the recent breach, listing AutoCanada on their Data Leak Site (DLS). The breach includes a staggering 3 terabytes of records, including but not limited to:
Hunters International was suspected to be a rebranding of the notorious Hive ransomware group that was dismantled in January 2023 through a coordinated effort by the FBI and other law enforcement agencies. This speculation is based on similarities in the code used in the payloads of both groups. However, Hunters International issued a statement asserting that they are a new entity that has acquired the original source code. Unlike many ransomware groups that focus on encryption, Hunters International is unique in its emphasis on data exfiltration.
Ransomware groups are akin to the mythical hydra: cut off one head and two more take its place. The resilience of the ransomware ecosystem cannot be overstated, and neither can their impact. The Canadian Center for Cybersecurity has assessed that ransomware actors pose the most impactful cyber threat to Canadians and Canadian organizations. This threat is not going away anytime soon, making it crucial that organizations of all sizes be aware of the ransomware groups operating within their shared threat space. It is advised that organizations also take adequate preventative measures such as:
Further guidance on what organizations can do to minimize this threat and their impact can be found across various sources, including CyberAlberta:
Read more: AutoCanada says ransomware attack "may" impact employee data - BleepingComputer
Last month, Israel allegedly executed a highly sophisticated operation targeting Hezbollah. This covert mission involved hiding explosives within the batteries of various communication devices, such as pagers and walkie-talkies, which were then smuggled into Lebanon.
On September 17th, 2024, a series of controlled explosions rocked multiple locations as these devices were remotely detonated via electronic messages. Lebanese security officials described the technology used as "virtually undetectable." Tragically, the blasts resulted in at least 37 fatalities and nearly 3,000 injuries, including civilians.
Initial reports about the attack led to widespread misinformation, with some speculating that new technology allowed for the remote detonation of lithium batteries without explosives. However, investigations later revealed that the pagers appeared to be manufactured by Gold Apollo, a Taiwanese company, and subsequently tampered with by Israeli intelligence using shell companies to conceal their identities. This operation showcases a modern twist on an old wartime tactic: weaponizing communication tools.
The implications of this attack are profound for both cybersecurity and supply chains. Using everyday communication devices as weapons introduces a new threat vector, complicating the efforts of security professionals to predict and counteract such risks. The sophistication of the attack is reminiscent of Advanced Persistent Threats, where intruders infiltrate networks and remain undetected for extended periods.
Moreover, the attack exposes significant vulnerabilities in the supply chain, particularly in the production and distribution of communication devices. Compromised devices can be inserted at any stage of the manufacturing and shipping process, underscoring the need for stringent security measures throughout the supply chain. The resulting disruptions, including casualties and infrastructure damage, have led to delays and increased costs as companies scramble to recover and enhance their security protocols. The involvement of legitimate companies in the distribution of compromised devices also threatens trust and reputation, highlighting the necessity for transparency and robust security in supply chains to maintain customer confidence.
The investigation into this attack spans multiple countries, emphasizing the critical role of international cooperation in addressing such incidents. This includes not only cyber and supply chain attacks but also the broader need for collaborative efforts to trace and mitigate threats across borders.
Read more: Israel concealed explosives inside batteries of pagers sold to Hezbollah, Lebanese officials say - CBCNEWS