Brian Krebs has a fantastic blog post on how sextortion scams have upped their game. Sextortion is a type of attack where bad guys either blackmail you into sharing naked pictures of yourself with them, or they use the threat of naked pictures of you to get what they want (more naked pictures, money, etc.). What makes this new version of sextortion attacks different is that the bad guys have added a bit of personalization, which makes it more effective. It's kind of like CEO Fraud (bad guys do a bit of research on their intended victim), but in this case, instead of being work related, the bad guys find or purchase a list of old passwords that have been compromised. They then send their victims an email claiming they hacked the victim's computer and captured them surfing porn. They use the old password as 'proof' of their claim. More details are on Brian Krebs's blog.

Personal incidents and attacks like these are a great opportunity to teach your workforce about social engineering attacks and to reinforce the need for good password/passphrase use. Below is an example email you can send to your workforce. For SANS Security Awareness customers, you already have a selection of training options for the topics of Social Engineering and Passwords. If you don't have a quick resource handy for either, check out

Example Email:

Folks, we have recently seen reports of a new social engineering attack targeting people at home and at work. The goal of the attack is to trick or fool you into paying money. The attack works by cyber attackers purchasing a list of old, hacked passwords from other cyber criminals. Perhaps one of your old passwords was compromised on an online account many years ago. The bad guys then email their victims claiming their computer has been hacked and use the old password as 'proof' that the computer has indeed been hacked (in reality, it is not hacked). They then extort their victim, claiming they have monitored the victim and found them visiting adult websites. The attacker then claims they will release videos of the victim visiting adult websites to their friends and family unless the victim pays the cyber attacker money. The bad guys are trying to scare you into paying money. Learn more about this attack here. Two key lessons for protecting yourself:

  • Bad guys are always coming up with new ways to scare you into doing something you should not do. Any time someone is creating a tremendous sense of urgency, be very suspicious.
  • Good passwords are key to protecting yourself. Always use a long, unique passphrase for every account. Can't remember all your passphrases? Consider using a password manager.

We are here to help you. As always, if you have any security-related questions, please reach out to us at XXXXX.