Many people flirt online. Some even go further and use their webcams for cybersex. It can be exciting meeting an attractive stranger. Unfortunately, on the internet, sometimes these strangers have ulterior motives. They can be cybercriminals who want to extort you through sextortion. Sextortion attacks are different from other cybercriminal attacks. With sextortion attacks, a person’s self-respect can be destroyed in seconds.

As you have already learned, cybercriminals can operate from anywhere. The internet has made it so anyone can be sexually victimised online, from any country.

What is surprising is how these cases impact employees in the workplace. People will go to great lengths not to have their sexually explicit photos or videos distributed at their company. Cybercriminals know this and use it to their advantage, as you will learn in this chapter.

You will learn how to recognise sextortion attacks and defend against them.

ANATOMY OF SEXTORTION

Sextortion falls under the umbrella of cyber extortion. Still, it differs in that cybercriminals threaten to release private images, videos or messages if payment isn’t received. The price is usually financial compensation or to get further personal pics or videos from the victim. Think of sextortion as an abuse of power from a cybercriminal who is in possession of private images, videos or messages of a sexual nature. The victim is then exploited by the threat that the content will be put on the internet or sent to their family, friends or co-workers. Cybercriminals know that victims are often willing to go to great lengths to keep damaging information quiet. They understand that victims are often embarrassed or ashamed. This can be used to extort the victim further.

It’s worth noting that not all online sextortion attempts are made by cybercriminals. As in Jeff Bezos’s case, sometimes it could be another organisation or group who wants to extort the victim to do something, not necessarily for financial reasons. In other cases, an individual will post intimate photos or videos of their former partner online without their consent. This is called revenge porn. Usually, the goal of revenge porn is to blackmail or cause the former partner harm or distress.

LESSONS FROM HISTORY

Using sex to extort people is nothing new. There are many cases throughout history where sex has been used as leverage to get victims to do what the extortionist wanted. Consider the case of Marie Antoinette in the late 18th century.

In the late 1780s, France was beginning a period of deep unrest. It found itself deeply in debt due to the Seven Years’ War and the American Revolution. As a result, the government implemented wildly unpopular regressive taxation schemes. Years of bad harvests worsened by deregulation of the grain industry and environmental problems also inflamed widespread resentment of the privileges enjoyed by the aristocracy and the Catholic clergy of the established church. The public mood was sour.

During this time, Louis XVI, the King of France, began experiencing significant unrest with the various liberal assembly political groups. They were pushing for reforms in the government, something the king was firmly opposed to doing. As the liberal assembly groups began to protest further, the king started to arrest and persecute them. France didn’t have the same level of freedom for its citizens as England, and many of them escaped and flocked to London in fear.

The French exiles in London knew the king was in a precarious situation. Since the exiles had intimate knowledge about the king, they knew his weak points. The exiles also knew the king was sensitive about the reputation of his wife, Marie Antoinette. In recent years, her popularity had declined through a series of controversial political decisions and rumours that she was living an over-the-top, lavish lifestyle. When so many of the general public were suffering and starving, these rumours inflamed them further. The exiles used this to their advantage and plotted their revenge.

They designed and printed a pamphlet of pornographic images and stories about Marie Antoinette. The images were illustrated for maximum shock value. They included Marie having sex with the king’s brother (Count d’Artois) while the king looked on, Marie participating in an orgy, a lesbian love affair and Marie having sex with animals.

They then sent a sample of the pamphlet to the king with a message that the pamphlets would be published en masse and distributed across France unless the king agreed to pay them a ransom. He agreed to their terms; the reputational risk was too great for him.

In the end, it didn’t matter much. A clerk entrusted with the sample pamphlets didn’t destroy them but instead filed them away in the palace’s storage. They were found when the palace was stormed during the French revolutionary war. The pamphlets were so provocative that they were printed en masse anyway and distributed to enrage the public.

Here lies the risk with paying any extortionist – regardless of whether a payment is made or not, there is still a reasonable chance the information will become public anyway. This story illustrates an essential point of extortion: the outcome is often not what you expect or want.

In the king’s case, judging by the public’s reaction, he was right to fear the pamphlets getting out, even though the stories were not true. They contributed to the public’s perception of excess by the king and queen, which eventually led to both of them being beheaded.

SEXTORTION ATTACK METHODS

Sextortion attacks differ from other cyber extortion attacks. Most sextortion attacks either use social engineering to coerce the victim into doing something, or it’s a complete bluff – or both. This section will help you recognise a sextortion attack when you see one.

Threatening email attacks

In these attacks, a victim receives an email saying the sender has incriminating videos or pictures of them. The email likely goes on to say that malware was installed on their computer when they visited a porn site. This then, in turn, triggered the recording of everything they did after that and everything they did while watching the porn site. Considering that around 50 per cent of men and 16 per cent of women watch online porn, at least occasionally (BBC, 2021) in the UK, this email would give many pause for thought. The email often contains elements of truth – enough so that at first appearance, it could be true, such as an authentic password the victim has used in the past, included to try to prove the cybercriminals have access to their computer.

Often, the threat is that cybercriminals will create the greatest hits of the victim’s pics or videos and send them to all the victim’s contacts. Of course, the only thing that will stop this is for Bitcoin, usually of around $1,500–$4,000, to be sent.

This sextortion method is often referred to as the ‘porn scam email’. There are no screenshots or videos. If they did have any of that, the cybercriminals would have included them in the email. This is the least threatening of all the attacks. Still, though, getting an email like this is disturbing.

In January 2021, the cybersecurity company Malwarebytes studied a new version of the sextortion email. Instead of mass targeting, they discovered that cybercriminals were targeting only .org email addresses and senior leadership. This shows that cybercriminals are starting to target their sextortion email attacks; they are going after bigger fish that can pay more and would most likely be more concerned with their reputation.

Another difference is that the cybercriminals had spoofed the victim’s email address, making it appear the email was sent from their email account. This attempts to trick the victim into believing the cybercriminals have taken over their device (Malwarebytes, 2021).

Here is an actual email from December 2020.

Another worrying case was the Ashley Madison data breach in 2015. Ashley Madison is an online dating service for married individuals, or those in a relationship. Very sensitive personal information is on the site. Millions of records were stolen (60 GB worth) in the well-publicised data breach at the company.

In 2020, Ashley Madison data breach victims began receiving sextortion emails personally tailored to them. The email included information like when the victim signed up to Ashley Madison, their username and personal information they would have entered on the website (Fazzini, 2020). Many users signed up to Ashley Madison using their corporate or government email address rather than a personal email. They are at particular risk of paying the ransom due to the reputational damage this information would cause them.

Webcam attacks

In this attack, cybercriminals use the victim’s webcam to record them in a sexual act. Here is how it works. Cybercriminals use photos of attractive men and women on dating websites, social media platforms, video (Skype, Zoom) or messaging (WhatsApp) apps.

Cybercriminals then send the victim a message – a dialogue starts, which quickly escalates to having a video call that is sexual in nature. Cybercriminals will coerce the victim into performing a sex act or revealing something sexual. Usually, the cybercriminal will do this first to encourage the victim. It may be an actual sexual act or cleverly used pre-recorded videos of an attractive person the victim thinks they have connected with that fools the victim into thinking they are talking to that person. Unknown to the victim, their entire encounter is recorded.

Afterwards, the victim is threatened that the sexually explicit videos or photos will be sent to their family and friends unless the cybercriminal’s extortion demand is met. They may go through the friend list on their victim’s social media profile and take screenshots of their friend’s profiles to show who they can send the compromising pictures and videos to, provoking an emotional response. The threat this time isn’t hollow; it’s real. The cybercriminal has leverage on the victim.

Large internet companies have their fair share of security issues. Many people become victims via their platforms. Nevertheless, they tend to have extensive security teams and procedures in place to catch some attacks.

However, the giant internet companies look like security rockstars compared to smaller social media companies. Smaller social media companies don’t have the same security budgets or have limited security controls and are not under the same media scrutiny as the larger internet companies. One glaring example of this is video chat platforms. On some platforms, people can video or voice chat with strangers.

Omegle is one of the leaders for video chat sites. It lets you chat and talk via video to strangers. Omegle has grown from 34 million visits a month in January 2020 to 65 million in January 2021. A total of 3.7 million unique visits occurred in the UK in December 2020 alone (Tidy, 2021).

On Omegle, when users (many of whom are under 18) connect, strangers sometimes engage in sexual acts. In some chat sessions, victims are coerced into some type of sexual activity, and unknown to them, they are recorded. This material is then used to extort the victim or is distributed online.

The BBC did an investigation into Omegle in February 2021. They found, over 10 hours, they were paired with dozens of under-18s, with some users appearing to be as young as eight. There is no age verification on Omegle. They also found many adults doing something sexually (Tidy, 2021).

LinkedIn attacks

LinkedIn is a treasure trove of information for cybercriminals. Through LinkedIn, they can determine a victim’s job, likely salary, location and past employers. Cybercriminals seek out high-worth individuals like company executives, doctors or lawyers. They can then narrow their focus to targets they believe can pay them more or be more susceptible to reputation threats for sextortion attacks.

Any public details on your LinkedIn profile can be used to gather further information. For example, if the email you use is the same as your Facebook account, cybercriminals can use this to find out your Facebook profile and do further reconnaissance. Another thing they will do is query past breach information. If shown publicly on LinkedIn, your phone number and email can be searched, and any data breach information associated with them can be used to add credibility to the attack. This could be old passwords or personal information similar to what was included in the Ashley Madison hack. If cybercriminals have compromising sexual content on you and access to your LinkedIn contacts, they can ruin your reputation (Cuthbertson, 2019).

Mobile malware attacks

In this type of attack, victims are tricked into downloading malware onto their phones, usually by thinking they are downloading a legitimate app. Android and iOS have security controls that allow them to catch most apps with malware attached to them; however, cybercriminals get around this by convincing victims to install the app via sideloading.

They will give excuses to trick you into sideloading their malicious app by saying things like their app is the only way to resolve an existing audio or video issue. If you sideload the app on your phone, the security controls of iOS and Android will be of no use.

Once the malware is installed, phone numbers, contact information, SMS messages, photos and even location information are stolen from the phone. With this information in hand, cybercriminals can begin their sextortion scheme.

An example of this attack was the Goontact spyware targeting Android and iOS users in Asian countries in December 2020. The spyware targeted users of websites offering escort services. Goontact disguised itself as a secure messaging app; it is not available on Google Play or Apple App Store. It is an unauthorised app and can only be downloaded via sideloading.

When victims went to these sites, they were told they needed to download a secure messaging app to communicate with women. Victims are told it is the only way to fix audio or video problems when trying to talk to women. Once downloaded, Goontact can exfiltrate a wide range of data such as contacts, photos and location information. This information is then used to extort the victim (Kumar and Albrecht, 2020).

The risks to everyone, especially business executives or any high-ranking officials, should be apparent. Once cybercriminals have all the information on their phone, they can send compromising information like embarrassing photos or videos to everyone on the executive’s/official’s contact list.

Gaming console attacks

Children are targeted on gaming consoles. Today, gaming systems are connected, and competition is often intense. Children can be offered game credits or codes to further advance in the game in exchange for an explicit image. Once the image is sent, the sextortion attack begins. Threats are made against the child to go further and create worse pictures or videos with the blackmail that their family and friends will be sent the material if they don’t. Threats, gifts, money, flattery, lies and other methods are used to coerce the child into producing explicit images and videos.

Sextortion against children

Adults are not the only ones at risk of sextortion attacks. Children are also targeted. In a study published by the University of Wisconsin-Eau Claire, a national survey found that five per cent of teenagers in the US admitted to being a victim of sextortion (Patchin and Hinduja, 2018). This indicates a serious problem.

Cybercriminals hide their identity and pretend to be of a similar age to their victims. Any online platform children communicate on, like social media or gaming sites, are fair game. The cybercriminals’ persuasion techniques work well against unsuspecting children who believe they are communicating with someone their own age.

Here are some of the techniques used against children in sextortion attacks:

• coerce children by using flattery;
• pretend to have a romantic interest in them;
• offer something of value, like money or gifts such as credits in a video game;
• threaten the child (FBI, no date).

Sometimes the cybercriminals are after money, but many other times, they want them to send explicit content of themselves in images or videos.

Children are particularly attractive to perpetrators. They are at an experimental age and prone to taking risks. Once the initial persuasion techniques have worked in getting explicit content, cybercriminals can then escalate their methods to victimise the child further. Here are some of the ways they do this:

1. Most common are threats to post previously acquired content online – with a specific threat that it will be in a place their family and friends will see.
2. Threatening to physically hurt the child or their family or sexually abuse them further.
3. Threatening to commit suicide themselves if the child doesn’t comply with their requests.
4. Threatening to create sexual content involving the child using digital editing tools.
5. Creating a fake profile of the child then threatening to post sexual content involving the child.
6. Saving sexually explicit conversations with the child and threatening to post them online.

Many victims reported they initially took a revealing photo just to get rid of the person. They mistakenly think that this will satisfy them, and they will go away (Wolak, 2016). They soon discover it is only the start of their problems. To get an idea of some of the tactics cybercriminals use, consider this victim statement:

He was choking a cat [on a video chat site] and told me if I didn’t do as he said, he would kill the cat. So I showed him my breast, and he stopped hurting the cat. He then showed me the video he had of me showing my breast and said that if I leave [the site], he knows where I live and will post it to my Facebook page – Female, 17 years old.

(Wolak, 2016)

If you feel a child could be a sextortion victim, report it to Child Exploitation and Online Protection (CEOP) at the National Crime Agency, https://www.ceop.police.uk/Safety-Centre/ (UK) or the FBI, fbi.gov (US). They can offer further advice and support.

Here are some additional resources:

• https://www.thinkuknow.co.uk – the National Crime Agency’s CEOP Education team provides resources to protect children from online sexual abuse (UK);
• https://www.childnet.com – this is a non-profit international support group for children and parents for staying safe online (UK);
• https://www.saferinternet.org.uk – they have a system for reporting and removing sexual images of children online (UK);
• https://www.fbi.gov/news/stories/stop-sextortion-youth-face-risk-online-090319 – the FBI offers sextortion advice for children and parents (US);
• https://www.stopsextortion.com/get-help/ – the site offers support and a crisis hotline for victims (US).

The resources here offer good advice every parent should know to better prepare their family for sextortion attacks.

HOW ARE PEOPLE IMPACTED?

Victims report a range of emotions they go through when they discover they have been targeted with a sextortion attack.

It is evident from interviews conducted with victims that fear was a central emotion. Victims were fearful, not knowing when or if the attacker would stop or make their next demand. They feared the sexually explicit material would get released (that their family, friends or co-workers would see it). They also feared their reputation would be ruined. All these fears increased anxiety and, therefore, heightened emotional levels in victims.

There can also be a strong sense of helplessness in victims. When discovering a cybercriminal has a sexually explicit video, it can feel hopeless. Another strong emotion is shame. Victims can feel ashamed and embarrassed by what has happened. How will they face their family, friends or co-workers if they see their explicit sexual material?

If cybercriminals carry out their threats and send the sexual material to a victim’s friends or family, it is embarrassing and humiliating for victims. It gets worse when a victim’s co-workers get sent the sexual material. Some victims resign from their jobs because they can’t face their colleagues. In some extreme cases, victims have taken their lives (Stephens, 2021).

What makes this problem worse is that there is no going back. Once the sexually explicit material is on the internet, there is no control over what happens to it. Everyone the victim knows can be exposed to it. In addition, there is the possibility it could be viewed countless times by other internet users, saved and re-uploaded. For the victim, their self-respect can be destroyed in seconds.

WHAT THE FUTURE HOLDS

Current attacks consist of real photos or videos of victims or the threat of a photo or video when the cybercriminal doesn’t have any. This is expected to change in the future.

Deepfake videos are a new kind of video that allows for an individual’s face in the video to be replaced with another person’s face. The transition can be seamless (Beres and Gilmar, 2018). Casual viewers will not likely notice that the video is fake. It will be as if they are watching an authentic video.

Cybercriminals will not need to coerce or social engineer their victims. They will only need the victim’s face and samples of their voice. Once they have that, they will be able to create a convincing deep fake video that shows the victim in an embarrassing sexual act. It will be hard to recognise that the video is fake. Cybercriminals would then extort the victim, threatening to release the video.

DEFENDING AGAINST SEXTORTION ATTACKS

There are basic safeguards to defending against sextortion attacks. Here are some guidelines for you to follow.

Preventive measures for sextortion attacks

If there are no compromising photos or videos in the first place, then there is little cybercriminals can do to carry out their threats. Think twice before creating and sharing any such content.

• Don’t keep embarrassing photos or videos on your devices or in the cloud. If cybercriminals get hold of these, they can use them to extort you.
• Make all of your social media accounts private. None of your details, contact lists or what you post should be viewable by the public. Even if cybercriminals get compromising material on you, limit who they can send it to.
• Buy a webcam blocker for your computer to block anyone from recording you without your consent.
• Consider including sextortion methods in your security awareness programme at your organisation. Teach your employees to recognise these attacks. Give them a safe environment, so they feel comfortable reporting the attacks.

Warning signs

Unlike cyber extortion, there are warning signs for sextortion attacks, such as those here:

• You are asked to send compromising photos or videos of yourself or are asked to engage in a sexual act online. Do not do it – no matter how well you know the requestor or how persuasive they are. You can be recorded without knowing about it.
• Your new online connection starts to send you unsolicited sexual images or videos or engages in sexual activity while doing a video chat. This is to lower your guard and guide the conversation in a sexual direction. It is often a trick to get you to reciprocate.
• Be wary if you are asked to move your conversation from a known social media platform to something like text or app messaging where there are limited security controls.

These are all red flags that something isn’t right.

What to do if you are a victim

Falling victim to a sextortion attack is not easy, but there is support if you do.

• First of all: don’t panic. Recognise you are the victim here.
• Do not pay any money or agree to any further demands. This may cause the cybercriminal to victimise you further.
• Don’t respond to any communications from the cybercriminal and deactivate all social media accounts – but do not delete anything as it could help investigators.
• Screengrab and write down as much information as possible. This will be helpful for any investigations.
• In the UK, report the attack to your local police force. They can provide further support. In the US, report it to the FBI Internet Crime Complain Center (https://www.ic3.gov).
• If you are a revenge porn victim, the following resources can help. In the UK, revengepornhelpline.org.uk ([email protected]); in the US, https://cybercivilrights.org
• In the UK and Ireland, the Samaritans can be contacted on 116 123 or by email at [email protected] or [email protected]. In the US, the National Suicide Prevention Lifeline is 1-800-273-8255.

SUMMARY

Sextortion attacks can be more traumatic to victims than other types of cybercrime. It’s not just about the financial costs, but the shame, embarrassment or humiliation victims can feel. Cybercriminals have no morals – they will target young and old with sextortion attacks. They couldn’t care less about the suffering sextortion victims go through.

The workplace is proving to be a ripe target. It’s especially damaging to a victim’s reputation when embarrassing photos or videos are sent to co-workers. Cybercriminals will continue to target a victim’s workplace. They understand the workplace threat adds to the pressure for victims, which in turn increases the chance of cybercriminals getting their ransom.

However, by following the defence guidelines mentioned, you will have a better chance of preventing a successful sextortion attack. It all starts with not sharing your sexually explicit material with cybercriminals in the first place and understanding that sextortion attacks can occur anywhere people meet and communicate online.

If you do fall victim, don’t be too hard on yourself. Follow the steps provided and contact the necessary support groups to get any help you feel you or a family member needs.

REFERENCES

BBC (2021) Porn: The ‘incredible’ number of UK adults watching content. Available from https://www.bbc.co.uk/news/newsbeat-57428077

Beres, Damon and Gilmar, Marcus (2018) A guide to ‘deepfakes’, the internet’s latest moral crisis. Mashable. Available from https://mashable.com/2018/02/02/what-are-deepfakes/

ControlRisks (2019) Online sextortion: A cybercrime increasingly affecting employees. Available from https://www.controlrisks.com/our-thinking/
insights/online-sextortion-a-cybercrime-increasingly-
affecting-employees

Cuthbertson, Anthony (2019) Cyber criminals trawl LinkedIn to scope out targets in ‘sextortion’ scams. Independent. Available from https://www.independent.co.uk/life-style/gadgets-and-tech/
news/linkedin-cyber-crime-gang-sextortion-email-scam-
pornography-digital-shadows-a8789926.html

Dreyfuss, Emily (2019) Jeff Bezos aside, sextortion is way underreported. Wired. Available from https://www.wired.com/story/jeff-bezos-
sextortion-allegation/

Fazzini, Kate (2020) Ashley Madison cyber-breach: 5 years later, users are being targeted with ‘sextortion’ scams. cnbc.com. Available from https://www.cnbc.com/2020/01/31/ashley-madison-breach-from-
2015-being-used-in-sextortion-scams.html

FBI (no date) Sextortion, an online threat to kids and teens. Available from https://www.fbi.gov/scams-and-safety/common-
scams-and-crimes/sextortion

Kocsír, Tamás and Gallagher, Sean (2020) Following the money in a massive ‘sextortion’ spam scheme. Sophos. Available from https://news.sophos.com/en-us/2020/04/22/following-
the-sextortion-money/

Kumar, Apurva and Albrecht, Justin (2020) Lookout discovers new spyware used by sextortionists to blackmail iOS and Android users. Lookout. Available from https://blog.lookout.com/lookout-discovers-new-
spyware-goontact-used-by-sextortionists-for-blackmail?
utm_source=BL&utm_medium=BL&utm_
campaign=WW-MU-MU-MU-MU-P_NON-Goontact

Kumar, Santosh (2021) Bengaluru: IAS aspirant ends life after sextortion via Facebook. Times of India. Available from https://timesofindia.indiatimes.com/city/bengaluru/
bengaluru-suicide-victims-sister-unravels-facebook-
sextortion/articleshow/81942460.cms

Malwarebytes Lab (2021) ‘I have full control of your device’. Sextortion scam rears its ugly head in time for 2021. Available from https://blog.malwarebytes.com/social-engineering/2021/
01/new-sextortion-scam-in-time-for-the-new-year/

NCSC (2019) Social media: How to use it safely. Available from https://www.ncsc.gov.uk/guidance/social-media-
how-to-use-it-safely

Nield, David (2020) How to install apps from outside your phone’s app store. Wired. Available from https://www.wired.com/story/install-apps-outside-
app-store-sideload/

Patchin, Justin W. and Hinduja, Sameer (2018) ‘Sextortion among adolescents: Results from a national survey of U.S. youth’. Sexual Abuse, 32 (1). 30–54.

Stephens, Max (2021) Overseas ‘sextortion’ gangs targeting the over 40s. The Telegraph. Available from https://www.telegraph.co.uk/news/2021/06/12/overseas-
sextortion-gangs-targeting-40s-revenge-
porn-cases-rise/

Tidy, Joe (2021) Omegle: Children expose themselves on video chat site. BBC. Available from https://www.bbc.com/news/technology-56085499

Wickman, Glenn (2021) Sextortion arrests: Eight people detained in Spain’s Valencia for blackmailing clients with fake prostitution services. The Olive Press. Available from https://www.theolivepress.es/spain-news/2021/07/06/
sextortion-arrests-eight-people-detained-in-
spains-valencia-for-blackmailing-clients-with-
fake-prostitution-services/

Wolak, Janis and Finkelhor, David (2016) Sextortion: Key findings from an online survey of 1,631 victims. unh.edu. Available from https://www.unh.edu/ccrc/pdf/Key%20Findings%20from%
20a%20Survey%20of%20Sextortion%20Victims%
20revised%208-9-2016.pdf