Sextortion and Cybersecurity: Phishing Targeting Minors

Fri, 19 Jul 2019

As Canadians, we are especially aware of the vicious nature of sextortion and the terrible aftereffects these malicious phishing campaigns leave in their wake. The tragic suicide attempt and later death of Amanda Todd, 17, of British Columbia in 2013, and the suicide of Rehtaeh Parsons, 15, of Nova Scotia in 2012, shocked us as a nation. Both girls were victims of sextortion. Sextortion is a cybercrime and a form of phishing scam. Phishing is communication via email or text that attempts to obtain data and personal information from the user or trick the user into downloading malware.

Sextortion “occurs when offenders use personal information – often images stolen from a computer or obtained by hacking into a webcam – to force victims to engage in some form of sexual activity. Offenders frequently target multiple victims, a majority of whom are children under the age of 18.”[1] The Brookings Institute found that 71% of reported sextortion cases involved only victims under the age of eighteen, while an additional 14% of reported sextortion cases involved a mix of adults and minors. Of those reported sextortion cases, all adult victims were women; however, when children were targeted, it was both boys and girls.[2] When teaching minors about cybersecurity, it is essential that all genders are taught the necessary personal cybersecurity measures, and how to both identify phishing attempts and avoid phishing scams.

Often, sextortion phishing scams arrive as an email that is usually ignored. You may have received phishing emails with subject lines like “I have naked pics of you” or “I have videos of you watching pornography.” If you opened and read the email (which we at ISA do not advise), you would likely find a demand. If you have the correct cybersecurity measures in place, the sextortion email went directly to your spam folder. Sextortion emails are phishing campaigns; if they appear very specific, they are an extension of an earlier phishing attempt wherein the perpetrator garnered some personal data (or images). If they are vague, then they are an early phishing attempt to get the victim to bite or click on a link that will lead to the download of malware.

Sextortion, like phishing, isn’t new, but it seems to be on the increase, as reported by the Brookings Institute,[3] The Guardian[4] and Barracuda Networks.[5] Barracuda Networks stated in a recent report that sextortion scams are gaining sophistication and bypassing email gateways, and that one in ten spear phishing attacks are blackmail or sextortion.[6] Barracuda Networks’ report detailed that company employees were “twice as likely to be targeted in a sextortion scam than a business email compromise attack.”[7] Sophisticated sextortion campaigns, like socially-engineered phishing campaigns, have vastly destructive potential. Part of the issue with sextortion is that sextortion attacks often go undisclosed for fear of victim-blaming or out of embarrassment.

The reality of an actual sextortion scheme:

Sextortion often begins with a phishing email from an unknown sender. In the 2011 court proceedings of the United States v. Mijangos, that’s how it started for the victim – with an email from that said, “Read this and be smart.”[8] The phishing email message contained sexually explicit photographs of the victim and personal information about where she worked, her husband and her three children. Her family’s safety appeared compromised. There was also a demand contained in the phishing email. Extortion is usually a demand for money. This demand was for pornography. The cyber threat actor wanted a pornographic video of the victim and threatened that if he didn't receive what he requested, he would publish the pictures he already possessed. He also threatened that if she notified the police, he would post the pictures.[9] The cyber-attacker was a 32-year-old from Santa Ana, California named Luis Mijangos. In 2009, he had sent another phishing email to another victim; the subject line read “who hacked your account READ it!!!” That email also contained a naked photo of the victim, and the message said "im [sic] in control of your computers right now."[10]

These phishing and sextortion emails were discovered to be part of an extended series of crimes. It turned out that Mijangos had duped many teenage girls and adult women into downloading malicious software. The malware gave him access to files, photos and videos, and a keylogger tool allowed him to see all of their keystrokes, so he knew if they notified anyone from their computer. The malware also gave him control over any attached webcams and microphones, which he used to cyber-stalk and record his victims. He collected data on his victims, sometimes for weeks or months, and used it to blackmail, manipulate and sextort. To worsen the situation, Mijangos used the malware-controlled computers to spread his malicious software further, circulating it by phishing via instant messages to the victims’ contacts. The phishing messages were effective as they appeared to come from a legitimate connection.

Mijangos was frighteningly good in his role as sextortionist; the malware he wrote was complex and designed to be undetectable to antivirus software. In some cases, he deceived victims into creating sexually-explicit pictures and videos by simulating the online presence of their boyfriends. Mijangos then “used [those] intimate images or videos of female victims he stole or captured to ‘sextort’ those victims, threatening to post those images or videos on the Internet unless the victims provided more.”[11] He followed through on his sextortion threats. In one case, when a victim refused to give in to his demands, Mijangos posted naked photos of her on the social media account of a friend, an account that Mijangos had also hacked.

When the investigation into Mijangos’ sextortion and phishing scams was all said and done, “investigators found more than 15,000 webcam-video captures, 900 audio recordings, and 13,000 screen captures on his computers. Mijangos possessed files associated with 129 computers and roughly 230 people. Of those, 44 of his victims were determined to be minors.”[12] These were minors who largely didn’t have an understanding of cybersecurity, or of what phishing and sextortion were.

Sextortion and exploiting the vulnerable

Sadly, the concept of sexual menace isn't new, nor is the exploitation of the young and vulnerable. However, in our digitally inundated world, our globalized connectedness means that sexual threats, phishing campaigns and sextortion can come from anywhere. Often, cybersecurity concerns are considered worries for the government, companies and institutions. Individuals who shop and bank online have cybersecurity concerns about personal data, digital footprints and identity theft.

Teenagers don't usually factor into cybersecurity concerns. They rarely consider themselves vulnerable and care little about their cybersecurity. Few teenagers have robust passwords, and most avoid two-step verification. Also, there are times when some teenagers don’t use the soundest judgement, even recording inappropriate pictures and videos of themselves, sometimes “sexting” them to other teenagers who also aren’t concerned with cybersecurity. Poor judgement, insecurities and fear combined with lax cybersecurity make teenage communications a target-rich environment for sextortion to occur. It’s not surprising that Barracuda found education was the industry most targeted by sextortion and blackmail phishing campaigns, with 55% of all attacks being directed at educational organizations.[13] 

Cybersecurity for young adults

Teenagers are glued to their smartphones both day and night, not wanting to miss out on anything. They need to be taught good cybersecurity practices and how to protect themselves from phishing and sextortion attacks.

Help your teenager practice good cybersecurity:

  •  Set up strong passwords for their mobile devices and each of their accounts (including all of their social media).
  •  Ensure they update and patch operating systems and apps frequently.
  •  Ensure that they understand what phishing schemes and sextortion are. Knowing is half the battle: if they receive a phishing message, they will realize what it is and know what to do.
  •  Teenagers are often impetuous. They occasionally need to be reminded of what a digital footprint is and how pictures, videos and “sexts” can spread, remaining even after they are deleted.
  •  If they receive a sextortion email that directly targets them:
    • Do not panic.
    • Contact (Canada’s national tip line for reporting the online exploitation of children). Sextortion predators rarely target just one person so reporting it benefits the victim, as well as others who may be experiencing the same sextortion threats.
    • Stop all communication. Deactivate the accounts where the phishing or sextortion messaging was received, but do not delete the phishing or sextortion messages (they are evidence). 
    • Do not do what they ask in the phishing or sextortion messaging. If the predator has asked for videos or pictures, giving them what they want will not make it stop; it will most likely magnify the victim’s problem.

Sextortion fraud isn’t just a problem for teenagers, although they are the most vulnerable. If you run an organization, talk to your employees about sextortion as part of a phishing and malware education program for your organization’s cybersecurity, especially if your organization falls inside the education sector. Ensure your staff understand their role in cybersecurity: that they can recognize sextortion and phishing attacks, understand their fraudulent nature, and feel comfortable reporting them.

Remember, almost every cyber attack starts with a phishing scheme. Spear phishing and sextortion are growing more specific and therefore more effective. The more the phishermen know, the more they can target a victim, and through them an organization. Teaching employees how to identify and deal with phishing and sextortion attempts is a solid frontline defence in cybersecurity. 

