Do Not Be Tricked by a Sextortion Scam Claiming That Your Nest Camera Was Hijacked

Sextortion Scam Involving Nest Cameras

We all know about the security shortcomings plaguing the ever-increasing number of IoT devices, and you probably won't be too surprised to learn that cybercriminals are taking advantage of this. Not in the way you might expect, though. Indeed, IoT gear gets hacked every day, but criminals have developed other, cheaper and cleverer ways of exploiting the security holes of smart gadgets. Recently, for example, email security company Mimecast told us that crooks are now using IoT's lack of security as a social engineering tool during a relatively large sextortion campaign.

According to Computer Weekly, the emails started flying around in early January, and in a matter of mere days, Mimecast detected no fewer than 1,700 copies of the scam messages, most of which were aimed at US citizens. It's not the biggest campaign the world has ever seen, but the potential victim count is not exactly insignificant, either. When you see how the attack unfolds, you'll notice that the crooks who organized it put some thought into it as well.

An unusually convoluted attack

Previous sextortion scams involved a single message sent by email, which tried to convince targets that their computers had been hacked and that the extortionists had embarrassing footage of the recipient watching adult videos. The email would say that if the victim didn't pay up, the clip would be released for the whole world to see. In 2019, the criminals started using victims' passwords (which they obtained from publicly available leaked databases) to make the "I hacked your computer" scenario that much more believable.

The more recent campaign is a bit different. While traditional sextortion attacks reveal the crooks' demands straight away, the current messages don't actually tell victims that they are about to be blackmailed. Instead, the message simply claims that the cybercriminals have hacked the recipient's Google Nest camera and have obtained some nude pictures of the owner. The victims are given login credentials, which they need to use to log into a ProtonMail email account. In it, they find alleged proof of the hacking incident.

There's a link that leads to a landing page and a video that was indeed filmed with a Nest camera, but not one that belongs to the victim. People who fail to notice that they are watching a random clip are warned that if they don't pay an extortion fee, the compromising photos and videos will be published on a porn website. Computer Weekly said that the demand is €500 or $555 and can be paid in either cryptocurrency or gift cards.
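The structure of this lure (a hacked-camera claim, mailbox credentials handed to the victim, a threat to publish footage, and a demand payable in cryptocurrency or gift cards) lends itself to a simple content check on a mail gateway. The scorer below is an added example, not code from the article or from Mimecast; the indicator patterns and both sample messages are constructed for illustration.

```python
import re
from typing import Dict, List

# Each indicator is a set of patterns that must ALL appear somewhere in the
# message. They mirror the lure described in the article: a claim that the
# recipient's Nest camera was hacked, a ProtonMail login handed to the victim,
# a threat to publish footage, and a ransom payable in crypto or gift cards.
INDICATORS: Dict[str, List[str]] = {
    "camera_compromise_claim": [r"\b(nest|camera|webcam)\b",
                                r"\b(hack\w*|access\w*|control\w*)\b"],
    "mailbox_credentials_supplied": [r"\b(protonmail|log ?in)\b",
                                     r"\bpassword\b"],
    "publication_threat": [r"\b(publish\w*|release\w*|upload\w*)\b",
                           r"\b(porn\w*|video\w*|photo\w*|picture\w*|footage)\b"],
    "untraceable_payment_demand": [r"\b(bitcoin|crypto\w*|gift ?cards?)\b",
                                   r"[$€£]\s?\d{2,5}|\b\d{2,5}\s?(usd|eur|dollars|euros)\b"],
}


def matched_indicators(text: str) -> List[str]:
    """Return the names of all indicators whose patterns all match the text."""
    return [name for name, patterns in INDICATORS.items()
            if all(re.search(p, text, re.IGNORECASE) for p in patterns)]


def is_sextortion_lure(text: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` independent indicators are present.
    Requiring several reduces false positives on ordinary camera notifications."""
    return len(matched_indicators(text)) >= threshold


# Constructed sample messages (not real emails).
SCAM_SAMPLE = (
    "I have hacked your Nest camera and recorded you in your bedroom. "
    "Log in to the ProtonMail account below with the password provided to see the proof. "
    "Pay $555 in bitcoin or gift cards within 48 hours, or the video will be "
    "published on a porn website."
)
BENIGN_SAMPLE = (
    "Your Nest camera detected motion at the front door at 3:12 PM. "
    "Open the Nest app to view the video clip."
)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, matched_indicators(msg), is_sextortion_lure(msg))
```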

Unusual tactics and trivial motives

Some of you may be a bit perplexed by what looks like an unnecessarily complex setup. You might even say that the hoops users are forced to go through could tip them off to the real nature of the message they're reading. There is sound reasoning behind the decisions the crooks have taken, though.

By involving another email account and a landing page, the crooks are making it harder for email security companies to trace the source of the attack, and even regularly updated spam lists might fail to stop some of the scam messages. At the same time, although the victim's involvement in the whole operation is greater than usual, the crooks are hoping that, with all the warnings about the less-than-ideal state of IoT security, people will be too panicked to notice some of the tell-tale signs that they are being conned.

Indeed, internet-connected cameras can be hacked, and the vulnerabilities found in some of them are nothing short of terrifying. But how likely are you to be a victim exactly?

If you think about it, such an attack would involve a hacker picking your camera among a sea of similar devices and hacking into it. Then, the criminal would need to wait for you to stand in front of your camera naked, and after that, they would need to establish the blackmail operation without getting caught. You have to agree that quite a few complex tasks would need to be completed, and the potential payout would be less than $600. Suddenly, you start to realize that the crooks' claims don't really hold much water.

As you can see, taking everything that lands in your inbox with a healthy pinch of salt can make all the difference.

January 21, 2020