Affecting nearly 1,700 Google Nest users (mainly in the US), the scam was uncovered by email cyber security company, Mimecast, which said that the campaign started in early January.
A sextortion email scam is when perpetrators claim to have compromising footage of the victim – which they’ll then surrender once they have been paid. Usually, this initial email contains a link that allows the victim to pay the perpetrator (a Bitcoin wallet, for example), but in this case, victims were not initially directed to pay a ransom for the footage.
Instead, victims were given the login details to an email account, in which they would find an email containing a link to a site – this site hosted genuine footage downloaded from the Google Nest site, but crucially, the footage was not taken from the victim’s camera.
Once there, victims were “directed to another email inbox, where they [were] told the footage [would] be posted within a week”, unless they paid the scammers.
Mimecast’s head of data science overwatch, Kiri Addison told Computer Weekly that by creating multiple steps, the scammers are “trying to make it harder for people to detect what’s happening”.
In an example seen by Computer Weekly, the scammers reportedly asked for €500 (about $550 / £430 / AU$800) in Bitcoin, or gift cards or the likes of Amazon, iTunes, Best Buy, and Target.
According to Addison, these emails can be safely ignored. She explained: “The campaign is exploiting the fact people know these devices can be hacked very easily and preying on fears of that.”
“It is now widely known that many IoT (Internet of Things) devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.”
It’s important to note that the scam wasn’t the result of an IoT breach (that is, the cameras themselves were not hacked). While the footage was taken from the Google Nest site, it didn’t actually belong to any of the victims targeted in sextortion campaign.
“The vulnerabilities are real. It is quite possible to hack a lot of these devices, but I think at the same time education around these extortion campaigns is really important so that people know not to fall for them,” Addison says.
The potential for our smart home gadgets to be hacked and used against us as blackmail fodder does raise questions about whether they offer enough security for their users.
Jake Moore, cybersecurity specialist at internet security company ESET explains: “Anything connected to the internet from your home has the potential of being viewed by cyber criminals, so we have to put as many extra layers of protection in place to reduce this risk.”
Whether that’s enough to make you swap out your smart security camera for a regular ‘dumb’ camera comes down to how concerned you are about the possibility of hackers gaining access to that footage in the future – and that does seem unlikely.
What’s certain is that you should always exercise caution if you receive a suspicious email, particularly if you are being asked to send money or open an attachment that you weren’t expecting.
Via Computer Weekly