Child porn used in online blackmail scam

By Phillip de Wet
Johannesburg, 18 Feb 2003

In what appears to be a fairly new online scam, employees have been blackmailed after child pornography was downloaded to their computers without their knowledge.

The scam joins a long list of Internet extortion techniques that have become almost commonplace, but is notable for the fact that it uses illegal material, which could conceivably land the victim in hot water.

The scam, first reported in the February edition of the American CSO Magazine, kicks off with an unsolicited e-mail containing a link to a seemingly innocuous site, in this case about the Summer Olympics in Greece. When the target visits the site, a file transfer from a site in Bulgaria is initiated in the background and pornography is downloaded to the machine, without the user's knowledge or consent.

A few days later the target receives an e-mail threatening to inform his company that he has been surfing pornography at work. The target is given directions on how to find the surreptitiously downloaded files, the "evidence" that will be presented to management unless he provides his credit card details.

According to the magazine's account, as related by an anonymous chief security officer, more than a dozen employees of a single company were targeted in the scam. Only one reported it, while three provided their credit card details, fearing for their jobs.

Local security experts say the scam is plausible although there have been no reported cases in SA, and few reports of similar extortion attempts overseas.

"There is actually a couple of ways to initiate such a download," says Stieler van Eeden, a former cracker employed by Ernst & Young's information security services division. "There are vulnerabilities in IE [Internet Explorer] that would allow it."

Van Eeden believes it likely that a malicious Java application on the innocuous site, combined with a known browser vulnerability, allowed the perpetrators to use reverse tunnelling to bypass firewall security and download the pornography.

Roelof Temmingh, technical director at IT security company Sensepost, says the scenario is not impossible but that actually downloading material without the user's knowledge could be difficult.

"In SA downloads are slow so you'd expect people to notice it. On a fast link in the US it might be quick enough that you wouldn't see it, but in SA it would take a while unless you are sitting in a high bandwidth site or if the download is local."

Temmingh says that instead of going to the trouble of downloading files surreptitiously, it is easier to trick tech-unsavvy users into believing the material is stored locally while it's really hosted elsewhere.

The experts say there are a number of ways of preventing a similar scam. Making sure that all available security patches are applied to browsers is a start, says Van Eeden, and a properly configured firewall should also help in prevention.

Temmingh says plain old common sense goes a long way.

"If you receive any unsolicited e-mail, just chuck it. Make sure the security settings on your browser are tight and correctly configured. Use a personal firewall. Don't give out your details to any site you don't know and never give out your real e-mail address unless you absolutely have to."

He also warns that posting to newsgroups or mailing lists could be dangerous, with archives of such lists now easily available. "When your posting contains personal information, scammers could use this information to further their social engineering attempts," he says.

The scam list grows

Extortion on the Internet is hardly a new pastime and pornography is also often used as a threat.

Last year three American men were arrested for extorting money via e-mail from people who had, in this case knowingly, visited child pornography sites. More than 20 people were threatened after visiting a chat room aimed at those with an interest in pornography and trying to download files. They were told to pay up or be reported to the police.

In a variation, an American man was last year arrested after threatening to release the transcript of an online conversation, described as "sexual in nature", to the victim's co-workers.

Another popular form of online extortion has seen hackers steal client databases from online companies, including banks, and threaten to make the details public unless paid. The scam was so widespread as early as 2001 that businesses were warned to be on the alert for attacks, often originating from the former Soviet Union. At least one man has also been arrested after threatening to release information that would allow people to use a valuable piece of proprietary software without paying for it.
