18 Aug 2013

Online blackmail: who does it and how to avoid them

After a teenager killed himself when blackmailers threatened to show an explicit video of him to his family, we look at who is behind online blackmail, and how you can avoid it.

Blackmail and extortion are a common way for hackers to make money out of their victims, says a computer security expert. But the tragic case of the Scottish teenager who committed suicide after being blackmailed with explicit video of himself is not the work of a classic cyber-criminal, says Rik Ferguson, VP of security at Trend Micro.

“This is someone who wants to bully or exploit a teenager. And then thinks I might as well monetise this too.”

Daniel Perry, 17, who lived in Dunfermline, believed he was having explicit webcam calls with an American girl his own age, but police are investigating claims that criminals intercepted the video and then used it to blackmail him. Mr Perry jumped off the Forth Bridge an hour after receiving a demand for money that threatened to send the video to his friends and family.

This week saw a similar scandal in the US, where the reigning Miss Teen USA was victimised by a hacker who stole explicit photos from her webcam.

Pretending to be a 16-year-old girl is not the work of a traditional cyber-criminal

Money was involved in Daniel Perry’s case, but it wouldn’t have been the primary motivation, Mr Ferguson said.

“Blackmail is something that has been done by criminals for some time. But pretending to be a 16-year-old girl and getting a kid to do something that’s compromising to them: I don’t think that’s something that a traditional cyber criminal would do.

“It’s too labour intensive and they don’t have a lot of money.

“And if you’re going after teenagers with something as embarrassing as that, then you’re not even going after their parents’ money either.

“It’s not scalable. What criminals are interested in, is being able to target lots of people, very quickly.”

In a much more common form of extortion, hackers use malicious software called ransomware to encrypt all the contents of their victim’s computer. That effectively locks up all the user’s content so they can’t get back into it. A message then instructs the victim to pay a certain amount into an untraceable bank account in return for access to the computer again.

Still, elements of blackmail are creeping into more traditional extortion: Mr Ferguson described how child abuse images can be used to exert extra emotional pressure on victims. He described ransomware, seen recently by his team for the first time, that locks up a computer and displays a message, including graphic images of child exploitation, saying: “here are some examples of what we found on your machine and we have to pay this fine”.

“That’s easily automated and eminently scalable. It’s not actually there, it’s just a way to get them to part with their cash.”

Never comply

Anyone threatened with online blackmail should never comply with it, said Mr Ferguson.

“If you know someone has digital content which will be compromising for you, then you are a fool to pay them money – no matter how much damage you think it will do.

“It’s not like the bad old days of the spy thrillers where you’d meet somebody in a carpark and they’d hand you back the negatives. There aren’t any negatives. You have no guarantees that the person you are paying money to isn’t going to keep hold of that stuff – and will know from this point on that you’re an easy mark because you’ve already paid up once.

“They can simply say a few months later, remember that stuff I had? Well I’ve still got it.”

Consider everything online as public domain

Mr Ferguson has even more comprehensive advice about what to put online in the first place.

“There’s a rule of thumb: if you’re not happy to shout it out in a crowded shopping mall then don’t post it on the internet.”

That applies not just to public forums but to private email or anywhere else. He says:

“That’s regardless of whether you’re sharing it publicly or with just one other person. As soon as something digital has left your possession then you must consider that that information is public domain.

“Even if you just share it with one person you have no way of controlling who they share it with.”