Affecting 1,700 people (mainly in the US), the scam was uncovered by email cyber security company, Mimecast, which said that the campaign started in early January.
The company clarified that, while Google Nest users weren’t targeted exclusively, footage from Nest cameras was used as part of the campaign.
A sextortion email scam is when perpetrators claim to have compromising footage of the victim – which they’ll then surrender once they have been paid. Usually, this initial email contains a link that allows the victim to pay the perpetrator (a Bitcoin wallet, for example), but in this case, victims were not initially directed to pay a ransom for the footage.
Instead, victims were given the login details to an email account, in which they would find an email containing a link to a site – this site hosted genuine footage downloaded from the Google Nest site, but crucially, the footage was not taken from the victim’s camera.
Once there, victims were “directed to another email inbox, where they [were] told the footage [would] be posted within a week”, unless they paid the scammers.
Mimecast’s head of data science overwatch, Kiri Addison told Computer Weekly that by creating multiple steps, the scammers are “trying to make it harder for people to detect what’s happening”.
In an example seen by Computer Weekly, the scammers reportedly asked for €500 (about $550 / £430 / AU$800) in Bitcoin, or gift cards or the likes of Amazon, iTunes, Best Buy, and Target.
According to Addison, these emails can be safely ignored. She explained: “The campaign is exploiting the fact people know these devices can be hacked very easily and preying on fears of that.”
“It is now widely known that many IoT (Internet of Things) devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible.”
How the scammers gained access to the victims’ email addresses or the Google Nest footage is unclear; we’ve reached out to Google for comment and will update this article as soon as we have a response.
It’s important to note that the scam wasn’t the result of an IoT breach (that is, the victims’ own security cameras were not actually hacked). While the footage was taken from the Google Nest site, it didn’t actually belong to any of the victims targeted in sextortion campaign.
“The vulnerabilities are real. It is quite possible to hack a lot of these devices, but I think at the same time education around these extortion campaigns is really important so that people know not to fall for them,” Addison says.
How can we protect ourselves?
The potential for our smart home gadgets to be hacked and used against us as blackmail fodder does raise questions about whether they offer enough security for their users.
Jake Moore, cybersecurity specialist at internet security company ESET explains: “Anything connected to the internet from your home has the potential of being viewed by cyber criminals, so we have to put as many extra layers of protection in place to reduce this risk.”
Whether that’s enough to make you swap out your smart security camera for a regular ‘dumb’ camera comes down to how concerned you are about the possibility of hackers gaining access to that footage in the future – and that does seem unlikely.
So, how can we protect ourselves if we do choose to use smart devices? To start with, Moore says that, “Nest users should always enable two factor authentication on their device to help protect their account and data”.
It’s also important to keep an eye out for suspicious emails, “even when they purport to be from a platform they may have an account with”, he says.
He continues: “People should be reminded not to click on links in emails even when they are from companies who they deal with, especially when they are requesting log in details to gain further access. It may be tempting to click away for ease of use or saving time, but it can be far more damaging if a cyber criminal gets access to your account.”
Via Computer Weekly