The Evolution Of Sextortion Attacks: How Generative AI Is Taking A Front Seat

Cyberattacks that involve blackmailing with sexually motivated content (also known as sextortion attacks) are nothing new. However, over the past 18-20 months, we have seen these attacks continue to pose major risks to individuals and companies alike. With the hype around generative artificial intelligence (GenAI) and its public availability, these attacks are becoming more widespread and convincing.

Between H1 2022 and H1 2023, security researchers detected a 178% increase in sextortion attacks, which ranked third among all email threats in H1 2023. Since the pandemic hit and CEOs of the largest companies in the world began working from home, these attacks targeting large corporations have become more common. Now, with the rise of GenAI, the dangers are even more substantial.

The Evolution Of Sextortion Attacks

Typically, sextortion attacks go like this: a teenager is contacted by a malicious actor who threatens to either release sensitive photos or videos or reveal the teenager’s hidden sexuality. They request a large sum of money (which the teenager does not have) and offer an alternative form of “payment”—for the teenager to provide them access to their home network, set up a forwarding rule on a parent’s email account, install malware, etc.—to access sensitive information from a parent’s company.

This is still the typical attack pattern, but what we’re discovering now is that these attacks are increasingly becoming “patient zero” or the root cause of harm when investigating compromised environments. These findings point to the failure of many organizations’ threat detection and remediation processes as well as the threat actors’ ability to sneak through defenses and instruct even non-technically savvy individuals to do the same.

Initial compromises are going undetected for months or even years at a time, which was common long before the pandemic. However, the switch to remote or hybrid work environments can instill a false sense of security in executives that their devices are only accessible to those who live under their roof. In reality, someone just a bedroom over may have given attackers access to the device or even the entire home network.

Another interesting pattern is that these attacks were mostly localized to the European region. Now, we’re seeing them everywhere. In addition to work-from-home environments adding complexity and these attacks spreading worldwide, we would be remiss to not discuss the hype around AI and the role it plays in these attacks.

GenAI And The Sextortion Problem

Despite what many people with non-technical backgrounds may think, AI has been around for a long time. What’s new is the availability of GenAI to the general public for free and the intense fixation on the technology that’s spurring companies worldwide to speedily adopt its capabilities. Whether it’s with the introduction of chatbots, new capabilities or funding, everyone wants to be able to claim they use GenAI, and hackers are bound to follow suit.

We’ve seen for decades that as an emerging technology rises to the public forefront, threat actors look to take advantage of it and use it for malicious purposes wherever possible. Using GenAI for sextortion attacks is a perfect example.

With the availability of GenAI, creating unique images can be done with little effort. Unfortunately, this means that generating sexually explicit content has become simpler as well, often only requiring a completely innocent photo of someone’s face. Without even doing anything compromising, you could be faced with a decision to pay up or have fake explicit images of you shared online.

Fear tactics and blackmail are the name of the game when it comes to sextortion attacks, and the focus on and use of GenAI allow these attacks to be executed much faster and more frequently.

So how can the fraudsters be stopped, and whose responsibility is it to stop them? Many people point the finger at the developers of these major GenAI tools. Yes, they can impose some limits in their own technology (and are arguably responsible for doing so), but it’s impossible to stop hackers from creating their own GenAI tools that have no ethical limits.

As I see it, the ideal option is for company executives to be aware of these threats, take them into account when calculating their organization’s cyber risk and have a strong executive protection program in place.

Awareness And Defense

Aside from educating CEOs on what sextortion attacks are and how to detect and report them, in today’s work-from-home world, it’s vitally important to train the executive’s entire family (or whoever has access to their same home network) on what these attacks look like and how to deal with them.

One necessary defense is an executive protection program that includes the aforementioned awareness training, fortifiable technical defenses and clear processes for detection and remediation. However, not all defenses have to be extensive programs or super complex. As with many other cyber threats, the best defenses are often cyber hygiene basics:

• Don’t click on any suspicious email links or attachments.

• Use strong passwords and multifactor authentication.

• Don’t send any compromising information (including sexual content) to strangers.

• Implement a strong security awareness training program that includes education on all of the above as well as what a sextortion attack may look like and how GenAI can play a role.

• Install appropriate spyware blockers and email security defenses to detect attack attempts, even if the device/user is not on a corporate network.

Sextortion attacks are bound to become more common with the rise of GenAI and as many organizations settle into a permanent work-from-home or hybrid work model, particularly in the U.S. It’s time for the cybersecurity industry to raise CEOs’ awareness about these attacks and extend training and protection to friends or family who could be equally impacted.