Information Stealing and Digital Extortion: Why Criminals Attack for Future Use

From corporate files to compromising personal photos, texts and communications, cybercriminals steal data for digital extortion and financial gain. Michael Orozco, managing director and advisory services leader of cybersecurity practice at MorganFranklin Consulting, breaks down the risks and considerations to help people and organizations protect their most sensitive information. 

Digital information is an asset with value. It can be business documents, engineering designs, product formulations, or financial projections, just to name a few. Personal information, including photographs, location data, social media posts, and text messages, is also highly prized by nefarious actors. Opportunity, circumstance, and context can greatly affect the value of personal data when stolen. These fluctuating stolen assets often include a compromising photo, a photo depicting close association with people harmful to a person’s reputation, social media posts regarding controversial topics they may want to forget, or illicit texts that can have a negative impact on their career, marriage, endorsements and the like.

Cybercriminals have a variety of methods for monetizing their attacks and many global markets make data heists a very lucrative endeavor. For example, customer data exposed in a data breach can be used for identity theft or financial fraud. It can also be used for political purposes, extortion, or exploitation. In some cases, cybercriminals also steal data and store it for future use. Certain types of information are the most damaging – and therefore most valuable – at a particular point in time.

Everyone Has a Secret

Everyone has a public life and a private life. A person’s public persona may include representing a brand, holding a public office or a significant role in a company. It can also include representing a social or political cause or the appearance of happily married bliss. Being seen as a professional and good person is essential for brand image and a person’s career prospects. It can also mean complying with endorsement agreements or adhering to social and reputational covenants.

For example, it may be expected that a person’s private life matches their public persona, but that may not always be the case. An athlete with an advertising contract for a workout drink may not actually like that drink. Someone running for public office on a particular platform may have had different views in the past. 

People may also say or do something that could be misinterpreted or seem bad when taken out of context. Everyone has probably said something or written a text or email that came across differently than intended. In another area, the decision to buy or sell a stock may be seen as insider trading if it appears that an individual may have known about an upcoming merger or acquisition.

Stealing Data for Later Use

When used for nefarious purposes, technology can pose a significant threat to the privacy of personal life. Personal photos stored on a smartphone may be compromising or embarrassing if released. Emails, text messages, and other communications may sound damning when read out of context or in a court of law. They can also reveal associations, true feelings, and actions that may run contrary to what is publicly presented.

Cybercriminals know the value of these types of data and may attack now to collect data for use in the future. A brief sample of the ways that cybercriminals gain access to personal information includes:

    • Phishing attacks: Phishing attacks are a common way for cybercriminals to steal sensitive information and deliver malware. A phishing attack could be used to steal login credentials from a target or to deploy malware on their system to steal photographs and other potentially compromising information.
    • Malicious public Wi-Fi or unsecured home Wi-Fi: Public Wi-Fi networks are convenient, but they can also pose a significant security risk. If a user connects to a malicious Wi-Fi network operated by the attacker, the attacker has visibility into their network traffic and can potentially gain access to their device and the photos and files stored on it.
    • Lost/stolen devices: Smartphones, computers, and other devices can be lost, stolen, or discarded. If these devices are not protected with full-disk encryption and a strong password, then a cybercriminal may be able to extract sensitive data from the device.

Compromised credentials also allow cybercriminals to create embarrassing situations for a victim. For example, an attacker with access to a celebrity’s Twitter account could tweet embarrassing messages or use Twitter to disseminate photographs stolen from the victim’s computer.

Choosing the Moment and the Amount

Cybercriminals steal information to make money. They are often retained for their craftsmanship to do the dirty work of their employers. When they’ve collected embarrassing information about someone, they may wait to make an extortion attempt until the right moment.

That right moment can depend on the type of information stolen and the target. For embarrassing pictures of a celebrity, the cybercriminal may only wait until they have bids from various media outlets to demand payment not to release the images. If the information is political, on the other hand, the attackers may sit on it for longer, waiting until the target is running for office, and the information is the most damaging and the most valuable.

The amount of the extortion attempt may also depend on various factors. If information is more potentially damaging, then the price tag is likely higher. The attacker may also research their targets, attempting to determine how much they are able or willing to pay before naming a price. For example, a celebrity or a high-ranking politician with large sums of money is a better target than the average person. If the attacker determines that their target can’t pay enough, they may not bother making an extortion attempt.

To Pay or Not to Pay?

Common guidance is not to pay ransom demands, whether for ransomware attacks, the release of embarrassing information, or other attacks. Paying a ransom helps fund the attacker’s operations and demonstrates that you are willing to meet a ransom demand. However, victims often weigh whether the damage that could be done is greater than the ransom requested. “Sometimes the juice is really worth the squeeze.”

Increasingly, there is less “honor among thieves” when it comes to ransomware and other extortion attacks. When paying a ransom, you expect the stolen data to be deleted for good. However, cybercriminals may keep coming around demanding additional payments for as long as they can get away with it. Other times, the threat actor may collect the ransom while also receiving payment from another party that wants the information released. Paying a ransom doesn’t guarantee an end to the problem.

In the end, the decision of whether to pay a ransom should be based on a cost-benefit analysis. If the potential exposure damage is high and the demanded ransom is low, it may be worth paying up. However, if the cost is too high, then refusing may be the better option, along with releasing the information directly to devalue the stolen assets.

Protecting Against Extortion Attacks

The best way to manage an extortion attack is to prevent it from occurring in the first place. If an attacker doesn’t have access to embarrassing information, they can’t attempt to extort a ransom by threatening to reveal it.

Keep in mind that every text, photo, email, and social media post lives on forever somewhere out of your reach and control, and you have no say over how many copies are stored in cyberspace. The metadata associated with each data asset presents another treasure trove of information revealing the exact location, time, smartphone, PC, network, etc., that was used for its creation.

Protecting against digital extortion attacks requires implementing many of the same basic security best practices that help protect against other threats. Some examples include:

    • Keep an eye out for phishing attacks by looking carefully at the email address of the sender
    • Be careful with emails that contain attachments from unfamiliar sources
    • Use a strong password and multi-factor authentication (MFA) when possible
    • Use a virtual private network (VPN) when connected to untrusted Wi-Fi networks
    • Protect devices with full-disk encryption and a strong password
    • Keep antivirus software up-to-date and run regular scans
    • Use the latest version of the operating system
    • Understand and properly set the privacy settings for devices and applications

Implementing these best practices can help, but it doesn’t guarantee protection against extortion attacks. A sufficiently well-resourced and motivated attacker can find a way into any organization or system. For that reason, it’s also important to perform a risk assessment and identify what sensitive data may be breached, what additional precautions may be necessary, and how to handle an incident.
