Last week on Malwarebytes Labs:

• Google will start deleting location history
• Advance Auto Parts customer data posted for sale
• Husband stalked ex-wife with seven AirTags, indictment says
• Microsoft Recall snapshots can be easily grabbed with TotalRecall tool
• Financial sextortion scams on the rise
• Say hello to the fifth generation of Malwarebytes
• Big name TikTok accounts hijacked after opening DM
• US residents targeted by utility scammers on Google
• Debt collection agency FBCS leaks information of 3 million US citizens
• 800 arrests, 40 tons of drugs, and one backdoor, or what a phone startup gave the FBI, with Joseph Cox: Lock and Code S05E12
• WhatsApp cryptocurrency scam goes for the cash prize

Last week on ThreatDown:

• Ransomware drives healthcare provider into administration
• FBI has 7,000 LockBit decryption keys available
• Microsoft calls time on NTLM, so should you
• Why complexity has become a security issue
• Azure Service Tags vulnerability could allow attackers to access private data
• ClearFake walkthrough

Stay safe!

“Hey there!” messaged Savannah, someone 16-year-old Charlie had never met before, but looked cute in her profile picture. She had long blonde hair, blue eyes, and an adorable smile, so he decided to DM with her on Instagram. Soon their flirty exchanges grew heated, and Savannah was sending Charlie explicit photos. When she asked him for some in return, he thought nothing of taking a quick snap of himself naked and sending it her way.

Within seconds, “Savannah” morphed from vixen to vice, threatening Charlie with posting his nude picture all over social media—unless he sent $500. Then she gave Charlie three days to get her the money, otherwise she’d share the compromising photos with his friends and family.

While the above scene is fictional, it’s indicative of what the FBI and Department of Homeland Security agree is the fastest-growing cybercrime of the last three years. It’s called financially motivated sextortion, or financial sextortion, and its victims are mainly teenage boys between the ages of 14 and 17.

Financial sextortion happens when adult criminals create fake accounts posing as young women on social media, gaming platforms, or messaging apps, and coerce victims into sending explicit photos. Scammers then threaten victims into sending payment, usually in the form of cryptocurrency, wire transfer, or gift cards, otherwise they’ll post the images online for all to see.

In an emerging trend, some sextortion scammers are now using artificial intelligence to manipulate photos from victims’ social media accounts into sexually graphic content. The predators then threaten to share the content on public forums and pornographic websites, as well as report victims to the police, claiming they’re in possession of child pornography. Demands for money immediately follow.

In 2023 alone, the National Center for Missing and Exploited Children (NCMEC) received 26,718 reports of financial sextortion of minors, more than double the 10,731 incidents reported in 2022. Sadly, these figures are likely far understated, since they rely on kids or their parents calling in the crime. A January 2024 threat intelligence report from Network Contagion Research Institute (NCRI) found children in the United States, Canada, and Australia are being targeted at an alarming rate, with a massive 1,000 percent surge in financial sextortion incidents in the last 18 months.

To illustrate how quickly the digital landscape has changed, a 2018 national survey found just 5 percent of US teens reported being victims of sextortion. Fast forward to June 2023, and 51 percent of Generation Z respondents said they or their friends were catfished in sextortion scams—47 percent in the last three months.

The Yahoo Boys

Financial sextortion has been linked to scammers in West Africa, particularly Nigeria and the Ivory Coast, as well as the Philippines. However, NCRI notes virtually all sextortion scams targeting minors can be directly linked to a distributed West African gang known as the Yahoo Boys. The Yahoo Boys mainly go after English-speaking minors and young adults on Instagram, Snapchat, and Wizz, an online dating platform for teens. They’re the original Nigerian Princes, but have changed tactics in recent years to elder fraud, romance scams, fake job scams—and now the sexual extortion of children for profit.

NCRI credits the tenfold increase in financial sextortion cases directly to the Yahoo Boys’ distribution of instructional videos and scripts on TikTok, YouTube, and Scribd, which are encouraging and enabling other threat actors to engage in financial sextortion as well. The videos have been viewed more than half a million times, and comments are filled with cybercriminals eager to download the scripts and get started.

The sextortion guides provide step-by-step instructions on how to create convincing fake social media profiles and “bomb” high schools, universities, and youth sports teams. The Yahoo Boys use this term to describe friending/following as many kids in a school or other location as possible to convince victims they could be an unknown classmate or peer from a nearby town.

While the payment amounts requested by the Yahoo Boys vary, they can range from as little as a couple hundred dollars to a few thousand. But predators employ ruthless tactics to intimidate their victims into paying, which can inflict lasting trauma and immense distress on children. Offenders often continue demanding more money after receiving the initial sum and may release victims’ sexually explicit images regardless of whether or not they were paid.

Indeed, the financial fallout may not be as daunting as the millions demanded by ransomware actors, but the emotional cost to teenage boys can be devastating. Anxiety. Humiliation. Shame. Despair. Feeling completely alone and afraid to ask for help. According to the FBI, financial sextortion has even been linked to fatalities. To their knowledge, at least 20 teens between January 2021 and July 2023 committed suicide when faced with the threat of nude photos that could ruin their lives.

What to do if you or your child is financially sextorted

Parents of teenage boys—or all teens for that matter—should have a conversation with their child about the pitfalls of financial sextortion. Remind them to be selective about what they share online and who they connect with, and if a stranger reaches out to them demanding payment or sexually explicit images, they should speak to a trusted adult before sending anything, be it money, photos, or more messages. In fact, open lines of communication can be the difference between life or death, so if your child doesn’t feel comfortable going to you, ask that they bookmark this article or one of the references listed below.

If you or your child are a victim of financially motivated sextortion, the most important advice to remember is this: You are not alone. You are not in trouble. Your child should not be in trouble. There is a way forward after this.

There are several resources you or your child can access to report the crime to law enforcement, speak to a caring counselor or peer, and request that harmful images be taken down. Here’s what we suggest:

• Block the scammer from contacting you again, but save all chats and profile information because that will help law enforcement identify them.
• Report the scammer’s account on the platform where the crime took place. Facebook and Instagram parent company Meta unveiled new tools last month to combat financial sextortion, and Snapchat has a reporting feature for nudity or sexual content, which now includes the option: “They leaked/are threatening to leak my nudes.”
• Report the crime to NCMEC at Cybertipline.org or directly to the FBI at tips.fbi.gov or the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. FBI Victim Services also has a Child Exploitation Notification Program. Canadian victims can access the Canadian Centre for Child Protection for resources, and report crimes to Cybertip.ca.
• Seek emotional support, whether from a trusted adult, friend, or through professional services. NCMEC offers assistance for sextortion victims and their families, such as crisis intervention and referrals to local counseling professionals, and their Team Hope volunteer program connects victims to other who’ve experienced financial sextortion.
• If you prefer a more anonymous support experience, the moderated Reddit forum r/Sextortion is a safe haven for victims to share their experiences and get advice from those who’ve already been through it.
• Victims looking to remove sexually explicit images from the internet can go to Take It Down for help or Project Arachnid, which uses automated detection methods along with a team of analysts to quickly send removal notices to electronic service providers.
• Ask for help. Problems from financial sextortion can be complex and require assistance from adults and professionals. If you don’t feel you have adults who can help, reach out to NCMEC at gethelp@ncmec.org or call 1-800-THE-LOST.

For more information and resources, visit the FBI’s page on financially motivated sextortion.

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an “exit scam” that left users unable to withdraw millions of dollars worth of funds from the platform.

In the past 24 hours, the homepage for the Incognito Market was updated to include a blackmail message from its owners, saying they will soon release purchase records of vendors who refuse to pay to keep the records confidential.

“We got one final little nasty surprise for y’all,” reads the message to Incognito Market users. “We have accumulated a list of private messages, transaction info and order details over the years. You’ll be surprised at the number of people that relied on our ‘auto-encrypt’ functionality. And by the way, your messages and transaction IDs were never actually deleted after the ‘expiry’….SURPRISE SURPRISE!!! Anyway, if anything were to leak to law enforcement, I guess nobody never slipped up.”

Incognito Market says it plans to publish the entire dump of 557,000 orders and 862,000 cryptocurrency transaction IDs at the end of May.

“Whether or not you and your customers’ info is on that list is totally up to you,” the Incognito administrators advised. “And yes, this is an extortion!!!!”

The extortion message includes a “Payment Status” page that lists the darknet market’s top vendors by their handles, saying at the top that “you can see which vendors care about their customers below.” The names in green supposedly correspond to users who have already opted to pay.

We’ll be publishing the entire dump of 557k orders and 862k crypto transaction IDs at the end of May, whether or not you and your customers’ info is on that list is totally up to you. And yes, this is an extortion!!!!

Incognito Market said it plans to open up a “whitelist portal” for buyers to remove their transaction records “in a few weeks.”

The mass-extortion of Incognito Market users comes just days after a large number of users reported they were no longer able to withdraw funds from their buyer or seller accounts. The cryptocurrency-focused publication Cointelegraph.com reported Mar. 6 that Incognito was exit-scamming its users out of their bitcoins and Monero deposits.

CoinTelegraph notes that Incognito Market administrators initially lied about the situation, and blamed users’ difficulties in withdrawing funds on recent changes to Incognito’s withdrawal systems.

Incognito Market deals primarily in narcotics, so it’s likely many users are now worried about being outed as drug dealers. Creating a new account on Incognito Market presents one with an ad for 5 grams of heroin selling for $450.

The double whammy now hitting Incognito Market users is somewhat akin to the double extortion techniques employed by many modern ransomware groups, wherein victim organizations are hacked, relieved of sensitive information and then presented with two separate ransom demands: One in exchange for a digital key needed to unlock infected systems, and another to secure a promise that any stolen data will not be published or sold, and will be destroyed.

Incognito Market has priced its extortion for vendors based on their status or “level” within the marketplace. Level 1 vendors can supposedly have their information removed by paying a $100 fee. However, larger “Level 5” vendors are asked to cough up $20,000 payments.

The past is replete with examples of similar darknet market exit scams, which tend to happen eventually to all darknet markets that aren’t seized and shut down by federal investigators, said Brett Johnson, a convicted and reformed cybercriminal who built the organized cybercrime community Shadowcrew many years ago.

“Shadowcrew was the precursor to today’s Darknet Markets and laid the foundation for the way modern cybercrime channels still operate today,” Johnson said. “The Truth of Darknet Markets? ALL of them are Exit Scams. The only question is whether law enforcement can shut down the market and arrest its operators before the exit scam takes place.”