Warning: Victims’ faces placed on explicit images in sextortion scam

The FBI has issued a warning about criminals digitally manipulating people’s faces on to pornographic images—known as deepfaking—and then using those images to harass or extort money out of their victim in a practice known as sextortion.

The FBI said the victims include children. From the release:

The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content. The photos or videos are then publicly circulated on social media or pornographic websites, for the purpose of harassing victims or sextortion schemes.

To hear that children are now being inserted into deepfake creations is horrifying, though perhaps unsurprising. The way these attacks work is that potential victims are contacted through a variety of methods, most commonly by instant messaging apps. Here’s how the FBI describes sextortion:

Sextortion, which may violate several federal criminal statutes, involves coercing victims into providing sexually explicit photos or videos of themselves, then threatening to share them publicly or with the victim’s family and friends. The key motivators for this are a desire for more illicit content, financial gain, or to bully and harass others. Malicious actors have used manipulated photos or videos with the purpose of extorting victims for ransom or to gain compliance for other demands (e.g., sending nude photos).

There are a few different ways sextortion attacks can play out. One of the most basic forms is sending emails to people whose login details have been exposed in a password breach. The email claims to have nude photographs of the recipient and threatens to release the photos unless the recipient pays up. There are no images; it’s all a lie.

The more traditional form of sextortion is where a fraudster convinces the person they’re speaking to that they’re interested in romance, obtains revealing images of the victim, and then uses those images for blackmail. The victim is asked to pay money, often wired or through digital currency, or else the images will be sent to the victim’s friends and family. As it’s usually easy to build up a picture of someone’s network on social media like Facebook and Twitter, the pressure may well be too much for the person on the receiving end of such a scam.

That’s how it usually works. With deepfakes on the scene, a lot of the pre-scam work can simply be discarded. Now fraudsters go and grab some photos of their target, and feed those images into their faking tool of choice. All of that social engineering, along with the possibility of the victim not falling for it and never sending revealing images, is completely done away with. Why bother, when you can just swipe a photograph and press a few buttons?

The end result is the same. In fact, it’s arguably much worse, as the pornographic movie creations thrown together by these tools are almost always a lot more graphic than anything a target would probably have produced themselves. The pressure to pay up is going to be immense, and realistically, non-internet-savvy relatives or friends may not have even heard the word “deepfake” before. What are the chances of them knowing a file landing in their mailbox is fraudulent?

There are several general pieces of advice we can give when talking about the different sextortion tactics which exist:

  • Don’t engage: report. If you’re shown evidence of stolen images, report to your local authorities and the FBI as soon as you can. Never engage with the sextortionist.
  • Be cautious about what you say to someone online. When asked certain questions, be vague and never give specifics.
  • Remember that online, people can pretend to be someone they’re not, and can even look and sound like a different person with today’s technology.
  • Personalize your security and privacy settings. Lock down your accounts as much as you can, and keep as much hidden from public view as possible.
  • Data is typically forever. Remember that once you send something to someone—whether they’re a stranger, a romantic partner, relative, or friend—you have no control over where it goes next.
