Cybercrime

When we look at ‘sextortion’ and ‘email based extortion’ tactics used by threat actors we see a common pattern, one that leverages shame and fear. I’ve worked with some victims of this and it’s really not nice for them; the impacts are not just financial, they are emotional and sometimes more. Fortunately (for me) I don’t deal with this in volume, however I wanted to highlight something: the similarities between extortion and what I would describe as ‘security scanning’ shame scamming. Now you might think that’s a massive leap… but bear with me, I’ve been looking at this (CTI/OSINT) plus working with ‘victims’ for years…

I’ll be posting about some research I’ve done on DNSSEC shortly too. I’d kind of figured this topic was over years ago, but it’s recently come back on my radar; you know, sometimes ‘duty calls’. But let’s look at shame based extortion patterns for now:

Email-Based Extortion/Sextortion Flow

Here’s the typical progression:

1. Initial Contact & False Claims

  • Attacker sends bulk emails claiming they’ve compromised the target’s device/accounts
  • Common claim pattern: “I’ve been watching you via your webcam for months,” “I have videos of you visiting adult sites,” “I have your password”
  • Sometimes they include a real or old password (harvested from previous breaches) to create false credibility
  • Volume matters: send 100,000 emails and even a 0.1% response rate generates revenue

2. Artificial Urgency & Shame Leverage

  • Frame the demand around something socially embarrassing (real or fabricated)
  • “I’ll send these videos to your contacts unless you pay”
  • Set a tight deadline (24-48 hours typical)
  • Bitcoin/untraceable payment demanded
  • The shame component is the psychological weapon—victims often pay before telling anyone

3. Technical Reality Check

  • Most campaigns are low-effort: attacker doesn’t actually have footage or deep device access
  • They’re banking on:
    • Webcams people already feel insecure about
    • Guilt/paranoia overriding rational thought
    • Social fear preventing victims from discussing it
    • Plausible deniability (many people visit adult content, password reuse is widespread)

4. Why It Works at Scale

  • Cost per email: negligible
  • Conversion rate only needs to be ~0.01-0.1% for profitability
  • Most targets won’t verify claims or seek help
  • No need for sophisticated malware—pure social engineering
  • Bitcoin payments are traceable at the blockchain level but harder to attribute operationally

5. Common Variations

  • Business targeting: “I’ve hacked your company’s servers, paying me is cheaper than a breach disclosure”
  • CEO fraud hybrid: fake executive authority + extortion threat
  • Credential harvesting: Follow-up phishing link if victim clicks anything
  • Ransomware precursor: Some campaigns are reconnaissance for actual hands-on ransomware

6. Operational Indicators

  • Mass mail infrastructure (often compromised or bulletproof hosting)
  • Bulk payment wallets (clustering on blockchain)
  • Language patterns (template-driven, often with translation artifacts)
  • Timing: waves often coordinated with known breach dumps

Defense/Response Angles

  • Detection: Email filtering on threat indicators (known extortion phrases, payment demands, urgency language)
  • User awareness: teaching people these are bluffs; an attacker who actually held footage could prove it, and wouldn’t need a recycled breach password to seem credible
  • Incident response: If real footage exists, it points to actual compromise (malware, account access, physical surveillance)
  • Blocking: Bitcoin wallet monitoring, payment gateway flags

The core scam mechanic: Exploit the gap between what attackers claim and what victims believe is possible, using shame to bypass rational skepticism. It’s low-friction, high-volume fraud that preys on privacy anxiety more than actual technical compromise.
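As an added example (not code from the original post), here is a small indicator scorer of the kind the detection bullet above describes, run over two constructed messages: one extortion template carrying a surveillance claim, a recycled password, a deadline and a Bitcoin address, and one ordinary password-reset mail that shares only the deadline. The phrase list, weights and threshold are illustrative assumptions, not a tuned ruleset.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not real victim mail) used to exercise the scorer.
SAMPLES = {
    "extortion": """Subject: Your account was hacked
I have been watching you through your webcam for months. I know your password: hunter2.
I have a video of you visiting adult sites. Send 500 USD in bitcoin to
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq within 48 hours or I send it to all your contacts.""",
    "benign": """Subject: Password reset
Hi, you asked to reset your password. Click the link within 24 hours.
If you did not request this, ignore this email.""",
}

# Indicator patterns matched against the lower-cased body.
# Weights are assumptions for illustration, not a trained model.
INDICATORS = [
    ("surveillance_claim", r"\b(watching you|webcam|recorded you|video of you)\b", 3),
    ("credential_bait",    r"\b(i know your password|your password is)\b", 3),
    ("shame_leverage",     r"\b(adult sites?|porn|your contacts|your family|embarrass)\b", 2),
    ("deadline",           r"\b(\d{1,3})\s*(hours?|days?)\b", 1),
    ("crypto_demand",      r"\b(bitcoin|btc|monero|xmr)\b", 2),
]

# Bitcoin address shapes: bech32 (bc1...) and legacy Base58 (1.../3...).
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
)


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    addresses: list = field(default_factory=list)
    label: str = "clean"


def score_message(text: str, threshold: int = 6) -> Verdict:
    """Score one message; 'extortion' when weighted indicators reach the threshold."""
    lowered = text.lower()
    verdict = Verdict(score=0)
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, lowered):
            verdict.hits.append(name)
            verdict.score += weight
    # Address extraction runs on the original text; bech32 is case-insensitive in
    # practice but the regex above expects the lower-case form scammers paste.
    verdict.addresses = BTC_ADDRESS.findall(text)
    if verdict.addresses:
        verdict.hits.append("btc_address")
        verdict.score += 3
    # A deadline on its own is normal mail (resets, invoices); it only counts
    # alongside a threat, so a lone deadline hit is discarded.
    if verdict.hits == ["deadline"]:
        verdict.score = 0
        verdict.hits = []
    verdict.label = "extortion" if verdict.score >= threshold else "clean"
    return verdict


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = score_message(body)
        print(f"{name}: {v.label} score={v.score} hits={v.hits} addresses={v.addresses}")
```

The useful output for an analyst is not the label but the extracted address: it is the pivot to the wallet clustering and campaign-timing work discussed later, and it is the same across thousands of otherwise re-worded messages.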

What if we didn’t use ‘SEX’ but used DNSSEC and TLS shaming?

The Attack Flow

Phase 1: Low-Effort Enumeration

  • Pull public data from standard sources (Shodan, SecurityTrails, crt.sh, DNSViz)
  • Check for missing DNSSEC, weak TLS configs, self-signed certs, expired certificates
  • No actual compromise needed—just public DNS/certificate data
  • Cost: negligible, fully automated

Phase 2: Amplified Credibility Claims

  • LinkedIn reconnaissance identifies board members, security officers, customers
  • Craft personalized emails claiming “critical infrastructure vulnerabilities discovered”
  • Language: “Your domain lacks DNSSEC protection,” “We detected TLS misconfigurations allowing MITM attacks”
  • Sound technical but wildly overstated (DNSSEC absence ≠ “totally compromised”)

Phase 3: Multi-Vector Pressure

  • Email the organization’s security/board contacts
  • Email their customers: “We’ve discovered your vendor has critical DNS weaknesses”
  • Email regulators/sector bodies: “Organization X lacks industry standard DNSSEC implementation”
  • Creates perceived urgency from multiple directions

Phase 4: Monetization

  • “We offer comprehensive DNS/TLS security scanning and remediation”
  • Service fees: $5k–$50k depending on org size
  • Or: “vulnerability disclosure” angle → demand payment to not publicize findings

Structural Parallels to Extortion

Dimension                  | Sextortion                     | DNS/TLS scam
---------------------------|--------------------------------|-----------------------------------------------
False claim                | “I have your videos”           | “Your DNS is critically vulnerable”
Authority exploitation     | Fake technical knowledge       | Real but exaggerated technical claims
Shame/reputation threat    | “I’ll send to your contacts”   | “I’ll email your customers/regulators”
Urgency mechanism          | 24–48 hour deadline            | “Immediate remediation required”
Multi-stakeholder pressure | Contact list spam              | Board + customers + regulators
Monetization               | Direct payment (crypto)        | “Security service” fee (legitimate appearance)
Actual compromise          | None (usually)                 | None (public data only)
Low cost to attacker       | Email + template               | Automated scanning

Why This Is Harder to Dismiss

Compared to sextortion, this variant is harder for a target to dismiss because:

  1. Legitimate technical basis: DNSSEC/TLS configs ARE real security controls. The claims aren’t completely fabricated—they’re exaggerated truths
    • Missing DNSSEC is a thing, but it’s not “total compromise”
    • Weak TLS can be problematic, but public scanning findings ≠ active exploitation
  2. Regulatory pressure amplification:
    • Sector regulators and national authorities (the NCSC, for example) do care about DNS security
    • Email from “security researcher” to regulator creates perceived legitimacy
    • Organization now fears regulatory scrutiny more than the actual vulnerability
  3. Multi-layer consensus illusion:
    • Board gets an email
    • Customer gets an email
    • Regulator gets an email
    • Organization thinks “multiple independent parties are concerned”
    • Actually one actor, different email addresses
  4. Professional veneer:
    • Not asking for Bitcoin (looks less scammy)
    • Offering actual service (security scanning legitimately exists)
    • Can point to real configuration findings
    • Creates plausible deniability: “We’re just providing legitimate security services”

Operational Reality Check

What’s actually happening:

  • Actor: “Your DNSSEC is missing”
  • Reality: DNSSEC is optional, not required; most orgs don’t use it
  • Actor: “Your TLS has weak ciphers”
  • Reality: a scan of the public endpoint shows what the server is willing to negotiate; it doesn’t show that anyone has exploited it
  • Actor: “We can fix this for $X”
  • Reality: Organization can fix it themselves; paying for the service doesn’t actually improve security posture vs. internal remediation

What makes it effective:

  • Security officers are under pressure to improve posture
  • Regulators do have frameworks that mention DNS security
  • The technical claims have just enough truth to not be instantly dismissed
  • Multiple contact points create perceived convergence of threat signals

Detection / Attribution Angles

Threat indicators:

  • Identical scanner signatures across emails (same scanning tool output)
  • Generic personalization (templates filled in from OSINT)
  • Regulatory bodies reporting similar contact patterns
  • Service pricing suspiciously quick (implies pre-built offering, not custom assessment)
  • Follow-up emails if org doesn’t respond (sales funnel behavior)

Blockchain angle (if crypto payment):

  • Clustering of payment wallets
  • Timing correlation with mass email campaigns
  • Bitcoin tumbling patterns
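An added example, not part of the original post, of the wallet clustering mentioned above (and in the sextortion section): the common-input-ownership heuristic, where every address spent as an input of one transaction is assumed to belong to the same key holder, applied with union-find to a constructed set of transactions, then used to pull the payments into that cluster during a mail-wave window. Transaction data, timestamps and address names are made up for illustration; a real analysis would feed in parsed chain data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transactions (not real chain data). Each victim pays a different
# address; days later the actor sweeps all three into one withdrawal, and that
# sweep is what links the addresses. "u1" is unrelated traffic.
TXS = [
    {"txid": "v1", "inputs": ["victimA"], "outputs": [("bc1scam1", 0.010)], "time": "2024-03-01T10:00"},
    {"txid": "v2", "inputs": ["victimB"], "outputs": [("bc1scam2", 0.020)], "time": "2024-03-01T11:30"},
    {"txid": "v3", "inputs": ["victimC"], "outputs": [("bc1scam3", 0.015)], "time": "2024-03-02T09:00"},
    {"txid": "sweep", "inputs": ["bc1scam1", "bc1scam2", "bc1scam3"],
     "outputs": [("bc1exchange", 0.044)], "time": "2024-03-05T00:00"},
    {"txid": "u1", "inputs": ["unrelated"], "outputs": [("bc1other", 1.0)], "time": "2024-03-01T10:05"},
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: all inputs of a single transaction are
    assumed to be controlled by one party, so they are merged into one cluster.
    Single-input transactions add no linkage and are skipped."""
    uf = UnionFind()
    for tx in txs:
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def cluster_of(txs, addr):
    """The cluster containing addr, or a singleton if it was never co-spent."""
    for cluster in cluster_by_common_input(txs):
        if addr in cluster:
            return cluster
    return frozenset({addr})


def payments_into(txs, cluster, window_start, window_hours):
    """Payments received by any cluster address inside a campaign window, for
    correlating wallet activity with an observed mail wave."""
    start = datetime.fromisoformat(window_start)
    end = start + timedelta(hours=window_hours)
    hits = []
    for tx in txs:
        when = datetime.fromisoformat(tx["time"])
        if not (start <= when < end):
            continue
        for addr, amount in tx["outputs"]:
            if addr in cluster:
                hits.append((tx["txid"], addr, amount))
    return hits


if __name__ == "__main__":
    scam = cluster_of(TXS, "bc1scam1")
    print("cluster:", sorted(scam))
    print("payments in 48h window:", payments_into(TXS, scam, "2024-03-01T00:00", 48))
```

This heuristic is exactly what tumbling and CoinJoin-style mixing are built to defeat, and exchanges and custodial services also co-spend customer funds, so a cluster is a lead for attribution and for timing correlation, not proof of a single operator.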

Email forensics:

  • Mass mail infrastructure footprints
  • Sender reputation (new domains, bulletproof hosting patterns)
  • Content analysis: template variations across targets
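An added example (not the author’s tooling) for the template-signature and multi-sender indicators above: each constructed message is normalised by replacing the target domain, the fee, the report reference and recipient-specific framing with placeholders, hashed, and grouped, so the board, customer and regulator mails sent from three different addresses resolve to one campaign while a genuine one-off report does not. Message contents, addresses and field names are made up for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed inbound messages (not real mail). One template reaches a board
# contact, a customer and a regulator from three sender addresses with a
# different fee and reference each time; the fourth is an unrelated report.
MAILS = [
    {"from": "research@scan-alerts.example", "to": "board@acme.example",
     "body": "Our scanners detected that acme.example lacks DNSSEC protection and has "
             "TLS misconfigurations allowing MITM attacks. Immediate remediation required. "
             "Our team can remediate for $25,000. Report ref SC-4471."},
    {"from": "disclosure@secure-advisory.example", "to": "procurement@bigcustomer.example",
     "body": "Our scanners detected that your vendor acme.example lacks DNSSEC protection and has "
             "TLS misconfigurations allowing MITM attacks. Immediate remediation required. "
             "Our team can remediate for $25,000. Report ref SC-4472."},
    {"from": "alerts@dns-watch.example", "to": "incidents@regulator.example",
     "body": "Our scanners detected that acme.example lacks DNSSEC protection and has "
             "TLS misconfigurations allowing MITM attacks. Immediate remediation required. "
             "Our team can remediate for $40,000. Report ref SC-4473."},
    {"from": "jane@uni.example", "to": "security@acme.example",
     "body": "Hi, while testing I noticed login.acme.example returns a stack trace on "
             "malformed input; steps attached. No payment expected, happy to help reproduce."},
]


def normalise(body: str) -> str:
    """Strip the per-target fields a template filler varies, leaving the skeleton."""
    text = re.sub(r"\b[A-Z]{2,}-\d+\b", "<ref>", body)               # ticket/report refs
    text = re.sub(r"\$\s?\d[\d,]*(?:\.\d+)?", "<amount>", text)        # quoted fees
    text = text.lower()
    text = re.sub(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", "<domain>", text)     # target domains
    text = re.sub(r"\b(your vendor|the organi[sz]ation)\s+", "", text)  # recipient framing
    text = re.sub(r"[^a-z<>\s]", "", text)                             # punctuation, digits
    return re.sub(r"\s+", " ", text).strip()


def template_id(body: str) -> str:
    """Short stable signature of the normalised template."""
    return hashlib.sha256(normalise(body).encode()).hexdigest()[:12]


def cluster_campaigns(mails):
    """Group messages by template signature; report groups that hit more than one
    recipient, with the distinct sender addresses behind each."""
    groups = defaultdict(list)
    for mail in mails:
        groups[template_id(mail["body"])].append(mail)
    return {
        tid: {
            "count": len(ms),
            "senders": sorted({m["from"] for m in ms}),
            "recipients": sorted({m["to"] for m in ms}),
        }
        for tid, ms in groups.items()
        if len(ms) > 1
    }


if __name__ == "__main__":
    for tid, info in cluster_campaigns(MAILS).items():
        print(tid, info)
```

Three senders and three recipients on one signature is the “one actor, different email addresses” pattern: the signature, not the From header, is what a sector body or a customer should be asked to compare when it reports “we got one too”.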

Why This Matters More Than Sextortion

This attack variant:

  • Works on security-aware orgs (because it uses legitimate security terminology)
  • Scales to entire sectors (vertical targeting: finance, healthcare, critical infrastructure)
  • Creates secondary supply chain pressure (customers pressure vendors)
  • Weaponizes regulators (org gets formal inquiries, amplifying perceived legitimacy of threat)
  • Has plausible deniability (legitimate security services exist; hard to prove intent was fraud)

It’s extortion (or as near to it as possible) that looks like a security audit, which makes it far more dangerous operationally.


The core scam mechanic: Exploit the gap between public weakness detection and actual exploitability, using regulatory/customer pressure instead of shame, then monetize through a legitimate-appearing security service.

Using images to shame

Now I’m clearly not going to post someone naked, but I am going to show some examples of what people might do if they want to try and publicly shame you over your DNSSEC config (or lack of it). Expect lots of RED boxes and highlighting of ‘INSECURE’ etc. using tools like DNSViz:

I’ve shown the UK NCSC (part of GCHQ) domain here, where they have explicitly chosen not to enable DNSSEC. We can see my own company domain as well:

With my domain I have total control, and I’ve chosen not to deploy it: the security ‘gains’ I get by signing are outweighed by the risks that come with it. I’ve got other controls in place, and if people think I’m using email as ‘secure comms’ they probably need a lesson in secure comms, but that’s another topic.

Summary

The world of ‘security’ is a complex one; we have forever seen people abuse FUD and shame to ‘sell’. There’s a fine line between things being legal but morally questionable and being illegal. Hopefully this post helps people understand a bit about shame based scamming and questionable ‘sales techniques’ which use very similar methods to ‘sextortion’ scammers.

Proving intent is difficult, but I’m not a court of law; I am, however, not terrible at this digital security game! Also a shout out to all the amazing security community members who don’t lead with FUD and use science, education, communication and understanding to help friends, family and organisations be safer both IRL and in cyberspace!