Owners of Google’s Nest smart home camera are being targeted in a ‘sextortion’ campaign that threatens to leak compromising footage if a ransom is not paid.
The perpetrators claim to have footage of the victim having sex, obtained through Google’s indoor camera, which lets homeowners keep tabs on their houses remotely via their smartphones.
The scammers then threaten to upload the footage to porn sites within a week if the victim doesn’t pay 500 euros (£428) in Bitcoin.
The campaign was detected by cyber security company Mimecast, which has gone on to trace almost 1,700 sextortion emails, mainly directed at people in the US.
Mimecast told MailOnline that scammers don’t have any compromising footage obtained from Nest devices, and that they are merely ‘praying on people’s fears’ about the vulnerability of smart devices to steal money.
Google’s nest camera was found to contain several vulnerabilities that opened the camera up to attack and ‘complete takeover.’
HOW DOES THE GOOGLE NEST ‘SEXTORTION’ SCAM WORK?
Victims receive an initial email saying ‘we have nude videos of you’.
It then gives an email username and password for the victim to log in to and tells then to open an email with subject tagged READ ME.
In that email, a bright red screen appears with dummy shots of the interior of a house, obtained from a Nest camera.
Text below says: ‘We have pornographic type home videos of you already recorded and we intend publishing them all over the internet.’
At the bottom of this message, victims are told to send an email to a hacked Gmail account.
A reply to that email instructs victims to log in to yet another email account.
Inside this account, in an email under the subject ‘Instructions’, victims are told how to pay the Bitcoin ransom.
The convoluted method is to help the perpetrators cover their tracks.
The scam email could initially enter the inbox of someone who doesn’t even own a Nest camera.
‘We’re not saying that they’ve hacked Nest cameras; it’s not really about Nest – they’re just making use of that,’ Mimecast head of data science overwatch Kiri Addison told MailOnline.
‘It could have been any IoT camera-type device that they’ve used.’
The scammers claim that they will release the footage unless the victim pays a ransom demand, in an unusual process that involves logging into two separate email accounts.
The whole process is an attempt to obscure the origin of the scam emails and other details that could possibly identify those responsible.
‘Sextortion campaigns are nothing new – we see numerous email based campaigns claiming to have hacked a victim’s laptop and recorded them through their webcam, usually they demand a ransom to be paid in bitcoin and contain a link to a bitcoin wallet,’ said Addison.
‘This campaign was more complex, featuring a number of additional steps and elements.
‘The additional steps make it harder to detect and track the campaign.’
Usually, a scammer email will link to payment options, such as a Bitcoin wallet.
But in this case, the first email does not say what the hackers want – just that they have the footage.
The scamming process starts by telling email recipients to log in to another email entirely
‘Imagine what we have seen you do,’ the scam message warns, which comes with a still of a random home to ‘scare’ the recipient
Victims are then given an email address and password to log in to an external email account
Inside this separate account is an email with a link to a site that contains footage downloaded from the Nest site – although this is not footage taken from the device of the victim in question and is just random shots of a home’s interior.
Victims are then directed to another email inbox entirely, where they are told the footage will be posted on public porn websites within one week if the ransom demand of 500 euros is not paid via Bitcoin.
‘You will have only ONE WEEK to load your Bitcoin wallet and to submit your Bitcoin wallet access information and then you can get on with your life,’ the email says.
In another option as stipulated by the scammers, victims must buy $600-worth of gift cards redeemable on Amazon, iTunes, Google Play, eBay and others, including US retail stores Best Buy and Target.
In the final part of the process, the last scam message email says supposed videos of victims will be viewable publicly on ‘iStripper XXX Porn’ if they do not pay up with Bitcoin or gift cards
They are then told to type out all the gift card PIN numbers and send them by email with photos of the back of each gift card – suggesting these particular scammers may be happy with funds for their weekly shop.
Addison emphasised that blackmailers do not have genuine footage of their victims, and that such emails can be safely ignored.
1,687 of these emails were sent to recipients in the US between January 2 to January 3 last year. Mimecast can’t estimate the number of successful attempts, however.
‘We think it’s highly likely that these could have been sent to more people, so we can’t say if those sent to people outside of Mimecast were successful or not,’ said Addison.
She added that the public’s fears about the vulnerability of smart devices are actually working to the advantage of scammers of this particular campaign.
This fear tends to make them believe the criminals could have accessed camera footage of them, making them more likely to follow the steps and pay the ransom.
However, smart home device owners are advised to keep pressure on manufacturers to install stronger security on their devices, which can be accessed due to vulnerabilities.
‘Anything connected to the internet from your home has the potential of being viewed by cyber criminals, so we have to put as many extra layers of protection in place to reduce this risk,’ said Jake Moore, specialist at internet security company ESET.
‘Many IoT devices lack basic security and usually the responsibility of security lies with the user to set up and control.
‘Seeing extortion linked to home security cameras may make you think twice about having such devices, when sensitive moments may be captured and placed on the cloud.’
Last year, researchers at Cisco Talos discovered eight different bugs in the Nest camera that would allow hackers to take it offline or steal its data.
Google released its Nest Hub Max security camera, with an in-built screen for video-chatting, last September.
WHAT IS GOOGLE’S NEST HUB MAX?
Nest Hub Max will launch this summer for $229
Google’s latest smart home device has a built in camera for video-chatting and even indoor security.
At the annual I/O developer conference, the firm unveiled the $229 Nest Hub Max that combines the features of Nest and Home Hub devices.
It has a 10-inch HD display, smart camera, and a rear-facing woofer to provide ‘full stereo sound.’
Nest Hub Max can be used to keep an eye on your home when you aren’t there, and comes with the ability to enable notifications for motion or unfamiliar people.
Google Duo capability also means it can be used for video calling on iOS and Android devices. ‘You can also use Duo to leave video messages for other members of your household,’ Google notes.
Nest Hub Max will launch in the US this summer for $229, along with the UK (£219) and in Australia (AUS$349).
The Nest Hub Max has a built-in camera with a wide-angle lens and 10-inch display