This article is the second part of a two-part series on the recent upsurge in sextortion. Part 1 detailed the nature and scope of the threat, applicable criminal statutes, and background on the primary threat actor – the distributed groups of the Yahoo-boys primarily in West Africa. Part 2 summarizes tactics, techniques, and procedures being used by the Yahoo-boys to conduct sextortion-at-scale, why juveniles are targeted, preventative/protective measures, steps to deal with sextortion, and provides a sampling of additional resources.
Tactics, Techniques, and Procedures
Developing a sextortion attack capability is neither expensive nor time-consuming. It requires relatively little technical skill and does not require the actual compromise of the target’s computer. The strategies vary, based on the target specifics, and can involve:
- Catfishing/Scamming: Someone sends you a message from a fake social media account. They share an intimate image of themselves (that might be stolen from someone else or created using artificial intelligence – AI) and ask you to share one back.
- Grooming: Someone spends time building a friendship or relationship with you online so that you start to trust them and feel OK about sharing intimate messages and images
- Hacking: Someone claims to have hacked your device or account and found intimate images of you (they might have hacked it or they might just be saying they have hacked it)
- Revenge: A former partner who wants to reconcile or humiliate you gets in touch to say they are going to publish intimate images that you had previously sent to them or allowed them to take
- Editing: Someone contacts you and threatens to create inappropriate images (deepfakes) of you via digital editing tools or AI (Yubo)
Two major categories of operational tools are generally deployed:
- Tools for facilitating the commission of crime in cyberspace: laptop, mobile phone, printer, Internet, virtual private network (VPN), internet protocol (IP) log-ins, etc
- Tools for making cash payments: Bitcoin, Blockchain, Cash App, Ethereum, iTunes, PayPal, Steam, Venmo, Zelle, gift cards, etc
Data needed to identify potential victims are readily available online, supplemented via a mix of underground online forums, criminal contacts, data aggregators, people databases, youth sports email databases, and/or collected via social engineering/phishing/spoofing techniques.
The Yahoo-boys develop and openly share their multi-sextortion tactics, techniques, and procedures (TTPs) by advertising their services or offering training courses via social media (Facebook, Instagram, Scribd, Snapchat, TikTok, YouTube, etc), sharing templates of messages to victims and examples of fake social media personas they can replicate. Numerous videos posted to Yahoo Boy networks on TikTok and YouTube provide instruction about how to exploit generative artificial intelligence (GenAI) applications to create content, including text, images, audio, or video, to target victims in sextortion-at-scale operations using false identities or deepfake images, AI voice cloning/changers, AI chatbots, etc, to initiate and sustain interactions with targets. Cybercriminals can program these conversational agents to engage in dialogue that gradually escalates in a sexual nature, encouraging and inducing targets to share and/or reciprocate nudes or other explicit content. Once the content is obtained, it can be weaponized to facilitate sextortion.
TTP summary:
- Create several email addresses and/or obtain many different telephone numbers to establish fake online personas and/or hack accounts to use across various websites (dating, online classifieds, etc), forums, chat rooms, social media platforms and messaging applications
- Generate multiple friend/follow requests to obtain victims’ friends, followers and following lists, e.g. using catfish accounts on Instagram, Snapchat, etc, that impersonate young females to send hundreds of thousands of Follow requests to boys. They are targeting literally every youth sports team in America they can find. Soccer, lacrosse, hockey, and football teams appear to be the most common targets. The moment a teen accepts the request, the criminal takes screenshots of the target’s Instagram Followers and Following lists
- Send victims extremely threatening, manipulative and convincing socially-engineered emails and messages, e.g. lure the minors to Snap, where they coerce them to send an explicit photo. In a supermajority of cases, the criminals show the victim screenshots of their Followers and Following lists. This gives criminals immense leverage to use as blackmail, threatening to send the compromising photos to all the victim’s friends and family. These lists are the primary source of leverage in nearly all financial sextortion schemes targeting minors. Passwords are another source of leverage and are collected from published usernames and passwords from old website breaches, data aggregators, and/or people databases, all widely available on the Internet
- Barrage victims with incessant texts and iMessages (various Paul Raffile LinkedIn posts/comments)
There are several variations on the above based on the strategy employed — a sampling follows:
- A Yahoo-boy pretending to be a young female makes a post indicating interest not just for new contacts but probably more. When people seeking hookups, extramarital affairs, etc, respond, the Yahoo-boys initiate contact and collect all useful personally identifiable information (PII) about the victim, e.g. name, mobile phone, location, sexual preferences, etc. Details are published on the forum, as well as conversations and pictures. To have the information removed, the victim has to register on the forum and pay some money to “help the project.” The problem is that, even if the victim pays, the forum is indexed by search engines. This makes the process of removing the PII very difficult, if not impossible (SANS Technology Institute)
- The sexual grooming process includes identifying a minor, establishing a connection by offering support and attention to the minor, befriending them, gaining their trust, gathering personal information about them, exploiting any vulnerabilities they may have, and lowering their inhibitions by talking, joking, and teaching a minor about sex. Because minors today may feel more comfortable chatting and sending images and videos over the internet, long-term sexual grooming is often unnecessary
- Pretending to be minor boys and girls, a Yahoo-boy will stream pre-recorded videos (often referred to as loops) of other minors engaged in sexual acts to the targeted victim to trick the minor into believing they are watching a live video of someone their own age. This normalizes the sexual behavior and makes children feel more comfortable exposing themselves over a broadcast. Using peer pressure, an offender convinces the minor to engage in sexual acts like those shown to them on the pre-recorded videos. The victim may be unaware he or she is communicating with an adult and that the adult is recording the minor’s sexually explicit activity (National Strategy for Child Exploitation Prevention and Interdiction 2023, Subject Matter Expert Working Group Report)
Why Juveniles Are Targeted
Today’s average juvenile likely has some online privacy and security knowledge, but may not consistently put this knowledge into practice. Their online privacy practices often vary based on context, e.g. how juveniles use email may differ from how they use social media or games, or whether they are online at home or at some other location. They may be circumspect with strangers but very willing to share material with other juveniles, some of whose online security practices may be lacking (Usenix). These technical vulnerabilities, combined with socio-economic vulnerabilities (loneliness, poverty, lack of education or poor school systems, unstable/abusive home situation, substance abuse, etc), make this demographic group very susceptible to social engineering tactics designed to exploit human vulnerabilities. By leveraging publicly available information, the Yahoo-boys can manipulate juveniles into unwittingly disclosing PII to aid their cons.
Preventative/Protective Measures
The Yahoo-boys’ top threat vectors of choice for initial compromise generally entail social engineering/phishing/spoofing, vulnerability exploitation, and using compromised credentials.
Online Best Practices: Best practices stand the test of time as the first line of defense:
- Not clicking on suspicious links or opening attachments
- Updating software
- Using strong password hygiene and multi-factor verification
FBI recommendations:
Online users:
- NEVER send compromising images of yourself to anyone, no matter who they are and/or who they say they are
- Use discretion when posting images, videos, and personal content online
- Apply privacy settings on social media accounts—including setting profiles and your friends lists as private—to limit the public exposure of your photos, videos, and other personal information
- Exercise caution when accepting friend requests, communicating, engaging in video conversations, or sending images to individuals you do not know personally
- Do not provide any unknown or unfamiliar individuals with money or other items of value
- Use discretion when interacting with known individuals online who appear to be acting outside their normal pattern of behavior
- Secure social media and other online accounts using complex passwords or passphrases and multi-factor authentication
Parents:
- Research the privacy, data sharing, and data retention policies of social media platforms, apps, and websites and discuss with your children before allowing them to upload and share images, videos, or other personal content
- Monitor children’s online activity and discuss risks associated with sharing personal content
- Run frequent online searches of the family’s PII to help identify the exposure and spread of PII on the internet
- Consider using reverse image search engines to locate any photos or videos that have circulated on the internet without your knowledge
Counter-GenAI Techniques
Voice Clones: Today, one needs only three seconds of an individual’s voice to clone it and use a text-to-speech API to generate authentic-sounding fake voices. If something seems suspicious in a phone call or sounds off in a conversation where sensitive information is being discussed, paraphrase and repeat what was said to verify the accuracy. Doing this will trip up the chatbot, which still struggles to understand basic conversational cues because it needs to access both the text-to-speech APIs and the chatbot telling it what to do (IBM).
Steps to Deal With Sextortion
If you become a target of sextortion, it is normal to feel betrayed and vulnerable, and to want to do anything to make the situation go away. Do not panic, think the situation through, and take the following steps, as appropriate, for your situation:
- Do not give in to the sextortionist’s demands or pay them any money
- Don’t engage or communicate with them
- Document their extortion/threats with screenshots. You can, and should, block them but do not delete the conversations
- Report what is happening. If you’re a minor, tell your parents. You can decide if you want to contact the police or report elsewhere. FBI online, 1-800-CALL-FBI; NCMEC online, 1-800-THE-LOST, Take It Down (for help to remove nude photos online and prevent them being uploaded altogether); Cybercrime Support Network
- Report suspicious user IDs via the social media platform’s reporting feature (check settings or on the user’s profile page) together with supporting evidence (screenshots, links, etc) (Organization for Social Media Safety)
Additional Resources
Canadian Centre for Child Protection (C3P), An Analysis of Financial Sextortion Victim Posts Published on r/Sextortion, Nov 2022
Cyberbullying Research Center, Sextortion, Sextortion Among Adolescents, Sextortion: More Insight Into the Experiences of Youth
Cybercrime Support Network, Extortion Scams, Revenge Porn and Sextortion
Cybersecurity & Infrastructure Support Agency, Avoiding Social Engineering and Phishing Attacks, Protecting Your Privacy
FBI
- Sextortion includes information on what kids, teens, and caregivers need to know
- For-Profit Companies Charging Sextortion Victims for Assistance and Using Deceptive Tactics to Elicit Payments, I-040723-PSA, 7 Apr 2023
- Malicious Actors Manipulating Photos and Videos to Create Explicit Content and Sextortion Schemes, I-060523-PSA, 5 Jun 2023
Federal Trade Commission, Online Privacy and Security
Financial Crimes Enforcement Network (FinCEN) notice, “FinCEN Calls Attention to Online Child Sexual Exploitation Crimes,” FIN-2021-NTC3, 16 Sep 2021
Internet Watch Foundation
- Report Remove tool
- Sextortion Resources
- Teenage boys targeted as hotline sees ‘heartbreaking’ increase in child ‘sextortion’ reports, 18 Mar 2024
National Center on Sexual Exploitation, Dirty Dozen List 2023
Organization for Economic Co-operation and Development (2023), Transparency Reporting on Child Sexual Exploitation and Abuse Online, OECD Digital Economy Papers, No. 357, OECD Publishing, Paris, examines the policies and procedures of the world’s top-50 global online content-sharing services related to child sexual exploitation and abuse (CSEA) material, providing an objective factual snapshot in time of the services’ current practices, with a focus on transparency reporting. Annex B. Profiles of the Top-50 Services, addresses sextortion in the Terms of Service (ToS) or Community Guidelines/Standards for Facebook, Snapchat, and Google Drive.
Rajwani, K, Sextortion Red Flags, provides a compilation of Follow the Money sextortion resources for the banking industry based on work by the C3P, the Australian Institute of Criminology, and the National Center for Missing and Exploited Children
Rape, Abuse & Incest National Network, Social Media Safety provides social media safety tips, including how to report, block, and filter content on various platforms like Twitter, Instagram, Facebook, Pinterest, Snapchat, Tumblr, LinkedIn, Spotify, and Venmo
Reddit, r/Sextortion is the world’s largest sextortion support forum and provides insight into some of the methods and tactics used by cybercriminals and what to do about them
Sampling of services to check if your email address and credentials have been exposed:
The App Danger Project listing of apps (181 as of this article) by the number of reviews from the app stores where users have reported dangerous situations for children
Thorn
- Stop Sextortion
- Self-Generated Child Sexual Abuse Material: Youth Attitudes and Experiences in 2021 is the only annual tracking survey of its kind monitoring changes in minors’ behaviors and attitudes related to self-generated child sexual abuse material (SG-CSAM)