Affecting 1,700 people (mainly in the US), the scam was uncovered by email cyber security company, Mimecast, which said that the campaign started in early January.
The company clarified that, while Google Nest users weren't targeted exclusively, footage from Nest cameras was used as part of the campaign.
A sextortion email scam is when perpetrators claim to have compromising footage of the victim – which they'll then surrender once they have been paid. Usually, this initial email contains a link that allows the victim to pay the perpetrator (a Bitcoin wallet, for example), but in this case, victims were not initially directed to pay a ransom for the footage.
- The best security cameras of 2020
- The best antivirus software to protect your devices
- Read our Nest Cam IQ review
Instead, victims were given the login details to an email account, in which they would find an email containing a link to a site – this site hosted genuine footage downloaded from the Google Nest site, but crucially, the footage was not taken from the victim's camera.
Once there, victims were "directed to another email inbox, where they [were] told the footage [would] be posted within a week", unless they paid the scammers.
Mimecast's head of data science overwatch, Kiri Addison told Computer Weekly that by creating multiple steps, the scammers are "trying to make it harder for people to detect what’s happening".
In an example seen by Computer Weekly, the scammers reportedly asked for €500 (about $550 / £430 / AU$800) in Bitcoin, or gift cards or the likes of Amazon, iTunes, Best Buy, and Target.
According to Addison, these emails can be safely ignored. She explained: “The campaign is exploiting the fact people know these devices can be hacked very easily and preying on fears of that.”
“It is now widely known that many IoT (Internet of Things) devices lack basic security and are vulnerable to hacking, meaning that victims are more likely to believe the fraudsters’ claims, since the possibility of their device having really been hacked is highly plausible."
How the scammers gained access to the victims' email addresses or the Google Nest footage is unclear.
A spokesperson for Google told us: "Any incident where someone is made to feel unsafe in their home is deeply unfortunate and something Nest works hard to prevent. That’s why privacy and security are the foundation of our mission."
"Incidents like this campaign typically occur when a bad actor tries their luck with email addresses from databases of stolen information. Nest users who are contacted by these actors should not respond and we encourage them to contact Nest support if needed," they explained.
It's important to note that the scam wasn't the result of an IoT breach (that is, the victims' own security cameras were not actually hacked). While the footage was taken from the Google Nest site, it didn't actually belong to any of the victims targeted in sextortion campaign.
“The vulnerabilities are real. It is quite possible to hack a lot of these devices, but I think at the same time education around these extortion campaigns is really important so that people know not to fall for them,” Addison says.
How can we protect ourselves?
The potential for our smart home gadgets to be hacked and used against us as blackmail fodder does raise questions about whether they offer enough security for their users.
Jake Moore, cybersecurity specialist at internet security company ESET explains: “Anything connected to the internet from your home has the potential of being viewed by cyber criminals, so we have to put as many extra layers of protection in place to reduce this risk."
Whether that's enough to make you swap out your smart security camera for a regular 'dumb' camera comes down to how concerned you are about the possibility of hackers gaining access to that footage in the future – and that does seem unlikely.
So, how can we protect ourselves if we do choose to use smart devices? A Google spokesperson offered the following advice: "We offer several key protections to prevent the likelihood of hacks and keep our products secure. Two-factor authentication has already been enabled by millions of people."
"We also offer the option to migrate to a new Google Account. Privacy and security continue to be a focus for us, and we'll continue to introduce features that prevent these incidents from happening."
Moore echoes that: “Nest users should always enable two factor authentication on their device to help protect their account and data".
It's also important to keep an eye out for suspicious emails, "even when they purport to be from a platform they may have an account with", he says.
He continues: "People should be reminded not to click on links in emails even when they are from companies who they deal with, especially when they are requesting log in details to gain further access. It may be tempting to click away for ease of use or saving time, but it can be far more damaging if a cyber criminal gets access to your account.”
Via Computer Weekly