Virtual Kidnapping: when social engineering gets really nasty


If you thought that social engineering was all about phishing for credentials, think again. This threat mode also has a very nasty side in the form of virtual kidnapping.

Yes, virtual kidnapping is a very real thing and one that is worryingly starting to gain some momentum.

At the recent NetEvents Global Analyst Summit in San Jose, the opening keynote was entitled ‘The New Hacker’ and framed as offering insights from the US intelligence agency community. On the whole this involved MK Palmore (who heads up the cyber branch of the San Francisco FBI), Dr Ronald Layton (Deputy Assistant Director of the US Secret Service) and Michael Levin (formerly Deputy Director of the National Cyber Security Division of the US Department of Homeland Security) thinking rather carefully before saying anything. Indeed, the on the fly filtering as these guys spoke was almost palpable. So when one audience member asked whether encryption backdoors are a good idea, the answers avoided the usage of such things by law enforcement and instead suggested they were bad if they let threat actors perform criminal acts.

There were some more positive memorable moments. MK Palmore admitting that “getting hackers into the US criminal justice system is getting more difficult”, “encryption completely changes the landscape” and “anonymity allows for a level of activity we have not seen before,” for example. Or Ronald Layton stating that threat actors “all use Russian as a common modality for communication”, “the new caffeine is curiosity” (referring to the ease by which people are compromised by link-clicking) and “the hacker tools you see in use today would have been highly classified 20 years ago.”

Now you may have spotted that I haven’t quoted anything from Michael Levin as of yet. That’s because the most memorable moments with the former three letter agency man, and now CEO of the Center For Information Security Awareness (CFISA), were had later outside the conference hall as he pulled me to one side for a chat. Michael was keen to introduce himself, and have a conversation about the changing threatscape. I had only popped out during a discussion on software defined everything and intent-based networking (yawn) for a bathroom break; this turned into 30 minutes of some very interesting chat.

the criminals in this scam have done their homework

Perhaps the most interesting would be how Michael revealed that one of the more common pieces of social engineering, making full use of intelligence gleaned from social networks along with the compromising of mobile devices, is virtual kidnapping. If ever there was cause to rethink my mantra of ‘location based services aren’t that big a vulnerability to your security’ then this would be it.

Here’s how the scam, for that is what it is, works. You get a phone call from an unknown number informing you that a family member or loved one is being held hostage, and demanding a ransom be paid within a tight time limit or they will be physically harmed. More often than not you can hear someone in the background screaming for help.

Now you might think that this wouldn’t fool you, even for a moment. But what if that caller knew the name of the person they claim to have taken, inform you where they kidnapped them from (and that is outside their place of work, school or part of their usual routine) and maybe even throw in a description of what they are wearing? The last one might be gambling on you not remembering exactly what clothes they wore today, but if they have a recent photo or know the school uniform of a child then it’s these kind of details that can make all the difference.

As Michael Levin says “the criminals in this scam usually have done their homework including researching the victims’ social media sites and even hacking into the victim’s phone or computer.” Both are important pieces in the puzzle that builds a picture of believability in these virtual kidnapping cases. The former provides the background information, and you can build up a very accurate portrait of someone’s life, and the life of their family, from just an hour or so of browsing Facebook and Instagram. It certainly enables the daily routine and even ‘what are you wearing’ detail to be very believable indeed.

Often the threat actors here will wait until the supposed victim has posted a status that confirms they are ‘on the way’ somewhere, heading to the airport for a flight and so on. However, the latter is the real killer blow; once a threat actor has compromised your smartphone, hacked into the GPS let’s say, then they can track your movements so as to strike at the optimal time and also make it seem that they are indeed watching you.

there has been a resurgence in the threat of late

This is important, because for the scam to work they need to not only convince you that the threat is real, that it’s actually happening, but also to do so within an environment that leads you to panic and pay quickly without thinking it through too much. If they know where you are, and can direct you to the nearest place accepting Western Union money transfers, or suggest you take a right and park up in the supermarket car park, it makes everything very ‘real’ indeed.

Let’s get one thing straight here, the whole virtual kidnapping thing is not a new phenomena: it dates back at least two years to gangs in Mexico employing the tactic to scam money from American tourists. However, my conversation with Michael would suggest that there has been something of a resurgence in the threat of late.

Recent reports are appearing in the US media of this particularly aggressive form of social engineering. See The Root and Forbes for example.

Interestingly, the new cases appear to also be tied to South America with many of the threatening calls originating from either Mexico or Puerto Rico. Indeed, in a blog on the subject Michael warns that having recently travelled to either country could increase your risk of being victimised this way, as criminals may have gathered information about you while there.

In the summer, the FBI announced that a woman from Houston, Texas had been arrested in connection with making such virtual kidnap threats across three US states involving children of the intended victims from 2015. She is said to have worked in collaboration with others in Mexico. It is understood that ransoms of $28,000 (£21,000) were paid in money drops by two of the 39 victims. The charges included conspiracy to commit wire fraud and conspiracy to launder money. Although not charged with kidnapping, presumably as nobody was kidnapped, the accused still faces up to 20 years on each count should she be found guilty.

The FBI’s advice for dealing with the virtual kidnapping threat is pretty much common sense, but needs repeating as common sense can easily fly out of the window as panic flies in. Asking to speak to the supposed victim, so as to know if they are OK for instance, and if that’s not possible then request the ‘kidnapper’ calls you back using the victim’s phone. If the scammers are confident enough to try and bluff it out with a gang member pretending to be the victim, ensure you listen carefully to not only what they say bit how they say it. Ask questions that only the real person would know, and isn’t common knowledge or shared on social media. Or how about trying to contact them by phone, instant message, SMS or on social media? The FBI also advises against arguing or challenging the caller and instead remain calm and steady, and to contact law enforcement as soon as possible.

Michael Levin, unsurprisingly, advocates security awareness training in order to mitigate against the virtual kidnapping threat saying “being aware of new crimes and scams in the news is a fundamental part of security awareness training.” I’m inclined to agree with him on this one, as education and awareness has to reduce the risk of being victimised. User awareness training at work, if done properly, also extends like ripples on water out to family and friends in the form of ‘did you know about…’ conversations.