Bomb Threat Emails: Extortion Gets Physical


We’ve seen yet another change in tactics in the recent spate of extortion campaigns. Whereas the earlier emails tried to coax victims into paying a ransom by threatening to release sensitive information about their viewing of adult content online, extortionist actors have now upped the ante by making bomb threats. Digital Shadows has been able to analyse a series of these bomb threat emails. In this blog, we provide six things we know so far.

At the time of writing, this campaign:

1. Does not appear to be legitimate. While these emails have led to several building evacuations and panicked calls to emergency services and law enforcement around the world, as yet no credible evidence has emerged to indicate this is anything but a hoax. The US-CERT recommends reporting the email to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center or to a local FBI Field Office.

2. Is a fraction of the size of the sextortion campaigns. When Digital Shadows first started seeing these bomb threat emails on 13 December 2018, only a handful of emails had been sent in a short timeframe; the majority of emails we have observed were sent within a 15-minute window. In this time, the number of bomb threat emails being distributed was only 6% of what the sextortion campaign achieved during the same period (please note this is based on the emails we have directly observed). At its peak point of distribution in November (according to our data covering a four-month period), sextortion out-distributed the email bomb campaign by 250 times. Finally, whereas the sextortion emails have been sent as a constant stream over several days, these bomb threats all appear to have been sent in a very tight space of time, and as a one-off.

3. Does not use publicly available emails and credentials. In the sextortion campaigns, attackers were targeting email addresses found in anti-combo lists and public datasets, trying to socially engineer their victims by claiming to have stolen their passwords using malware or, in a later iteration of the campaign, a vulnerability affecting Cisco devices. In this bomb threat wave, we’ve observed extortion emails received by email accounts that do not appear in public combo-lists or leaked datasets.

4. Originates from a single Russian hosting provider. All of the emails we’ve observed have come from the same Russian hosting provider: reg[.]ru. Not all of the emails are spoofs of the target (victim) address, as seen in the sextortion campaigns (where the ‘from’ and ‘to’ email addresses were the same). As mentioned above, the ‘from’ addresses used in this latest campaign do not appear in public breaches, data dumps or search engine indexes. As it’s unlikely all the ‘from’ addresses were legitimately registered with the same Russian hosting provider, it appears the extortionists are still using spoofing techniques, albeit now also impersonating domains that don’t belong to the target organization.

5. Uses unique Bitcoin addresses and a slight variation in keywords. As with the previous sextortion campaigns, the changing of keywords in the text will have helped evade filtering and research efforts.

Figure 1: Example of one of the bomb threat emails sent in this latest campaign


6. Has not generated any money so far. The Bitcoin addresses we’ve tracked are all empty and, as yet, have not received any payments relating to these campaigns. It is unlikely that they will; something as serious as a bomb threat would only work against organizations. In any case, these types of emails are less likely to make it to business inboxes due to more advanced email filtering protections, and the information will very quickly be shared amongst peers and law enforcement, who would determine that the emails are a scam and warn against paying the ransom.
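A defender-side triage of the indicators listed in points 4 to 6: a visible From domain that does not match the path the message arrived by, a Bitcoin address that is unique to each message, and near-identical bodies with swapped keywords. This is an added example, not Digital Shadows’ code; the sample messages, domains and addresses are constructed, and the From/Return-Path comparison stands in for a full SPF/DMARC alignment check.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real campaign emails: one template with a
# swapped keyword, a distinct Bitcoin address in each, and a visible From
# domain that differs from the Return-Path the message actually arrived with.
SAMPLES = [
    "Return-Path: <x@mail-host-a.example>\nFrom: alerts@unrelated-one.example\n"
    "To: staff@victim.example\n\nA device is placed in your building. Transfer "
    "20000 USD to 1ConstructedSampAddrNumberUno12 before the end of the working day.",
    "Return-Path: <y@mail-host-a.example>\nFrom: alerts@unrelated-two.example\n"
    "To: info@victim.example\n\nAn explosive is hidden in your building. Transfer "
    "20000 USD to 1ConstructedSampAddrNumberDue12 before the end of the working day.",
    "Return-Path: <news@newsletter.example>\nFrom: news@newsletter.example\n"
    "To: staff@victim.example\n\nOur December newsletter is out.",
]
# Legacy (1.../3...) and bech32 (bc1...) address shapes.
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b")

def extract_btc(text):
    return BTC_RE.findall(text)

def sender_mismatch(msg):
    # From domain != Return-Path domain is a cheap spoofing indicator;
    # SPF/DMARC alignment results are the authoritative check.
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    return bool(frm and rp and frm != rp)

def fingerprint(body):
    # Mask addresses and amounts, keep the word set: a swapped keyword and a
    # unique payment address then cannot hide that two bodies share a template.
    text = re.sub(r"\d+", " NUM ", BTC_RE.sub(" ADDR ", body)).lower()
    return set(re.findall(r"[a-z]+", text))

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def analyse(raw_messages, threshold=0.6):
    # Per message: payment addresses, spoof flag, and the index of the first
    # earlier message built on the same template (None when nothing matches).
    results, prints = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = msg.get_payload()
        fp = fingerprint(body)
        match = next((j for j, p in enumerate(prints) if jaccard(fp, p) >= threshold), None)
        prints.append(fp)
        results.append({"addresses": extract_btc(body), "spoofed_from": sender_mismatch(msg),
                        "same_template_as": match})
    return results
```

Run against a mailbox export, the per-message addresses give the set to watch for payments, and the template matches group a wave together even when every message carries a different address and wording.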


This campaign, while far more aggressive in its tactics, is far less likely to be successful. One reason is the substantial media coverage it is currently receiving, with clear advice from law enforcement agencies not to pay the ransom.

The original sextortion campaigns were themselves a change of pace from the normal spam campaigns we are accustomed to. By using previously compromised emails and passwords, along with the threat of exposing potentially embarrassing online viewing habits, these campaigns had an air of credibility that might lead the right individual in the right circumstance to pay out. The tactics that have followed in these bomb threats, however, are far more bizarre, rushed, and lack the significant personalization of the sextortion threats (which focused on genuinely compromised victim credentials). If extortionist actors continue this trend, their chances of success will continue to wane.
