Bomb Threat Emails: Extortion Gets Physical

Share and earn Cybytes
Facebook Twitter Google+ LinkedIn Email

We’ve seen yet another change in tactics for the recent spate of extortion campaigns. Whereas before these emails tried to coax victims into paying a ransom under the pretence of releasing sensitive information about watching adult content online, extortionists actors have now upped the ante by making bomb threats. Digital Shadows has been able to analyse a series of these bomb threat emails. In this blog, we provide six things we know so far.

At the time of writing, this campaign:

1. Does not appear to be legitimate. While these emails have led to several building evacuations and panicked calls to emergency services and law enforcement around the world, as yet no credible evidence has emerged to indicate this is anything but a hoax. The US-CERT recommends reporting the email to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center or to a local FBI Field Office.

2. Is a fraction of the size of the sextortion campaigns. When Digital Shadows first started seeing these bomb threat emails on 13 December, 2018, only a handful of emails had been sent in a short timeframe; the majority of emails we have observed were sent within a 15-minute window. In this time, the number of bomb threat emails being distributed was only 6% of what the sextortion campaign achieved during the same period (please note this is based on the emails we have directly observed). At its peak point of distribution in November (according to our data covering a four-month period), sextortion out-distributed the email bomb campaign by 250 times. Finally, whereas the sextortion emails have been sent as a constant stream, over several days, these bomb threats all appear to have been sent in a very tight space of time, and as a one-off.

3. Does not use publicly available emails and credentials. In the sextortion campaigns, attackers were targeting emails found in anti-combo lists and public datasets, trying to socially engineer their victims by claiming to have stolen their passwords by using malware or, in a later iteration of the campaign, a vulnerability affecting Cisco devices. In this bomb threat wave, we’ve observed extortion emails received by email accounts that do not appear in public combo-lists or leaked datasets.

4. Originates from a single, Russian hosting provider. All of the emails we’ve observed have come from the same Russian hosting provider: reg[.]ru. Not all of the emails are spoofs of the target (victim) address, as seen in the sextortion campaigns (where the ‘from’ and ‘to’ email addresses were the same). As mentioned above, the ‘from’ addresses used in this latest campaign do not appear in public breaches, data dumps and search engine indexes. As it’s unlikely all the ‘from’ emails were legitimately registered to the same Russian hosting provider, it appears the extortionists are still using spoofing techniques, albeit they are also impersonating domains that don’t belong to the target organization.

5. Uses unique Bitcoin addresses and a slight variation in keywords. As with the previous sextortion campaigns, the changing of keywords in the text will have helped evade filtering and research efforts.

Figure 1: Example of one of the bomb threat emails sent in this latest campaign


6. Has not generated any money so far. The Bitcoin addresses we’ve tracked are all empty and, as of yet, had not received any payments relating to these campaigns. It is unlikely that they will; something as serious as a bomb threat would only work against organizations. In any case, these types of emails are less likely to make it to business inboxes due to more advanced email filtering protections, and the information will very quickly be shared amongst peers and law enforcement, who would determine that the emails are a scam and warn against paying the ransom.


This campaign, while a lot more aggressive in tactics, is far less likely to be as successful. One reason is the substantive media coverage that it is currently receiving, with clear advice from law enforcement agencies to avoid paying the ransom.

The original sextortion campaigns were themselves a change in pace to the normal spam campaigns we are accustomed to. By using previously compromised emails and passwords, along with the threat of exposing potentially embarrassing online viewing habits, these campaigns had an air of credibility that might lead the right individual in the right circumstance to pay-out. The tactics that have followed in these bomb threats, however, are far more bizarre, rushed, and lack the significant personalization of the sextortion threats (which focused on genuinely compromised victim credentials). If extortionist actors continue this trend, their chances of success will continue to wane.


To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.

Share this post and earn Cybytes
Facebook Twitter Google+ LinkedIn Email
About Digital Shadows
Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human data analysts to manage and mitigate risks of an organization’s brand exposure, VIP exposure, cyber threat, data exposure, infrastructure exposure, physical threat, and third party risk, and create an up-to-the minute view of an organization’s digital risk with tailored threat intelligence.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge



DNS Rebinding – Behind The Enemy Lines
Views: 990 / January 19, 2019
My IT Learning Journey
Views: 1488 / January 18, 2019
A New Age of Digital Interconnection
Views: 1242 / January 18, 2019
7 Project Management Basic Rules
Views: 1699 / January 17, 2019
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?