We’ve seen yet another change in tactics for the recent spate of extortion campaigns. Whereas before these emails tried to coax victims into paying a ransom under the pretence of releasing sensitive information about watching adult content online, extortionists actors have now upped the ante by making bomb threats. Digital Shadows has been able to analyse a series of these bomb threat emails. In this blog, we provide six things we know so far.
At the time of writing, this campaign:
1. Does not appear to be legitimate. While these emails have led to several building evacuations and panicked calls to emergency services and law enforcement around the world, as yet no credible evidence has emerged to indicate this is anything but a hoax. The US-CERT recommends reporting the email to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center or to a local FBI Field Office.
2. Is a fraction of the size of the sextortion campaigns. When Digital Shadows first started seeing these bomb threat emails on 13 December, 2018, only a handful of emails had been sent in a short timeframe; the majority of emails we have observed were sent within a 15-minute window. In this time, the number of bomb threat emails being distributed was only 6% of what the sextortion campaign achieved during the same period (please note this is based on the emails we have directly observed). At its peak point of distribution in November (according to our data covering a four-month period), sextortion out-distributed the email bomb campaign by 250 times. Finally, whereas the sextortion emails have been sent as a constant stream, over several days, these bomb threats all appear to have been sent in a very tight space of time, and as a one-off.
3. Does not use publicly available emails and credentials. In the sextortion campaigns, attackers were targeting emails found in anti-combo lists and public datasets, trying to socially engineer their victims by claiming to have stolen their passwords by using malware or, in a later iteration of the campaign, a vulnerability affecting Cisco devices. In this bomb threat wave, we’ve observed extortion emails received by email accounts that do not appear in public combo-lists or leaked datasets.
4. Originates from a single, Russian hosting provider. All of the emails we’ve observed have come from the same Russian hosting provider: reg[.]ru. Not all of the emails are spoofs of the target (victim) address, as seen in the sextortion campaigns (where the ‘from’ and ‘to’ email addresses were the same). As mentioned above, the ‘from’ addresses used in this latest campaign do not appear in public breaches, data dumps and search engine indexes. As it’s unlikely all the ‘from’ emails were legitimately registered to the same Russian hosting provider, it appears the extortionists are still using spoofing techniques, albeit they are also impersonating domains that don’t belong to the target organization.
5. Uses unique Bitcoin addresses and a slight variation in keywords. As with the previous sextortion campaigns, the changing of keywords in the text will have helped evade filtering and research efforts.
Figure 1: Example of one of the bomb threat emails sent in this latest campaign
6. Has not generated any money so far. The Bitcoin addresses we’ve tracked are all empty and, as of yet, had not received any payments relating to these campaigns. It is unlikely that they will; something as serious as a bomb threat would only work against organizations. In any case, these types of emails are less likely to make it to business inboxes due to more advanced email filtering protections, and the information will very quickly be shared amongst peers and law enforcement, who would determine that the emails are a scam and warn against paying the ransom.
This campaign, while a lot more aggressive in tactics, is far less likely to be as successful. One reason is the substantive media coverage that it is currently receiving, with clear advice from law enforcement agencies to avoid paying the ransom.
The original sextortion campaigns were themselves a change in pace to the normal spam campaigns we are accustomed to. By using previously compromised emails and passwords, along with the threat of exposing potentially embarrassing online viewing habits, these campaigns had an air of credibility that might lead the right individual in the right circumstance to pay-out. The tactics that have followed in these bomb threats, however, are far more bizarre, rushed, and lack the significant personalization of the sextortion threats (which focused on genuinely compromised victim credentials). If extortionist actors continue this trend, their chances of success will continue to wane.
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.