Online Extortion Campaigns Target Users, Companies, Security Researchers

During the past week, there has been a sudden surge in online extortion campaigns, against regular users and security researchers alike.

The most devious of these was a campaign detected by Forcepoint security researcher Roland Dela Paz, and which tried to trick users into thinking hackers had gotten their hands on sensitive or sexually explicit images.

Attackers wanted payments of $320 to a Bitcoin address or they would have sent the compromising materials to the victim’s friends.

Massive spam wave delivered fake threats

This attempted blackmail message was the subject of a massive spam campaign that took place between August 11 and 18. Dela Paz says attackers sent out extortion emails to over 33,500 victims.

Most of the targets were from Australia and France. The extortion campaign was particularly active in Australia, where it caught the eye of officials at the Australian National University, who issued a safety warning on the topic, alerting students of the emails.

The extortion attempt was obviously fake, says Dela Paz.

“The scale of this campaign suggests that the threat is ultimately empty,” the expert explained. “If the actors did indeed possess personal details of the recipients, it seems likely they would have included elements (e.g. name, address, or date of birth) in more targeted threat emails in order to increase their credibility.”

Dela Paz warns that the campaign is still ongoing. Users can recognize the blackmail attempts by the following subject line formats:

“{Three random letters}: [{recipient email}]  {date and time} Соnсеrning оur yestеrday’s соnvеrsаtion”
“{Three random letters}: [{recipient email}]  {date and time} I havе sоmеthing that can mаке yоur lifе wоrse”
“{Three random letters}: [{recipient email}]  {date and time} I would not liкe tо start our knоwingaсquаintаnсе with this”
“{Three random letters}: [{recipient email}]  {date and time} I’m not hаpрy with yоur behаvior lately”
“{Three random letters}: [{recipient email}]  {date and time} Dont yоu thinк thаt your deviсе wоrкs wеird?”
“{Three random letters}: [{recipient email}]  {date and time} I think thаt it is not as funny for you as it is funny for mе”

Extortion email

Hackers tried to blackmail Swiss security researcher

In addition, during the past week, there were also extortion attempts sent to organizations. A hacker group calling itself ANX-Rans tried to extort a French company.

Another group calling itself CyberTeam also tried to extract a ransom payment of 5 Bitcoin (~$20,000) from, the website of a prominent Swiss security researcher.

Screen Shot 2017-08-21 at 08.27.43
These DDoS threats in the hope of extracting Bitcoin payments are called DDoS-for-Bitcoin or RDoS (Ransom DDoS) attacks. RDoS attacks have been on the rise since mid-June after a South Korean hosting provider paid a ransom of nearly $1 million after web ransomware encrypted its customer servers.

Ever since then, RDoS groups became extremely active hoping for a similar payday. We’ve already covered the active groups at the time in an article here.

Group posing as Anonymous targeted US companies

Since then, the most prominent RDoS campaign that took place was in mid-July when a group using the name of the Anonymous hacker collective tried to extort payments from US companies under the threat of DDoS attacks.

At the time, Bleeping Computer obtained a copy of the ransom email from cyber-security firm Radware, who was investigating the threats.

Anonymous RDoS extortion

Radware said that despite posing as Anonymous hackers, this was the same group who tried to obtain ransoms of $315,000 from four South Korean banks (for these RDoS extortions the group posed as Armada Collective, another famous hacking crew).

“This is not an isolated case. This is a coordinated large-scale RDoS spam campaign that appears to be shifting across regions of the world,” Radware security researcher Daniel Smith told Bleeping Computer via email at the time.

“All ransom notes received have the same expiration date,” he added. “In RDoS spam campaigns like this one the actors threaten multiple victims with a 1Tbps attack on the same day.”

Most RDoS extortion attempts are empty threats

The group also claimed it was in control of a Mirai botnet made up of compromised IoT devices and was capable of launching DDoS attacks of 1 Tbps. No such attacks have been observed following the ransom demands on US companies.

In research presented at the USENIX security conference last week, researchers from Cisco, Akamai, Google, and three US universities revealed that despite having a reputation of being able to take down some of the largest online companies around, the most variants of the Mirai botnet were mainly used to target online gaming servers.

Most of these DDoS attacks on gaming servers were also relatively small as multiple botnets broke up IoT devices (DDoS resources) among them.

In addition to the group posing as Anonymous, Radware also reported on multiple RDoS extortion attempts on gaming providers that also took place in July.

“We suggest companies do not pay the ransom,” Smith said at the time, a recommendation still valid today, as this encourages more blackmailers to join in.


About Author