Extortion Spam Emails Continue to Consume Valuable Resources

Say the word “extortion” today, and what comes to mind for the average person is more likely to be the racy version that’s been flooding inboxes the last couple years than the traditional version involving coercion under the threat of violence. Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.

Regrettably, splashy tactics like sending threatening spam messages that garner media attention increase the likelihood that other attackers will be led by example. A recent campaign illustrates the continued persistence of this type of threat, as well as the broadening of its attack surface. With the executive suite no longer the primary target for extortion threats, employees themselves may receive these email threats directly. A recent example shows this shift.

Between October 17, 2021, and October 19, 2021, Abnormal identified and blocked more than 100 extortion emails across a dozen clients, all of which threatened to detonate a device placed in their data center unless they received $5,000. This campaign appears to be sent across a wide variety of enterprises and industries, and has caused a real-world police response for multiple organizations that were not Abnormal customers. For those organizations, police responded to the threats, and businesses across the United States and Canada were evacuated for safety.

Although victims who received the email were instructed to make payment through FranTech California, which bills itself as an affordable DDoS-protected hosting provider, their website now displays the following message.

It also remains unclear as to the expected method of payment to FranTech, as the attacker did not specify. Is each recipient expected to inquire further at the email address provided for additional instructions? An oversight this critical may indicate the desired goal was a smear campaign and not monetary.

Additionally, an extortion threat with a ransom of only $5,000 strikes us as improbably low, indicating that the attacker either wasn’t very familiar with the value of five thousand USD, or perhaps had another payment structure in mind. That kind of ransom seems more appropriately like the kind directed at an individual, and not what a savvy criminal would demand from a corporation.

For some, this campaign may bring a sense of deja vu, as it closely resembles a bomb hoax campaign that made the rounds in 2018. Although less famous than the fake bomb threats Apophis Squad used to terrorize schools in the United Kingdom and the United States earlier that year, another campaign emerged shortly with a very similar theme.

Perhaps inspired by the chaos caused by the first campaign, many US-based banks and businesses received similar extortion emails demanding a $20,000 ransom, or else a bomb located on their premises would be detonated.

Similar to our latest example, the attacker counseled the victim not to contact the police, demanded payment by the end of the day, and indicated that they were in contact with someone inside the building. That time, however, the actor provided a different Bitcoin wallet address for every extortion email sent out, making the task of tracking any cryptocurrency payments they may have received more difficult.

The critical difference between these two is that the first attacker included a Bitcoin wallet address, making extortion payments possible. Although both of these campaigns rank low on the believability meter, the duty to respond to such threats where public safety is concerned can quickly become costly. This is especially true if responding to these false alarms pulls essential resources better spent elsewhere.

While it’s not clear how many organizations received these emails this week, Abnormal can determine that it was sent across the telecommunications, technology, and e-commerce industries, and typically targeted technical personnel at each company. For those customers protected by Abnormal, the emails were blocked because of a variety of factors, most notably the suspicious financial transaction and the recipient pattern structure.

As a result of these indicators, Abnormal could determine that the bomb threat was just that—a threat—and the email should be blocked before reaching employee inboxes. If the multiple examples of police responses across North America show us anything, it’s that cybersecurity is essential to keeping employees safe, and business on track.