Bitcoin Extortion - Abnormal Security

Bitcoin Extortion

In this attack, the attackers demand a Bitcoin transfer from recipients in exchange for not revealing personal information they claim to have stolen in a hack.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: 15,000-50,000
Email Security Bypassed: Office 365
Victims: Employees
Payload: Text
Technique: Extortion

What was the attack?

Setup: Recently, there has been a rise in scam emails demanding that recipients pay a ransom in Bitcoin, or else personal information the attackers have supposedly gathered about them will be released to the public. Both the means by which the attackers claim to have obtained this information and the amount of BTC requested have evolved over time. What remains the same, however, is the goal of these scams: use high-pressure intimidation tactics to extort victims into paying the attackers to stay silent about information they do not actually possess.

Email Attack: This attack features an email that appears to originate from a brand that services electrical contracts but is actually sent from a spoofed domain. The attacker begins by claiming to be a private investigator working with an agency that compromises accounts, and to have discovered a plot to blackmail the recipient, without specifying what that plot involves. The email goes on to claim that the attacker has negotiated a price with the agency and decided to give the recipient a discount, to be paid in Bitcoin, in exchange for deleting the evidence that could damage the recipient’s reputation and career. If the recipient ignores the warning, the attackers threaten to release the information.

Payload: The payload of this attack is provided in the body of the email: instructions directing the recipient to send BTC to a specific wallet address. Recipients who are unclear on how to send funds to the wallet are told to “google” how to do it.

Result: Recipients who fall victim to this BTC scam will incur a financial loss of $2,500.

Why is this attack effective?

Urgency: The email uses extortion tactics to demand action from the recipient, who is coerced into paying $2,500 to the attacker through a Bitcoin wallet within two days. The promise that any and all information the attackers have obtained will be deleted provides a strong incentive for victims to pay the ransom.

Spoofed Sender: The sender impersonates the brand ‘trumbo.biz’; however, email authentication fails, indicating that the sender is spoofing the domain. Because the message appears to originate from a company domain, the recipient is given the impression that the domain has been “hacked”, which makes victims more likely to believe the attackers’ claims.
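As an added illustration that is not part of the original post, the following Python triages a raw message for the signals described above: failed SPF/DKIM/DMARC results, a Bitcoin wallet address in the body, a payment deadline and extortion language. The sample email, its domains and the wallet string are constructed for this example and do not come from the campaign.

```python
import re
from email import message_from_string

# Constructed sample (not from the post): a spoofed brand sender that fails
# SPF/DMARC and carries the extortion signals the post describes. The
# wallet string is a made-up base58-shaped value, not a real address.
SAMPLE_EMAIL = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=spoofed-brand.example;
 dkim=none; dmarc=fail header.from=spoofed-brand.example
From: Private Investigator <contact@spoofed-brand.example>
To: employee@recipient.example
Subject: Final notice

I am a private investigator with an agency that compromises accounts.
I negotiated a discount for you: send 0.25 BTC to
1FakeAddrForTestingPurposes5QsHN2 within 2 days or the evidence
damaging your reputation will be released. Google how to send bitcoin.
"""

# Legacy (1.../3...) base58 and bech32 (bc1...) wallet address shapes.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b")
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(?:hours?|days?)\b", re.I)
EXTORTION_TERMS = ("bitcoin", "btc", "evidence", "reputation", "released", "hack", "compromis")


def parse_auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc outcomes from an Authentication-Results header
    (RFC 8601); a method that is absent is reported as 'none'."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=([a-z]+)", header, re.I)
        results[method] = m.group(1).lower() if m else "none"
    return results


def score_extortion(raw: str) -> dict:
    """Score one raw RFC 5322 message and return the individual signals plus a verdict."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else "".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    text = body.lower()
    signals = {
        # DMARC failure, or SPF failure without a passing DKIM signature, marks a spoofed sender.
        "auth_failed": auth["dmarc"] == "fail" or (auth["spf"] == "fail" and auth["dkim"] != "pass"),
        "btc_address": bool(BTC_ADDRESS.search(body)),
        "deadline": bool(DEADLINE.search(body)),
        "extortion_terms": sum(t in text for t in EXTORTION_TERMS) >= 3,
    }
    score = sum(signals.values())
    # Three or more co-occurring signals is the pattern of the campaign described above.
    signals["verdict"] = "quarantine" if score >= 3 else ("review" if score == 2 else "deliver")
    return signals
```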
