Extortion Spam Emails Continue to Consume Valuable Resources

Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
October 21, 2021

Say the word “extortion” today, and what comes to mind for the average person is more likely to be the racy version that has been flooding inboxes for the last couple of years than the traditional version involving coercion under the threat of violence. Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.

Regrettably, splashy tactics like sending threatening spam messages that garner media attention increase the likelihood that other attackers will follow that example. A recent campaign illustrates the continued persistence of this type of threat, as well as the broadening of its attack surface. With the executive suite no longer the primary target for extortion threats, employees themselves may receive these email threats directly. A recent example shows this shift.

New Bomb Threat Comes via Email

Between October 17, 2021, and October 19, 2021, Abnormal identified and blocked more than 100 extortion emails across a dozen clients, all of which threatened to detonate a device placed in their data center unless the attacker received $5,000. This campaign appears to have been sent across a wide variety of enterprises and industries, and has caused a real-world police response for multiple organizations that were not Abnormal customers. For those organizations, police responded to the threats, and businesses across the United States and Canada were evacuated for safety.

[Image: Extortion 2021]

Although victims who received the email were instructed to make payment through FranTech California, which bills itself as an affordable DDoS-protected hosting provider, their website now displays the following message.

[Image: Extortion website message]

It also remains unclear what method of payment to FranTech was expected, as the attacker did not specify one. Is each recipient expected to inquire further at the email address provided for additional instructions? An oversight this critical may indicate the desired goal was a smear campaign and not monetary.

Additionally, an extortion threat with a ransom of only $5,000 strikes us as improbably low, indicating that the attacker either wasn’t very familiar with the value of five thousand USD, or perhaps had another payment structure in mind. A ransom of that size seems more like the kind directed at an individual, and not what a savvy criminal would demand from a corporation.

Extortion Spam is a Persistent Technique

For some, this campaign may bring a sense of déjà vu, as it closely resembles a bomb hoax campaign that made the rounds in 2018. Although less famous than the fake bomb threats Apophis Squad used to terrorize schools in the United Kingdom and the United States earlier that year, another campaign with a very similar theme emerged shortly afterward.

Perhaps inspired by the chaos caused by the first campaign, many US-based banks and businesses received similar extortion emails demanding a $20,000 ransom, or else a bomb located on their premises would be detonated.

Similar to our latest example, the attacker counseled the victim not to contact the police, demanded payment by the end of the day, and indicated that they were in contact with someone inside the building. That time, however, the actor provided a different Bitcoin wallet address for every extortion email sent out, making the task of tracking any cryptocurrency payments they may have received more difficult.

[Image: Extortion 2018]

(Source: KrebsOnSecurity)

The critical difference between the two campaigns is that the 2018 attacker included a Bitcoin wallet address, making extortion payments possible. Although both of these campaigns rank low on the believability meter, the duty to respond to such threats where public safety is concerned can quickly become costly. This is especially true if responding to these false alarms pulls essential resources better spent elsewhere.

Keeping Organizations Safe from Extortion Hoaxes

While it’s not clear how many organizations received these emails this week, Abnormal can determine that they were sent across the telecommunications, technology, and e-commerce industries, and typically targeted technical personnel at each company. For those customers protected by Abnormal, the emails were blocked because of a variety of factors, most notably the suspicious financial transaction and the recipient pattern structure.

[Image: Extortion analysis]

As a result of these indicators, Abnormal could determine that the bomb threat was just that—a threat—and that the email should be blocked before reaching employee inboxes. If the multiple examples of police responses across North America show us anything, it’s that cybersecurity is essential to keeping employees safe and business on track.
