Extortion Spam Emails Continue to Consume Valuable Resources

October 21, 2021

Say the word “extortion” today, and what comes to mind for the average person is more likely to be the racy version that has been flooding inboxes for the past couple of years than the traditional version involving coercion under the threat of violence. Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and prompting costly responses from public safety agencies.

Regrettably, splashy tactics like sending threatening spam messages that garner media attention increase the likelihood that other attackers will follow the example. A recent campaign illustrates both the persistence of this type of threat and the broadening of its attack surface: the executive suite is no longer the primary target for extortion threats, and employees themselves may now receive these emails directly.

New Bomb Threat Comes via Email

Between October 17, 2021, and October 19, 2021, Abnormal identified and blocked more than 100 extortion emails across a dozen clients, all of which threatened to detonate a device placed in the recipient's data center unless the attacker received $5,000. This campaign appears to have been sent across a wide variety of enterprises and industries, and it caused a real-world police response at multiple organizations that were not Abnormal customers. For those organizations, police responded to the threats, and businesses across the United States and Canada were evacuated for safety.

[Image: Extortion 2021]

Victims who received the email were instructed to make payment through FranTech California, which bills itself as an affordable DDoS-protected hosting provider; that company's website now displays the following message.

[Image: Extortion website message]

It also remains unclear how payment to FranTech was expected to be made, as the attacker did not specify. Is each recipient expected to inquire further at the email address provided for additional instructions? An oversight this critical may indicate that the goal was a smear campaign rather than money.

Additionally, an extortion threat with a ransom of only $5,000 strikes us as improbably low, indicating that the attacker either wasn’t very familiar with the value of five thousand USD, or perhaps had another payment structure in mind. A demand of that size looks more like one directed at an individual than what a savvy criminal would demand from a corporation.

Extortion Spam is a Persistent Technique

For some, this campaign may bring a sense of déjà vu, as it closely resembles a bomb hoax campaign that made the rounds in 2018. Although less famous than the fake bomb threats Apophis Squad used to terrorize schools in the United Kingdom and the United States earlier that year, another campaign with a very similar theme emerged shortly afterward.

Perhaps inspired by the chaos caused by the first campaign, many US-based banks and businesses received similar extortion emails demanding a $20,000 ransom, or else a bomb located on their premises would be detonated.

Similar to our latest example, the attacker counseled the victim not to contact the police, demanded payment by the end of the day, and indicated that they were in contact with someone inside the building. That time, however, the actor provided a different Bitcoin wallet address for every extortion email sent out, making the task of tracking any cryptocurrency payments they may have received more difficult.

[Image: Extortion 2018]

(Source: KrebsOnSecurity)

The critical difference between these two campaigns is that the 2018 attacker included a Bitcoin wallet address, making extortion payments possible. Although both campaigns rank low on the believability meter, the duty to respond to such threats where public safety is concerned can quickly become costly. This is especially true when responding to these false alarms pulls essential resources away from where they are better spent.

Keeping Organizations Safe from Extortion Hoaxes

While it’s not clear how many organizations received these emails this week, Abnormal can confirm that they were sent across the telecommunications, technology, and e-commerce industries, and typically targeted technical personnel at each company. For customers protected by Abnormal, the emails were blocked because of a variety of factors, most notably the suspicious financial transaction and the recipient pattern structure.

[Image: Extortion analysis]

As a result of these indicators, Abnormal could determine that the bomb threat was just that—a threat—and that the email should be blocked before reaching employee inboxes. If the multiple police responses across North America show us anything, it’s that cybersecurity is essential to keeping employees safe and business on track.
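To illustrate the kind of content and recipient-pattern indicators described above, here is a small Python heuristic run over constructed sample messages. This is an added example written for this post, not Abnormal's detection logic; the regex patterns, the bulk-recipient threshold and the sample data are all assumptions.

```python
import re

# Constructed sample messages (not the real campaign emails) with the traits the
# post describes; patterns, the bulk threshold and sample data are assumptions.
SAMPLES = [
    {"sender": "threat@attacker.invalid", "to": f"eng{i}@victim.example",
     "subject": "Read carefully",
     "body": "Pay $5,000 by the end of the day or the device in your data center "
             "will be detonated. Do not contact the police, we have someone inside."}
    for i in range(12)
] + [
    {"sender": "billing@vendor.example", "to": "ap@victim.example", "subject": "Invoice 4471",
     "body": "Please pay $5,000 for the attached invoice by the end of the month."},
]

PATTERNS = {
    "threat":        re.compile(r"\b(bomb|detonat\w*|explosive)\b", re.I),
    "no_police":     re.compile(r"\b(do not|don'?t)\s+(contact|call|involve)\s+(the\s+)?police\b", re.I),
    "deadline":      re.compile(r"\bend of (the )?day\b|\bwithin \d+ hours?\b", re.I),
    "insider":       re.compile(r"\bsomeone\s+inside\b", re.I),
    "btc_wallet":    re.compile(r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "dollar_demand": re.compile(r"\$\s?\d{1,3}(?:,\d{3})+|\$\s?\d+"),
}
CONTENT = {"threat", "no_police", "deadline", "insider"}   # threat-content indicators
BULK_THRESHOLD = 5  # distinct recipients of one sender+subject at one domain

def indicators(body: str) -> set:
    """Return the set of indicator names whose pattern matches the body."""
    return {name for name, rx in PATTERNS.items() if rx.search(body)}

def bulk_keys(emails, threshold=BULK_THRESHOLD) -> set:
    """(sender, subject, recipient domain) keys that reached many distinct recipients."""
    seen = {}
    for e in emails:
        key = (e["sender"], e["subject"], e["to"].split("@")[1])
        seen.setdefault(key, set()).add(e["to"])
    return {k for k, rcpts in seen.items() if len(rcpts) >= threshold}

def classify(emails):
    """(recipient, verdict, indicators) per email; 'block' needs 2+ content hits plus a payment or bulk signal."""
    bulk = bulk_keys(emails)
    out = []
    for e in emails:
        ind = indicators(e["body"])
        if (e["sender"], e["subject"], e["to"].split("@")[1]) in bulk:
            ind.add("bulk_recipients")
        financial = {"dollar_demand", "btc_wallet", "bulk_recipients"} & ind
        verdict = "block" if len(ind & CONTENT) >= 2 and financial else "allow"
        out.append((e["to"], verdict, sorted(ind)))
    return out
```

The routine invoice in the sample set carries a dollar amount but no threat content, so it stays allowed while the twelve copies of the bomb threat are blocked.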
