Extortion Spam Emails Continue to Consume Valuable Resources

October 21, 2021

Say the word “extortion” today, and what comes to mind for the average person is more likely to be the sextortion variant that has been flooding inboxes for the last couple of years than the traditional version involving coercion under the threat of violence. Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and prompting costly responses from public-safety agencies.

Regrettably, splashy tactics like threatening spam messages that garner media attention make it more likely that other attackers will follow the example. A recent campaign illustrates both the persistence of this type of threat and the widening of its targeting. With the executive suite no longer the primary target for extortion threats, rank-and-file employees may now receive these emails directly. The example below shows this shift.

New Bomb Threat Comes via Email

Between October 17, 2021, and October 19, 2021, Abnormal identified and blocked more than 100 extortion emails across a dozen clients, all of which threatened to detonate a device placed in the recipient's data center unless the sender received $5,000. The campaign appears to have been sent across a wide variety of enterprises and industries, and it triggered real-world police responses at multiple organizations that were not Abnormal customers. At those organizations, police responded to the threats, and businesses across the United States and Canada were evacuated as a precaution.

Extortion 2021

Victims were instructed to make payment through FranTech California, which bills itself as an affordable DDoS-protected hosting provider. At the time of writing, however, FranTech's website displays the following message.

Extortion website message

It also remains unclear how the attacker expected payment to reach FranTech, since the email gives no payment method at all. Was each recipient expected to write to the contact address provided and ask for instructions? An oversight this basic suggests the goal may have been a smear campaign against FranTech rather than money.

Additionally, a ransom of only $5,000 strikes us as implausibly low for an extortion threat against a business, suggesting either that the attacker had little sense of what a corporation would pay or that some other payment structure was intended. A demand of that size looks more like one aimed at an individual than what a savvy criminal would demand from a corporation.

Extortion Spam is a Persistent Technique

For some, this campaign may bring a sense of déjà vu, as it closely resembles a bomb hoax campaign that made the rounds in 2018. Although less famous than the fake bomb threats Apophis Squad used to terrorize schools in the United Kingdom and the United States earlier that year, another campaign with a very similar theme emerged shortly afterward.

Perhaps inspired by the chaos caused by the first campaign, many US-based banks and businesses received similar extortion emails demanding a $20,000 ransom, or else a bomb located on their premises would be detonated.

As in our latest example, the attacker counseled the victim not to contact the police, demanded payment by the end of the day, and claimed to be in contact with someone inside the building. That time, however, the actor provided a different Bitcoin wallet address in every extortion email sent out, making any cryptocurrency payments they received harder to track.

Extortion 2018

(Source: KrebsOnSecurity)

The critical difference between the two is that the 2018 attacker included a Bitcoin wallet address, which at least made payment possible. Although both campaigns rank low on the believability meter, the duty to respond to any threat where public safety is concerned can quickly become costly, especially when responding to false alarms pulls essential resources away from where they are better spent.

Keeping Organizations Safe from Extortion Hoaxes

While it’s not clear how many organizations received these emails this week, Abnormal can determine that they were sent across the telecommunications, technology, and e-commerce industries, and typically targeted technical personnel at each company. For customers protected by Abnormal, the emails were blocked based on a combination of factors, most notably the suspicious financial demand and the unusual recipient pattern.

Extortion analysis

Based on these indicators, Abnormal could determine that the bomb threat was just that—a threat—and block the email before it reached employee inboxes. If the multiple police responses across North America show us anything, it’s that email security is essential to keeping employees safe and business on track.
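The indicator-based blocking described above, together with the 2018 actor's one-wallet-per-message trick, can be illustrated with a small triage script. This is an added example written for this page; it is not Abnormal's detection code and not part of the original post. It scores each message on the hoax's hallmarks (threat wording, a ransom amount, an instruction not to contact police, a same-day deadline, an insider claim, a Bitcoin address) and clusters messages by a normalized body template rather than by wallet, so a campaign that rotates the wallet on every email still groups together. The term lists, weights, threshold, wallet strings and sample messages are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Syntax-only patterns for legacy (1/3-prefixed Base58) and bech32 (bc1) Bitcoin
# addresses, and for dollar/USD/BTC amounts. No checksum validation is done.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
MONEY_RE = re.compile(r"\$\s?\d{1,3}(?:,\d{3})*(?:\.\d{2})?|\b\d+\s?(?:USD|BTC)\b", re.I)

# Assumed phrase lists; a production system would use a much richer model.
THREAT_TERMS = ("bomb", "explosive", "detonate", "device", "blow up")
COERCION_TERMS = ("do not contact the police", "don't call the police", "not to contact the police")
DEADLINE_TERMS = ("end of the day", "within 24 hours", "by tonight")
INSIDER_TERMS = ("someone inside", "person in your building", "our man inside")

# Constructed sample messages (not real captured mail). m1 and m2 are the same
# hoax sent to two recipients with different wallets; m3 is benign facilities
# mail that happens to mention a "device" and a $5,000 figure.
SAMPLE_MESSAGES = [
    {"id": "m1", "to": "noc@example.com",
     "body": "There is a bomb in your data center. Pay $5,000 to "
             "1DemoAddrNotUsedBTCxyz123456789abcd by the end of the day. "
             "Do not contact the police. We have someone inside your building."},
    {"id": "m2", "to": "sysadmin@example.net",
     "body": "There is a bomb in your data center. Pay $5,000 to "
             "bc1qdemoaddressnotusedxyz0123456789abcd by the end of the day. "
             "Do not contact the police. We have someone inside your building."},
    {"id": "m3", "to": "facilities@example.org",
     "body": "FYI: the new UPS device for the data center is quoted at $5,000. "
             "Please do not contact the vendor until procurement signs off."},
]


def extract_indicators(body):
    """Pull the hoax hallmarks out of one message body."""
    text = body.lower()
    return {
        "wallets": BTC_RE.findall(body),
        "amounts": MONEY_RE.findall(body),
        "threat": any(t in text for t in THREAT_TERMS),
        "coercion": any(t in text for t in COERCION_TERMS),
        "deadline": any(t in text for t in DEADLINE_TERMS),
        "insider": any(t in text for t in INSIDER_TERMS),
    }


def score(ind):
    """Weighted sum of indicators. Weights are assumptions for the example;
    a lone threat word or a lone dollar figure must not be enough to block."""
    return (3 * ind["threat"] + 2 * bool(ind["amounts"]) + 2 * ind["coercion"]
            + ind["deadline"] + ind["insider"] + bool(ind["wallets"]))


def template(body):
    """Normalize a body so copies that differ only in wallet or amount collapse
    to one key. This is what lets a per-recipient-wallet campaign be grouped."""
    t = BTC_RE.sub("<WALLET>", body)
    t = MONEY_RE.sub("<AMOUNT>", t)
    return re.sub(r"\s+", " ", t).strip().lower()


def triage(messages, threshold=6):
    """Return (verdicts keyed by message id, campaigns keyed by body template)."""
    verdicts = {}
    campaigns = defaultdict(list)
    for m in messages:
        ind = extract_indicators(m["body"])
        sc = score(ind)
        verdicts[m["id"]] = {"score": sc, "block": sc >= threshold, "indicators": ind}
        campaigns[template(m["body"])].append(m["id"])
    return verdicts, dict(campaigns)


if __name__ == "__main__":
    verdicts, campaigns = triage(SAMPLE_MESSAGES)
    for mid, v in verdicts.items():
        print(mid, "BLOCK" if v["block"] else "allow", v["score"], v["indicators"]["wallets"])
    for key, ids in campaigns.items():
        if len(ids) > 1:
            print("campaign of", len(ids), "messages:", ids)
```

Run as a script, m1 and m2 are blocked and reported as one two-message campaign despite their different wallets, while m3 stays below the threshold because a "device" and a dollar figure without coercion, deadline or wallet is ordinary business mail. The recipient-pattern signal Abnormal cites is reflected here only as the cluster size; a real deployment would add who the recipients are and how unusual it is for them to get the same mail at once.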

To see how Abnormal stops bomb hoaxes and other extortion threats, schedule a demo today.
