2/21/2019
01:20 PM

Cyber Extortionists Can Earn $360,000 a Year

Extortion scams capitalize on compromised credentials, sensitive data, and technical vulnerabilities on Internet-facing applications to pressure victims to pay up.

Cybercriminals seeking sensitive data on high net-worth individuals will pay aspiring extortionists an average of $360,000 per year to target executives, lawyers, doctors, and other prominent figures, researchers discovered.

The Digital Shadows Photon Research Team today published "A Tale of Epic Extortions," a deep dive into the ways cybercriminals prey on individuals' online exposure. Extortionists take advantage of compromised credentials, sensitive data (documents, intellectual property), and technical vulnerabilities on Internet-facing applications to convince their victims to pay up.

"The extortion landscape is broader and more diverse than any of us thought before we started," says Rafael Amado, senior strategy and research analyst with Digital Shadows.

Oftentimes, he continues, the technical news that resonates with the infosec community is considered esoteric to everyone else. "Extortion has the human element," says Amado. "Attacks on organizations have real-world impact for everyday humans on the street."

It wasn't long ago that online extortion meant blackmailers sending threatening emails that warned victims their personal data would be exposed. Some warned their targets of a potential cyberattack, a denial-of-service attempt for example, if demands were ignored. Ransomware emerged in the 2010s, bringing a viable means of coercion that culminated in WannaCry (2017).

Sextortion, SamSam, and Scaled Funding

Today's extortionists are getting creative and finding new ways to earn cash. They're after details of victims' personal lives and/or sensitive corporate data. Sextortion scams, in which criminals claim to have evidence of targets watching sexually explicit content, have skyrocketed. Between July 2018 and Feb. 2019, Digital Shadows collected and analyzed 792,000 sextortion attempts targeting 89,000 recipients. Criminals amassed $332,000 USD in payments; analysis of Bitcoin wallets linked to attacks shows they could earn $540 per victim, on average.

Even suspicious-looking sextortion emails have the power to sway recipients. Many follow a similar pattern: an attacker shows their target a known password as proof of compromise, claims to have footage of them viewing adult content online, and demands ransom paid to a Bitcoin address. Later versions involve the attacker further proving their credibility with another email referring to a Cisco ASA router bug, which they say let them access the victim's device.

"The research shows that cybercriminal groups are increasing their targeting of high net worth individuals and/or those that hold positions of power within companies," said Rick Holland, CISO and head of the Photon Research Team at Digital Shadows, in a statement on the report.

Still other attackers use technical vulnerabilities to exploit victims. The SamSam group extorted its targets by exploiting public-facing applications and abusing valid accounts on remote access systems. Its actors relied on businesses not patching their software against known vulnerabilities; once inside, they used that access to extort the organization.

Researchers warn that companies are still giving groups like SamSam this level of access. At the time of writing, they say, there were over 3.6 million RDP servers reachable on the public Internet.

Some groups, like the extortionist crew thedarkoverlord (TDO), choose not to extort victims directly. Instead, TDO has begun using online crowdfunding campaigns to sell stolen data in batches. In Sept. 2018 it appeared on the hacking forum KickAss, where it sought accomplices and sold valuable databases, source code, and intellectual property. It demands ransom to prevent the information's release and threatens to expose more data with each financial milestone.

Criminal Groups Hunt for Talent

Many cybercriminals are looking for members to collaborate with so they can grow their operations. There are many ways to jump into the game, and you don't have to be technically savvy: aspiring extortionists with weak skillsets can find tutorials on the Dark Web. Some experienced attackers sell DoS and ransomware-as-a-service models to novice hackers.

"Extortion campaigns aren't the most sophisticated from a technical perspective, but you still need people to create spoof emails, to mine for personal data like compromised credentials," says Amado. "You need someone to manage Bitcoin transactions, someone to launder money."

The extortion skillset is broad. Researchers found admin panels, network and website access, and sensitive data being sold on the "accesses" sections of top-tier criminal forums. For these, extortionists would need technical skills to move laterally inside target networks and find data. On the other end of the spectrum are entry-level buyers and sellers of data trading credentials.

Researchers found message boards and forums where experts are willing to pay new recruits $30,000 or more for cyber extortion scams targeting high net-worth individuals. Those with network management, penetration testing, and programming skills are in higher demand, and can earn $64,000 per month, with add-ons and a final salary of $90,000 per month after their second year. Recruits who can speak Chinese, Arabic, or German get a 5% bump on their salaries.

Is Your Business at Risk?

Extortion can affect any organization, says Amado, but the type of threat you're likely to encounter depends on the type of business you are. Are you a financial firm processing confidential documents? Or a healthcare company, handling personal health data? Law and insurance firms are also at risk due to the nature of sensitive files they have on their clients.

"These types of organizations are particularly attractive to extortionists," Amado explains, adding that large public bodies and municipal organizations are also top of mind for attackers.

Sometimes extortionists don't go after an organization because it is in a particular industry, but because a scan of public-facing infrastructure showed it was vulnerable. All businesses should be asking themselves: Do I have public-facing infrastructure? Should it be public-facing? If it does need to be open to the public, are there vulnerabilities?

"If so, [you] need to patch those as soon as possible," Amado says.

There is an element of control for users and businesses to protect themselves, he continues. Researchers recommend treating sextortion emails as spam, discovering breached accounts and passwords on HaveIBeenPwned, securing email for end users, developing a ransomware playbook, and applying best practices for user permissions: remove local admin rights, restrict execution privileges on temporary data folders, and implement application whitelists.
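The sextortion pattern described earlier (a quoted password as "proof", a claim of footage, a Bitcoin demand) and the recommendations just listed (treat such mail as spam, check exposed passwords against HaveIBeenPwned) can be turned into a small defensive triage check. The following Python script is an added example, not code from the article or from Digital Shadows. The HaveIBeenPwned Pwned Passwords range protocol it models is real (SHA-1 of the password, uppercase; the first five hex characters are sent to https://api.pwnedpasswords.com/range/<prefix>; the service answers with SUFFIX:COUNT lines, so the full hash never leaves the client). Everything else, the regexes, the scoring threshold, the sample messages, the range response and its counts, is constructed for the demo; the only network call is replaced by an offline lookup.

```python
"""Triage heuristic for the sextortion pattern: a message that quotes a
password as proof, claims to hold adult-content footage, and demands Bitcoin.
Added example; patterns, thresholds and sample data are assumptions."""
import hashlib
import re
from typing import Callable, Dict, Tuple

# Legacy base58 (1.../3...) or bech32 (bc1...) Bitcoin address shapes (heuristic).
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{38,58})\b"
)
# "your password is hunter2" / "one of your passwords: hunter2" (hypothetical heuristic)
PASSWORD_CLAIM_RE = re.compile(
    r"\bpasswords?\b\s*(?:is\b|was\b|:)\s*[\"']?([^\s.,;\"']{4,})", re.IGNORECASE
)
ADULT_CLAIM_TERMS = ("adult", "webcam", "recording of you", "video of you")


def extract_indicators(body: str) -> Dict[str, object]:
    """Pull out the three indicators the pattern is built on."""
    lowered = body.lower()
    pw = PASSWORD_CLAIM_RE.search(body)
    return {
        "btc_addresses": BTC_ADDR_RE.findall(body),
        "claimed_password": pw.group(1) if pw else None,
        "adult_claim": any(term in lowered for term in ADULT_CLAIM_TERMS),
    }


def hibp_range_query(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix sent to the range endpoint
    and the 35-char suffix that is matched locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_range(range_response: str, suffix: str) -> int:
    """Parse SUFFIX:COUNT lines of a range response; 0 means the hash was not seen."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and candidate.upper() == suffix:
            return int(count)
    return 0


def triage(body: str, range_lookup: Callable[[str], str]) -> Dict[str, object]:
    """Score the message; if it quotes a password, check it against breach data.
    range_lookup(prefix) stands in for the HTTPS GET to the range endpoint."""
    ind = extract_indicators(body)
    breach_count = 0
    if ind["claimed_password"]:
        prefix, suffix = hibp_range_query(str(ind["claimed_password"]))
        breach_count = breach_count_from_range(range_lookup(prefix), suffix)
    score = sum(
        [bool(ind["btc_addresses"]), ind["claimed_password"] is not None, ind["adult_claim"]]
    )
    # Two of the three indicators together are treated as the spam pattern (assumed threshold).
    verdict = "sextortion-spam" if score >= 2 else "benign"
    return {**ind, "breach_count": breach_count, "score": score, "verdict": verdict}


# Constructed range response for prefix 5BAA6 (SHA-1("password") = 5BAA61E4...).
# The other suffix and all counts are made up; this is not real HIBP data.
CONSTRUCTED_RANGE = {
    "5BAA6": "0" * 34 + "A:2\r\n"
    + "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n",
}


def offline_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return CONSTRUCTED_RANGE.get(prefix, "")


# Constructed samples. The Bitcoin address is the public genesis-block address,
# used here only as a syntactically valid placeholder.
SEXTORTION_SAMPLE = (
    "I know one of your passwords: password\n"
    "I have a webcam recording of you on an adult site.\n"
    "Send 0.3 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours.\n"
)
BENIGN_SAMPLE = "Reminder: your password expires in 3 days. Reset it via the internal portal.\n"

if __name__ == "__main__":
    for sample in (SEXTORTION_SAMPLE, BENIGN_SAMPLE):
        print(triage(sample, offline_range_lookup))
```

The benign reminder also contains the word "password", which is why the claim regex requires "is", "was" or a colon followed by a token: the point of the triage is to flag the proof-of-compromise pattern, not every mention of a credential. A breach count above zero confirms the quoted password is already in public dumps, which supports treating the message as spam while still rotating that password wherever it is in use.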


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

REISEN1955, User Rank: Ninja, 2/21/2019 | 1:28:01 PM
Wrong profession
Have to smile here. I am in a forensics unit for Malware at a major firm and my salary is well below the norm quoted herein. WTF? I am in the wrong job field - LOL. Of course JAIL is also a condition on call here, so that should be considered too. I like my home.