
Threat Intelligence

01:20 PM

Cyber Extortionists Can Earn $360,000 a Year

Extortion scams capitalize on compromised credentials, sensitive data, and technical vulnerabilities on Internet-facing applications to pressure victims to pay up.

Cybercriminals seeking sensitive data on high net-worth individuals will pay aspiring extortionists an average of $360,000 per year to target executives, lawyers, doctors, and other prominent figures, researchers discovered.

The Digital Shadows Photon Research Team today published "A Tale of Epic Extortions," a deep dive into the ways cybercriminals prey on individuals' online exposure. Extortionists take advantage of compromised credentials, sensitive data (documents, intellectual property), and technical vulnerabilities on Internet-facing applications to convince their victims to pay up.

"The extortion landscape is broader and more diverse than any of us thought before we started," says Rafael Amado, senior strategy and research analyst with Digital Shadows.

Oftentimes, he continues, the technical news that resonates with the infosec community is considered esoteric to everyone else. "Extortion has the human element," says Amado. "Attacks on organizations have real-world impact for everyday humans on the street."

It wasn't long ago that online extortion meant blackmailers composing emails that threatened victims with exposure of their personal data. Some warned their targets of a potential cyberattack – for example, a denial-of-service attempt – if demands were ignored. Ransomware emerged in the 2010s, bringing a viable means of coercion and culminating in WannaCry (2017).

Sextortion, SamSam, and Scaled Funding

Today's extortionists are getting creative and finding new ways to earn cash. They're after details of victims' personal lives and/or sensitive corporate data. Sextortion scams, in which criminals claim to have evidence of targets watching sexually explicit content, have skyrocketed. Between July 2018 and Feb. 2019, Digital Shadows collected and analyzed 792,000 sextortion attempts targeting 89,000 recipients. Criminals amassed $332,000 USD in payments; analysis of Bitcoin wallets linked to attacks shows they could earn $540 per victim, on average.

Even suspicious-looking sextortion emails have the power to sway recipients. Many follow a similar pattern: an attacker shows their target a known password as proof of compromise, claims to have footage of them viewing adult content online, and demands ransom paid to a Bitcoin address. Later versions involve the attacker further proving their credibility with another email referring to a Cisco ASA router bug, which they say let them access the victim's device.
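A defender-side triage heuristic for the sextortion pattern described above (leaked password shown as proof, webcam or adult-content claim, Bitcoin ransom address, deadline). This is an added example, not code from the Digital Shadows report; the sample messages, regexes and threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample messages (not from the report). The first follows the
# pattern the article describes; the second is an ordinary IT notice that
# also mentions a password, to show the rule does not fire on that alone.
SAMPLES = {
    "sextortion": (
        "I know your password is hunter2. I installed malware on the adult site "
        "you visited and recorded you through your webcam. Send 0.5 BTC to "
        "1BoatSLRHtKNngkdXEeobR76b53LETtpyT within 48 hours or the video goes "
        "to all your contacts."
    ),
    "benign": (
        "Hi team, the password for the shared wiki has been rotated; see the "
        "vault for the new one. Reminder: bring your own laptop to Thursday's "
        "workshop."
    ),
}

# Legacy/P2SH Base58 addresses (start with 1 or 3, no 0/O/I/l) or bech32 bc1 addresses.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
# "your password is <something>": the credential-stuffing "proof" the article mentions.
PASSWORD_CLAIM = re.compile(r"\b(?:your|the)\s+password\s+(?:is|was)\s+\S+", re.I)
ADULT_CLAIM = re.compile(r"\b(?:adult|porn|webcam|camera|recorded|video of you)\b", re.I)
DEADLINE = re.compile(r"\b\d+\s*(?:hours?|days?)\b", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_sextortion(body: str) -> Verdict:
    """Count which indicators of the pattern appear; each hit is one point."""
    reasons = []
    if BTC_ADDRESS.search(body):
        reasons.append("bitcoin address")
    if PASSWORD_CLAIM.search(body):
        reasons.append("password shown as proof")
    if ADULT_CLAIM.search(body):
        reasons.append("adult-content/webcam claim")
    if DEADLINE.search(body):
        reasons.append("payment deadline")
    return Verdict(score=len(reasons), reasons=reasons)


def is_sextortion(body: str, threshold: int = 3) -> bool:
    """Route to the spam/extortion queue when enough indicators co-occur."""
    return score_sextortion(body).score >= threshold
```

A message that clears the threshold is the kind the researchers say should be treated as spam; the matched reasons give the analyst the evidence without opening the mail.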

"The research shows that cybercriminal groups are increasing their targeting of high net worth individuals and/or those that hold positions of power within companies," said Rick Holland, CISO and head of the Photon Research Team at Digital Shadows, in a statement on the report.

Still other attackers use technical vulnerabilities to exploit victims. The SamSam group extorted through public-facing applications and the abuse of valid accounts for remote access systems. Its actors relied on businesses not patching their software against known vulnerabilities, and once inside they used their access to extort organizations.

Researchers warn companies are still giving groups like SamSam this level of access. At the time of writing, they say, there were over 3.6M RDP servers available on the public Internet.

Some groups, like the extortionist group thedarkoverlord (TDO), choose not to extort victims directly. Instead, TDO has begun using online crowdfunding campaigns to sell stolen data in batches. In Sept. 2018 it appeared on the hacking forum KickAss, where it sought accomplices and sold valuable databases, source code, and intellectual property. It demands ransom to prevent the information's release and threatens to expose more data with each financial milestone.

Criminal Groups Hunt for Talent

Many cybercriminals are looking for members to collaborate with so they can grow their operations. There are many ways to jump into the game, and you don't have to be technically savvy: aspiring extortionists with weak skillsets can find tutorials on the Dark Web. Some experienced attackers sell DoS and ransomware-as-a-service models to novice hackers.

"Extortion campaigns aren't the most sophisticated from a technical perspective, but you still need people to create spoof emails, to mine for personal data like compromised credentials," says Amado. "You need someone to manage Bitcoin transactions, someone to launder money."

The extortion skillset is broad. Researchers found admin panels, network and website access, and sensitive data being sold on the "accesses" sections of top-tier criminal forums. For these, extortionists would need technical skills to move laterally inside target networks and find data. On the other end of the spectrum are entry-level buyers and sellers of data trading credentials.

Researchers found message boards and forums where experts are willing to pay new recruits $30,000 or more for cyber extortion scams targeting high net-worth individuals. Those with network management, penetration testing, and programming skills are in higher demand, and can earn $64,000 per month, with add-ons and a final salary of $90,000 per month after their second year. Recruits who can speak Chinese, Arabic, or German get a 5% bump on their salaries.

Is Your Business at Risk?

Extortion can affect any organization, says Amado, but the type of threat you're likely to encounter depends on the type of business you are. Are you a financial firm processing confidential documents? Or a healthcare company, handling personal health data? Law and insurance firms are also at risk due to the nature of sensitive files they have on their clients.

"These types of organizations are particularly attractive to extortionists," Amado explains, adding that large public bodies and municipal organizations are also top of mind for attackers.

Sometimes extortionists don't go after an organization because it is in a particular industry, but because a scan of public-facing infrastructure showed it was vulnerable. All businesses should be asking themselves: Do I have public-facing infrastructure? Should it be public-facing? If it does need to be open to the public, are there vulnerabilities?

"If so, [you] need to patch those as soon as possible," Amado says.

There is an element of control for users and businesses to protect themselves, he continues. Researchers recommend treating sextortion emails as spam, checking for breached accounts and passwords on HaveIBeenPwned, securing email end-users, developing a ransomware playbook, and applying best practices for user permissions: remove local admin rights, restrict execution privileges on temporary data folders, and implement application whitelists.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Reader comment, 2/21/2019 1:28:01 PM: Wrong profession

Have to smile here. I am in a forensics unit for Malware at a major firm and my salary is well below the norm quoted herein. WTF? I am in the wrong job field - LOL. Of course JAIL is also a condition on call here so that should be considered too. I like my home.