
Threat Intelligence

12:20 PM

Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months

Tracking the cryptocurrency paid by victims finds that, even with a low rate of payout, the scheme netted a cool half million for the various groups involved.

A simple fraud scheme that spams out extortion demands threatening to reveal the online porn habits of victims can be very profitable when usernames and passwords are included in the messages, according to an analysis published by cybersecurity firm Sophos on April 22. 

The company analyzed so-called "sextortion" spam caught in its email filters over five months, capturing the Bitcoin wallet address sent to victims for payments, and found that the campaigns cumulatively raked in $473,000, about $3,100 a day. Email messages used in the sextortion fraud scheme accounted for 4.23% of all observed spam traffic over the five months, and only 0.5% of the Bitcoin wallets used in the campaigns received a payment, Sophos stated in its advisory.

"It was a microscopic response rate, but it was still enough for them to make a profit," says Sean Gallagher, senior threat researcher with Sophos.

The research shows that a simple fraud scheme can have big payoffs for the groups behind the cybercrimes. 

Sextortion scams usually center on a simple fraud: threatening to reveal the private porn habits of would-be victims using usernames and passwords leaked from previous data breaches to add credence to the threats. Those compromised credentials usually come from massive breaches and have nothing to do with people's surreptitious activities online, but the inclusion of a once-valid username and password can frighten the recipient, Gallagher says.

"People still reuse passwords, and people still react in fear when they see something come in from someone that shows a valid username and password," he says. "So people who are doing risky behavior online — such as going to porn sites — they feel seen, they feel exposed, they immediately panic and respond."

Typically, groups will send just a single email to each victim using information from a compromised account. The scam can be profitable because, like other spam campaigns, only a small fraction of recipients need to respond for it to pay for itself.

The attackers ran 10 to 20 campaigns, usually on weekends and, a handful of times, exceeding 20% of the spam volume detected by Sophos, according to the researchers' analysis.

The researchers analyzed spam activity connected to the sextortion scams between September 1, 2019, and January 31, 2020, finding transactions totaling nearly 51 Bitcoins, which at the average daily price of the cryptocurrency, tallied up to about $473,000.

Embracing the well-worn adage of "follow the money," the researchers teamed up with CipherTrace to track the nearly 50,000 Bitcoin wallets to see whether victims paid the extortion demands and how much. Each wallet address was only included in the extortion email messages for an average of 2.6 days. Only 261 of the wallets received payment, which averaged out to 0.20 Bitcoins per address, according to the researchers.

Sophos and CipherTrace tracked the Bitcoin wallets for three transactions, or "hops," and found that they tended to cluster into seven different groups, suggesting that there may be seven cybercriminal groups involved in the spam campaigns that the companies tracked.

"It is really hard to tell once you put [Bitcoin] into an exchange or a mixer, where the connections begin and end," Gallagher says. "We can't really say when stuff goes into an exchange where they go, because exchanges tend to mix things together making it hard to say how connected these groups are beyond that."

The spam campaigns used some interesting techniques to work around email filtering technology and obscure their purpose.

Some messages, for example, contained invisible random strings or white (and therefore unseen) "garbage text" that broke up the message so spam filters could not match specific strings. Others used non-ASCII characters that look like regular Latin letters, or hid the message inside HTML style tags, in the hope of escaping classification by a spam filter.
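The filter-evasion tricks described above are exactly what a defender's normalisation step has to undo before keyword matching. The following is an added illustration, not code from Sophos or the article: it strips CSS-hidden spans and `<style>` bodies, folds a small (hypothetical) subset of Cyrillic look-alike letters, removes zero-width separators, and then checks the visible text against a few phrases; the sample messages are constructed here.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Hand-built subset of Cyrillic letters that look like Latin ones (hypothetical;
# a production filter would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"})
# Inline CSS that hides a span from the reader but not from a naive string matcher.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|font-size\s*:\s*0|color\s*:\s*(#fff(fff)?|white)", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}
BLOCK_TAGS = {"p", "div", "li", "tr", "td", "h1", "h2", "h3"}
SEXTORTION_PHRASES = ("i have recorded you", "bitcoin", "webcam", "your password")

class VisibleText(HTMLParser):
    """Keep only text a human would see: drop <style> bodies and CSS-hidden elements."""
    def __init__(self):
        super().__init__()
        self.parts, self.hidden = [], []   # hidden: stack of bools, one per open element
        self.in_style = False
    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        if tag in VOID_TAGS:               # no matching end tag, so nothing to push
            return
        inherited = bool(self.hidden and self.hidden[-1])
        style = dict(attrs).get("style") or ""
        self.hidden.append(inherited or bool(HIDDEN_STYLE.search(style)))
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        if tag not in VOID_TAGS and self.hidden:
            self.hidden.pop()
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
    def handle_data(self, data):
        if not self.in_style and not (self.hidden and self.hidden[-1]):
            self.parts.append(data)

def normalize(message_html: str) -> str:
    parser = VisibleText()
    parser.feed(message_html)
    parser.close()
    text = unicodedata.normalize("NFKC", "".join(parser.parts)).translate(CONFUSABLES)
    text = re.sub(r"[\u200b-\u200d\u2060\ufeff]", "", text)  # zero-width separators
    return re.sub(r"\s+", " ", text).strip().lower()

def matched_phrases(message_html: str) -> list:
    text = normalize(message_html)
    return [phrase for phrase in SEXTORTION_PHRASES if phrase in text]

# Constructed samples mimicking the tricks described above (not real spam).
SAMPLE_HIDDEN = ('<p>I have recorded you via your web<span style="color:#FFFFFF">qz81</span>cam.</p>'
                 '<p>Send 0.2 Bit<font style="font-size:0">kj</font>coin.</p>')
SAMPLE_HOMOGLYPH = "<p>Y\u043eur p\u0430ssw\u043erd is abc123. Send Bit\u0441\u043ein now.</p>"
```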

While the companies had difficulty tracking the ultimate destination of the money used in the scam, at least some of the money was used to buy stolen credit card data, according to Gallagher.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
