Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

12:20 PM

Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months

Tracking the cryptocurrency paid by victims finds that, even with a low rate of payout, the scheme netted a cool half million for the various groups involved.

A simple fraud scheme that spams out extortion demands threatening to reveal the online porn habits of victims can be very profitable when usernames and passwords are included in the messages, according to an analysis published by cybersecurity firm Sophos on April 22. 

The company analyzed so-called "sextortion" spam caught in its email filters over five months, capturing the Bitcoin wallet address sent to victims for payments, and found that the campaigns cumulatively raked in $473,000, about $3,100 a day. Email messages used in the sextortion fraud scheme accounted for 4.23% of all observed spam traffic over the five months, and only 0.5% of the Bitcoin wallets used in the campaigns received a payment, Sophos stated in its advisory.

"It was a microscopic response rate, but it was still enough for them to make a profit," says Sean Gallagher, senior threat researcher with Sophos.

The research shows that a simple fraud scheme can have big payoffs for the groups behind the cybercrimes. 

Sextortion scams usually center on a simple fraud: threatening to reveal the private porn habits of would-be victims using usernames and passwords leaked from previous data breaches to add credence to the threats. Those compromised credentials usually come from massive breaches and have nothing to do with people's surreptitious activities online, but the inclusion of a once-valid username and password can frighten the recipient, Gallagher says.

"People still reuse passwords, and people still react in fear when they see something come in from someone that shows a valid username and password," he says. "So people who are doing risky behavior online — such as going to porn sites — they feel seen, they feel exposed, they immediately panic and respond."

Typically, groups will just send a single email to the victims using information from a compromised account. The scam can be profitable, because like other spam campaigns, only a small fraction of recipients need to respond to make the scam pay for itself.

The attackers used 10 to 20 campaigns, usually occurring on the weekends and, a handful of times, exceeding 20% of the spam volume detected by Sophos, according to the researchers' analysis

The researchers analyzed spam activity connected to the sextortion scams between September 1, 2019, and January 31, 2020, finding transactions totaling nearly 51 Bitcoins, which at the average daily price of the cryptocurrency, tallied up to about $473,000.

Embracing the well-worn adage of "follow the money," the researchers teamed up with CipherTrace to track the nearly 50,000 Bitcoin wallets to see whether victims paid the extortion demands and how much. Each wallet address was only included in the extortion email messages for an average of 2.6 days. Only 261 of the wallets received payment, which averaged out to 0.20 Bitcoins per address, according to the researchers.

Sophos and CipherTrace tracked the Bitcoin wallets for three transactions, or "hops," and found that they tended to cluster into seven different groups, suggesting that there may be seven cybercriminal groups involved in the spam campaigns that the companies tracked.

"It is really hard to tell once you put [Bitcoin] into an exchange or a mixer, where the connections begin and end," Gallagher says. "We can't really say when stuff goes into an exchange where they go, because exchanges tend to mix things together making it hard to say how connected these groups are beyond that."

The spam campaigns used some interesting techniques to work around email filtering technology and obfuscate their purpose. 

Some messages, for example, had invisible random strings or white "garbage text" to break up the message and prevent spam filters from matching specific strings. Other messages had non-ASCII characters that look similar to the regular English alphabet or concealed the message in the HTML style tags to, the attacker hoped, escape classification by a spam filter. 

While the companies had difficulty tracking the ultimate destination of the money used in the scam, at least some of the money was used to buy stolen credit card data, according to Gallagher.

Related Content

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...