
Threat Intelligence

12:20 PM

Sextortion Campaigns Net Cybercriminals Nearly $500K in Five Months

Tracking the cryptocurrency paid by victims finds that, even with a low rate of payout, the scheme netted a cool half million for the various groups involved.

A simple fraud scheme that spams out extortion demands threatening to reveal the online porn habits of victims can be very profitable when usernames and passwords are included in the messages, according to an analysis published by cybersecurity firm Sophos on April 22. 

The company analyzed so-called "sextortion" spam caught in its email filters over five months, capturing the Bitcoin wallet addresses sent to victims for payment, and found that the campaigns cumulatively raked in $473,000, about $3,100 a day. Email messages used in the sextortion fraud scheme accounted for 4.23% of all observed spam traffic over the five months, and only 0.5% of the Bitcoin wallets used in the campaigns received a payment, Sophos stated in its advisory.

"It was a microscopic response rate, but it was still enough for them to make a profit," says Sean Gallagher, senior threat researcher with Sophos.

The research shows that a simple fraud scheme can have big payoffs for the groups behind the cybercrimes. 

Sextortion scams usually center on a simple fraud: threatening to reveal the private porn habits of would-be victims using usernames and passwords leaked from previous data breaches to add credence to the threats. Those compromised credentials usually come from massive breaches and have nothing to do with people's surreptitious activities online, but the inclusion of a once-valid username and password can frighten the recipient, Gallagher says.

"People still reuse passwords, and people still react in fear when they see something come in from someone that shows a valid username and password," he says. "So people who are doing risky behavior online — such as going to porn sites — they feel seen, they feel exposed, they immediately panic and respond."

Typically, groups will just send a single email to the victims using information from a compromised account. The scam can be profitable because, like other spam campaigns, only a small fraction of recipients need to respond to make the scam pay for itself.

The attackers ran 10 to 20 campaigns, usually occurring on the weekends and, a handful of times, exceeding 20% of the spam volume detected by Sophos, according to the researchers' analysis.

The researchers analyzed spam activity connected to the sextortion scams between September 1, 2019, and January 31, 2020, finding transactions totaling nearly 51 Bitcoins, which, at the average daily price of the cryptocurrency, tallied up to about $473,000.

Embracing the well-worn adage of "follow the money," the researchers teamed up with CipherTrace to track the nearly 50,000 Bitcoin wallets to see whether victims paid the extortion demands and how much. Each wallet address was only included in the extortion email messages for an average of 2.6 days. Only 261 of the wallets received payment, which averaged out to 0.20 Bitcoins per address, according to the researchers.

Sophos and CipherTrace tracked the Bitcoin wallets for three transactions, or "hops," and found that they tended to cluster into seven different groups, suggesting that there may be seven cybercriminal groups involved in the spam campaigns that the companies tracked.

"It is really hard to tell once you put [Bitcoin] into an exchange or a mixer, where the connections begin and end," Gallagher says. "We can't really say when stuff goes into an exchange where they go, because exchanges tend to mix things together making it hard to say how connected these groups are beyond that."

The spam campaigns used some interesting techniques to work around email filtering technology and obfuscate their purpose. 

Some messages, for example, had invisible random strings or white "garbage text" inserted to break up the message and prevent spam filters from matching specific strings. Other messages used non-ASCII characters that look similar to letters of the regular English alphabet, or concealed the message inside HTML style tags, in the hope of escaping classification by a spam filter. 
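A defender-side illustration of undoing these three tricks before keyword matching, added here as an example and not code from Sophos or the article: it extracts only the text a recipient would actually see (dropping style blocks and elements hidden by inline CSS, assuming a white background), folds a small assumed table of Cyrillic look-alike letters back to ASCII, and then checks for indicator terms. The sample message and the confusables table are constructed for the demo.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Constructed sample (not from the article) using the tricks it describes: hidden/white
# "garbage text" splitting keywords, Cyrillic look-alike letters, filler in a <style> block.
SAMPLE_HTML = """<html><head><style>filler that is never rendered</style></head><body>
<p>I hav<span style="display:none">xqz</span>e your p<span style="color:#fff">kk</span>assword</p>
<p>P\u0430y in B\u0456tc\u043ein</p>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|color\s*:\s*(#fff\b|#ffffff\b|white\b)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}   # never get a closing tag
# Cyrillic letters that render like Latin a e i o p c y x (assumed table, not exhaustive)
CONFUSABLES = str.maketrans("\u0430\u0435\u0456\u043e\u0440\u0441\u0443\u0445", "aeiopcyx")
SEXTORTION_TERMS = ("password", "bitcoin", "webcam")

class VisibleTextExtractor(HTMLParser):
    """Keep only text a recipient sees: skip <style>/<script> bodies and hidden elements."""
    def __init__(self):
        super().__init__()
        self.parts, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        if self.skip_depth or tag in ("style", "script") or HIDDEN_STYLE.search(style):
            self.skip_depth += 1          # entering (or nested inside) hidden content

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.parts.append(data)

def normalize_message(html):
    """Visible text, homoglyphs folded to ASCII, whitespace collapsed, lower-cased."""
    p = VisibleTextExtractor()
    p.feed(html)
    p.close()
    text = unicodedata.normalize("NFKC", "".join(p.parts)).translate(CONFUSABLES)
    return " ".join(text.split()).lower()

def matches_sextortion(html):
    """Indicator terms present once the obfuscation is undone (empty list if none)."""
    text = normalize_message(html)
    return [term for term in SEXTORTION_TERMS if term in text]
```

Naive substring matching on the raw HTML finds neither "password" nor "bitcoin" in the sample; matching on the normalized text finds both.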

While the companies had difficulty tracking the ultimate destination of the money used in the scam, at least some of the money was used to buy stolen credit card data, according to Gallagher.


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
