//Blogs - 17 Aug 2018

Targeted blackmail campaign gains momentum

Since the dawn of email, spam has constantly pushed our ability to handle arbitrary, unsolicited input. Whether through gauntlets of long-forgotten regexes, or the most sophisticated of convolutional neural nets, detecting and blocking spam has been a Sisyphean battle which has consumed countless IT resources.

Not so at AusCERT. We have the dubious luxury of actively soliciting spam wherever it is to be found. Because of this we’re able to watch as campaigns wax and wane, see how they evolve over time, and get a feel for the objectives of the spammers. Some campaigns are evergreen – fake pharmaceuticals (usually of the male enhancement variety), various advance-fee scams (think Nigerian Prince), phishing for credentials – it’s rare a day goes by without examples of these coming across our inbox. Some campaigns are very flavour-of-the-month, for a few months everyone had their own ICO or crypto investment strategy to hawk to any mail socket willing to listen().

Other campaigns are more sporadic. It’s not unusual for us to see a short burst of activity on one particular topic or script which goes silent, only to re-emerge later. Sometimes this is to facilitate a transition to new infrastructure, or to replenish their supply of compromised accounts. Other times this can be to spend time reworking the script, or refining their technique – this blog deals with one such instance where the renewed campaign was so successful that we’ve seen a large uptick in its output.

This particular campaign is a faux sextortion blackmail. The premise of the blackmail is that the spammer has recorded the recipient visiting a pornographic website, through some vulnerability on the website or the recipient’s own computer. Unless the victim pays a sum of cryptocurrency to the spammer, they threaten to release this non-existent video to the victim’s family, friends, or colleagues. The campaign itself is far from new, we have seen minor variations on the same script pop up repeatedly. Recently a new variation emerged, almost exactly the same, but with one small difference: it would present the recipient’s password to them.

Given that these passwords were usually out of date, and data breaches and dumps are a great source of email address for spam campaigns, it stands to reason that the spammers were simply pulling passwords for a given email from old breaches and inserting them into the email template. In fact, in our case it would seem if they cannot find a matching password then it fills that portion of the template in with an empty string.

We’re certainly not the first to have written about this campaign,[1] but we were spurred to write this post due to the increase in its prevalence that we’re witnessing. Unfortunately this only means one thing: it’s working. We’re also now seeing campaigns where the recipient’s name and phone number are being used in place of the password. It’s not hard to see how as an unsuspecting recipient you could easily be fooled into believing the claims made. Indeed, efforts to catalogue and track the transactions of the various wallet addresses used by the spammers prove that it’s having the desired effect.[2]

Some things you can do to protect yourself against such scams:

  • Treat all unsolicited email with a healthy dose of skepticism.
  • If you receive any threatening email, take a sentence or two and search for them. This can help you detect if you’ve received a well-known script or variant. Report the email to your IT department if possible.
  • Practice good password hygiene. If you know you’ve used a strong, unique password for each service then you reduce your exposure when one is breached. Consider a password manager.

For reference, here is an example from this campaign that we have received:

It appears that, (), is your password. May very well not know me and you are probably wondering why you're getting this e-mail, right?     actually, I put in place a malware over the adult videos (adult porn) website and guess what happens, you visited this web site to have fun (you really know what What i'm saying is). When you were watching videos, your internet browser started off working like a RDP (Remote Desktop) which provided me accessibility to your screen and web camera. from then on, my software program obtained your complete contacts from your Messenger, Microsoft outlook, Facebook, as well as emails.     What did I really do?     I created a double-screen video clip. First part shows the recording you were seeing (you have a good taste haha . . .), and 2nd part shows the recording of your webcam.     what exactly should you do?     Well, in my opinion, $1200 is a fair price for your little secret. You will make the payment by Bitcoin (if you do not know this, search "how to buy bitcoin" in Google).     Bitcoin Address: **ADDRESS**  (It is case sensitive, so copy and paste it)     Very important:  You've got some days to make the payment. (I have a unique pixel in this e-mail, and at this moment I know that you've read through this email message). If I do not get the BitCoins, I will certainly send your videos to all of your contacts including relatives, co-workers, and so forth. Having said that, if I receive the payment, I'll destroy the recording immidiately. If you'd like evidence, reply with "Yes!" and I will definitely mail out your videos to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by answering this message.

[1] https://krebsonsecurity.com/2018/07/sextortion-scam-uses-recipients-hacked-passwords/
[2] https://twitter.com/SecGuru_OTX/status/1022430328647024640