Extortion Scams Are on the Rise

When it comes to online crime, fear is a valuable currency. Symantec revealed a rise in email extortion scams recently, blogging that it had blocked almost 300 million of them in the first five months of this year.

There was a particular spike in February, according to the company’s figures, but it also saw an average that rose steadily over time.

The extortion mails take several forms, but one of the most popular is sextortion. In this scenario, the victim gets an email telling them that they've been caught looking at porn sites, and that the attacker used their own webcam to video them in a compromising situation. They can make the whole problem go away by, naturally, paying up.

The whole thing’s a scam, of course, but the attackers can be very convincing. Last November, we reported on scammers who used stolen login credentials to convince victims that the mails were real. Someone without much knowledge could mount an attack like that en masse, armed with a simple Python script and a list purchased from the dark web.

Scammers don't just rely on humiliation and shame, though. Another popular category of email was the bomb scare, warned Symantec. In these emails, the attacker threatens to detonate a device in your building unless you pay up.

The attackers keep on sending these mails because there are still enough people falling for the scams to make them worthwhile. Symantec saw 63 of the most popular Bitcoin addresses receive bitcoins (presumably from victims) in a single month, totaling 243 transactions. The attackers harvested 12.8 bitcoins ($123,955 at the time of writing) in that time period. Extrapolated over a year, that's a cool 153.6 bitcoins, or $1.5m. Clearly, spam still pays.

Symantec believes that there are at least two cyber-criminal groups behind this activity, and possibly more. It’s a novel alternative to other online scams, because the barrier to entry is so low.

The perpetrators don’t need to pay for or install ransomware. They don’t need to nurture and convince victims over time, as they might need to with 419 scams or romance scams. It doesn't require the same level of research and due diligence that underpin successful business email compromise scams. It just needs someone with no scruples, and in the criminal underground, there are plenty of those folks about.
