Blackmailers extort small amounts to stay off radar

Email fraudsters, who attempt to extort money from victims by threatening to release embarrassing or illicit material, target no more than 10 work email accounts at a time and make moderate payment demands to stay under the radar, according to Barracuda.

Barracuda tapped researchers at Columbia University in the United States to study and analyse 300,000 emails detected as blackmailing scams over a period of 12 months in Asia and worldwide.

The findings revealed how scammers making payment demands of around US$1000 in Bitcoin are able to stay under the radar and avoid alerting potential victims, security teams and payment systems.

Extortion attacks threaten to expose compromising information, such as photos, videos, or details of illicit online activity, unless the victim pays the attackers – generally in a cryptocurrency such as bitcoin.

The team at Columbia grouped the extortion emails by the bitcoin wallet addresses in them. They assumed that an attacker would use the same bitcoin wallet for all their attacks so that one wallet corresponds to one attacker. 

The team found 3,000 unique bitcoin wallet addresses. Of these, 100 wallets appear in 80% of the emails. 

This suggests that a relatively small number of attackers were responsible for most of the extortion emails.

Also, the team looked at the “sender” email fields for each extortion email. They assumed that an attacker would use the same account for all the emails distributed in a single attack but might use a different account for another attack, and so on. 

The team found that 97% of sender accounts sent out fewer than 10 attack emails each. Of the attacks, 90% demanded payments of less than $2,000 in bitcoin. 
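The two groupings described above (by bitcoin wallet address and by sender account) can be sketched as follows. This is an added example, not code from Barracuda or the Columbia researchers; the message fields (`id`, `sender`, `body`), the address pattern and the sample messages are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Shape match only (no checksum): legacy 1.../3... and bech32 bc1... addresses.
BTC_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

def wallet_clusters(emails):
    """Map each wallet address to the set of email ids that mention it."""
    clusters = defaultdict(set)
    for mail in emails:
        for wallet in BTC_RE.findall(mail["body"]):
            clusters[wallet].add(mail["id"])
    return dict(clusters)

def top_share(clusters, total, n):
    """Fraction of all emails mentioning at least one of the n largest wallets."""
    largest = sorted(clusters.values(), key=len, reverse=True)[:n]
    return len(set().union(*largest)) / total if total else 0.0

def sender_volumes(emails):
    """Count emails per sender account (case-insensitive)."""
    return Counter(mail["sender"].strip().lower() for mail in emails)

def low_volume_fraction(volumes, limit):
    """Fraction of sender accounts that sent fewer than `limit` emails."""
    if not volumes:
        return 0.0
    return sum(1 for c in volumes.values() if c < limit) / len(volumes)

# Constructed placeholders that only have the right shape; not real wallets.
W1, W2, W3 = "1" + "A" * 30, "3" + "B" * 30, "bc1q" + "z" * 38

# Constructed sample messages: eight share one wallet, two use other wallets.
SAMPLE = [{"id": i, "sender": f"acct{i}@example.test",
           "body": f"Pay $1000 to {W1} within 48 hours."} for i in range(8)]
SAMPLE += [
    {"id": 8, "sender": "ACCT0@example.test", "body": f"Send bitcoin: {W2}"},
    {"id": 9, "sender": "other@example.test", "body": f"My wallet is {W3}."},
]

if __name__ == "__main__":
    clusters = wallet_clusters(SAMPLE)
    print("unique wallets:", len(clusters))
    print("share of emails covered by top wallet:",
          top_share(clusters, len(SAMPLE), 1))
    print("senders with fewer than 2 emails:",
          low_volume_fraction(sender_volumes(SAMPLE), 2))
```

Because the pattern checks only the shape of an address, a production version would also validate the Base58Check or bech32 checksum before counting a match as a wallet.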

“Our analysis suggests that extortion scams are implemented by a relatively small number of perpetrators, each firing off multiple small-scale attacks with moderate extortion demands,” said Asaf Cidon, associate professor of electrical engineering at Columbia University.

Cidon said these relatively modest sums make it likelier the targets will cooperate with the extortion, and the relatively small number of emails per sender makes it easier for attackers to evade detection by traditional security technologies and anti-fraud measures at payment providers and avoid arousing the attention of law enforcement and the media – which would alert potential victims to the scam.

Mark Lukie, Barracuda’s director of solution architects in APAC, said extortion attacks need to be taken seriously by security teams, especially when they are targeting people through their work email accounts.

“How did the attacker get hold of the account details, for example – were they exposed or stolen at some point? Or does it mean that the recipient has used their work account and device for inappropriate activity such as visiting questionable websites?” said Lukie.

“Both scenarios have security implications for the company – and for the target. This can be embarrassing and distressing and can potentially make it more likely a victim will pay,” he added.

According to Barracuda, there are some important steps that security teams can take to keep employees and the wider organisation protected from extortion scams. 

These include investing in AI-powered email security that can detect and block such emails before they reach the intended recipient and prevent attackers from seizing control of accounts and using the company as a base to launch other attacks. 

This should be coupled with employee training and security policies that discourage staff from using their work email to access third party sites or to store sensitive, personal material on work devices – but which also provide them with a safe and confidential place to report an incident.