Blackmail on the Internet doesn’t necessarily boil down to the use of malicious code. Of course, crypto ransomware viruses like GandCrab dominate the online extortion ecosystem, at least in terms of the gross amount of money that the victims cough up for decrypting their hostage data. However, there are other intricate schemes that are doing the rounds and gearing up for a rise.
Most of these extortion campaigns are based on empty threats. The perpetrators don’t have any incriminating videos of the victims, nor will they blow up any buildings or hire a killer in case of non-payment. Although this sure sounds like good news, the bad news is that many people actually get on the hook and submit the ransoms.
Obviously, there is something about these hoaxes that makes them appear credible. But what is it? How are cybercrooks balancing on the slim edge between outright bluff and something trustworthy? The examples of the more “exotic” online extortion methods below might shed some light on this matter.
As the structure of the term suggests (sex + extortion), this type of e-blackmail revolves around demanding money for not disclosing some intimate facts about the victim’s adult interests and deeds. The scammer impersonates a member of an international hacking group and claims to have breached all of the user’s accounts.
To add insult to injury, the self-proclaimed hacker says he has accessed the webcam to record a video of the user visiting an adult website and compiled it with the content being viewed there. The con artist then threatens to send this material to the victim’s contacts, including friends and relatives, unless a ransom amounting to $800-$1500 worth of Bitcoin is paid within 48 hours.
The trickiest part, though, is that the extortion email appears to come from the target’s real email address. This is supposed to prove that the compromise actually took place.
However, the malefactor simply uses the notorious technique of spoofing the email sender to make the menace look more true-to-life and pressure the recipient into taking action. In some cases, the account credentials could have ended up in the wrong hands due to a data leak incurred by a major Internet service.
In fact, there is no spyware on the user’s computer, and the targeted hack never happened. The victim can safely delete this spoofed email, yet some people reportedly end up falling for the hoax and send the ransoms.
Another form of online extortion gaining momentum lately follows a much more deleterious logic and has drawn the attention of law enforcement in several countries. The perpetrators have been sending bogus bomb threats to numerous organizations in the United States, Canada, the United Kingdom, the Netherlands, Sweden, and Switzerland.
According to security researchers’ findings, these emails come from Russia and their subject can be one of the following: “No need to be heroic”, “Your building is under my control”, or “My device is inside your building”. The adversary tries to convince the recipient that their mercenary has hidden a bomb in the business premises and will detonate it by the end of the workday unless a ransom of $20,000 is paid in Bitcoin. According to the deceptive message, the deadly mechanism may go off earlier than that if the target calls the police.
Whereas analysts have unearthed ties between this campaign and the recent sextortion wave described above, the impact of bomb threats – even fake ones – is much more serious. They affect entire businesses, and every such report is subject to official law enforcement investigation. Interestingly, as opposed to the more successful sextortion scam, the BTC addresses associated with this particular hoax haven’t received any payments at the time of this writing.
This technique demonstrates that the current trends of online extortion continue to migrate into the realm of physical threats – a questionably reasonable shift for the crooks, actually. Preceded by a plethora of phony bomb reports, the hitman blackmail targets specific individuals with scary messages about intended murder.
The extortionist passes himself off as an owner of a darknet site that purportedly offers different kinds of shady services, including apparently criminal ones. According to the ransom message with the subject field saying, “Pretty significant material for you right here”, someone hired a hitman to kill the recipient for $4,000. However, the sender claims he often has to “remove the hitman” after the job is done, so he is considering the effortless option of cancelling the order in exchange for a smaller amount of money from the target.
In the latter scenario, the ransom is $1,200 worth of Bitcoin. The crook promises the victim to additionally disclose the “customer’s” identity after the payment. The message also emphasizes that the user is pressed for time and has 38 hours to submit the cryptocurrency, otherwise, the alleged execution will take effect.
Similarly to the bomb threat extortion, the BTC address of the malefactor hasn’t received any payments at this point. Hopefully, it will stay that way and nobody will succumb to the fraudulent demands.
The bottom line
The common denominator of these extortion vectors is that they are all bark and no bite. Only one of them, the sextortion scheme, proved to be effective for the criminals, though. It is subtle and manipulates the victims’ natural desire to safeguard their private life. People had been quietly paying up until the issue of bluff-based extortion became the talk of the town.
With the bomb and hitman threats, the scammers obviously took a wrong turn. First of all, these schemes evoke a great deal of repulsion. Secondly, the ransoms are higher. And thirdly, the implication of physical injury has incentivized the victims to report these incidents to the police. Media coverage has also contributed to general awareness about these frauds and incited public discussion.
It is very difficult for law enforcement agencies to catch these cyber criminals. They use VPN software, TOR and other secure networks to hide their real IP addresses. Some hackers just rent spam botnets from other hackers. Such botnets consist of hacked computers that send emails on behalf of their owners.
If you have received one of these messages over email, the rule of thumb is to refrain from plunging headlong into sending the ransom. You are most likely dealing with a scammer who knows how human psychology works.