
In extortion emails, cybercriminals threaten to publish compromising information about their victims, such as an embarrassing photo, and demand payment in cryptocurrency. Attackers often purchase victims' login credentials or obtain them through data breaches to "prove" that their threat is legitimate.
To better understand the financial infrastructure attackers use in extortion emails, Barracuda partnered with researchers at Columbia University to analyze more than 300,000 emails that Barracuda Networks' AI-based detectors had flagged as extortion attacks over a one-year period.
Below we'll take a closer look at the currencies used in these attacks, how the attackers use Bitcoin addresses, the volume of emails sent, and the amounts of money requested.
Cryptocurrencies used by extortion attackers
In the data set examined, Bitcoin is the only cryptocurrency used by attackers. There are several reasons why criminals use Bitcoin as their preferred payment method for ransoms. Bitcoin is largely anonymous, transactions are processed via wallet addresses, and anyone can generate as many wallet addresses as they want.
Additionally, the infrastructure surrounding Bitcoin is well developed, making it easy for victims to purchase Bitcoin and allowing attackers to further anonymize their actions using so-called “mixers”: services designed to conceal transaction history by randomly combining and splitting Bitcoin from numerous wallets. Moreover, because the blockchain is public, extortionists can easily verify whether a victim has paid, avoiding some of the problems encountered with traditional payment methods.
Analysis of Bitcoin addresses
Although Bitcoin is anonymous, analyzing the Bitcoin addresses in extortion emails still reveals some very interesting information about the attackers and their behavior. For example, if the same Bitcoin address appears in emails received by multiple users, those emails can be attributed to the same attacker or group of attackers.
When analyzing the data set examined, the researchers found that the attacks are concentrated on a small number of Bitcoin addresses. In total, there were about 3,000 unique Bitcoin addresses, of which the top 10 appeared in about 30 percent of the emails and the top 100 appeared in about 80 percent of the emails. This suggests that a small number of attackers are responsible for the vast majority of extortion emails. So if you can stop these attackers or effectively block their methods, a large part of this email threat can be neutralized.
Cross-analysis of Bitcoin address and email sender
Another important piece of information for attributing emails to specific attackers is the email header fields. For example, the "Sender" field of each email can be treated as a proxy for the attacker: if multiple emails come from the same sender, they belong to the same attacker. In the study, the emails were grouped by the "Sender" field, and for each sender the researchers counted the number of emails sent and the number of unique Bitcoin addresses used.
This showed that the vast majority of all senders used the same Bitcoin address in their attacks. This applies both to attackers who sent large numbers of emails and to blackmailers who only worked with small quantities. Additionally, of the 120,000 unique senders in the entire data set, fewer than 3,000 senders sent more than ten emails. Only eight senders sent more than 500 emails.
This shows that the attackers are somewhat lax in concealing their identities and in the vast majority of cases use the same Bitcoin address for their scams. This creates the possibility that this small number of Bitcoin addresses (and attackers) can be tracked down by law enforcement.
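The two analyses above (address concentration, and the per-sender cross-analysis) can be reproduced on any corpus of flagged messages with a short script. The following is an added example, not code from the Barracuda/Columbia study: it pulls Bitcoin address candidates out of message bodies with a loose syntactic regex (it does not validate checksums), measures what share of the corpus the k most frequent addresses cover, counts emails and distinct addresses per sender, and lists addresses shared by more than one sender. The senders, bodies and addresses are constructed placeholders, not real wallets or actors.

```python
import re
from collections import Counter, defaultdict

# Candidate Bitcoin addresses as they appear in message bodies: legacy/P2SH
# base58 addresses (leading 1 or 3) and bech32 addresses (leading bc1).
# Assumption: this is a loose syntactic match and does not verify checksums.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"
)

# Constructed placeholder addresses: they fit the pattern but are not real wallets.
ADDR_A = "1" + "A" * 33
ADDR_B = "3" + "B" * 33
ADDR_C = "bc1" + "q" * 39


def make_body(address, amount):
    """Constructed extortion-style body; only the address and amount vary."""
    return (f"I have a recording from your webcam. Send {amount} USD to wallet "
            f"{address} within 48 hours or it goes to all your contacts.")


# Constructed sample corpus of (sender, body): four senders, ten messages.
# s1 and s4 reuse the same address, which links them to one actor.
SAMPLE_EMAILS = (
    [("s1@example.net", make_body(ADDR_A, 1500))] * 5
    + [("s2@example.org", make_body(ADDR_B, 900))] * 3
    + [("s3@example.com", make_body(ADDR_C, 2500))]
    + [("s4@example.net", make_body(ADDR_A, 1500))]
)


def extract_addresses(body):
    """Distinct address candidates in one message body."""
    return sorted(set(BTC_ADDRESS_RE.findall(body)))


def address_counts(emails):
    """How many emails mention each address (an email counts once per address)."""
    counts = Counter()
    for _sender, body in emails:
        counts.update(extract_addresses(body))
    return counts


def top_k_coverage(emails, k):
    """Share of emails that mention at least one of the k most frequent addresses."""
    top = {addr for addr, _n in address_counts(emails).most_common(k)}
    covered = sum(1 for _s, body in emails if top & set(extract_addresses(body)))
    return covered / len(emails)


def sender_stats(emails):
    """Per sender: (number of emails sent, number of distinct addresses used)."""
    per_sender = defaultdict(lambda: [0, set()])
    for sender, body in emails:
        per_sender[sender][0] += 1
        per_sender[sender][1].update(extract_addresses(body))
    return {s: (n, len(addrs)) for s, (n, addrs) in per_sender.items()}


def senders_by_address(emails):
    """Each address with the set of senders that used it; shared addresses link senders."""
    linked = defaultdict(set)
    for sender, body in emails:
        for addr in extract_addresses(body):
            linked[addr].add(sender)
    return dict(linked)


if __name__ == "__main__":
    for k in (1, 2):
        print(f"top-{k} addresses cover {top_k_coverage(SAMPLE_EMAILS, k):.0%} of emails")
    for sender, (n, a) in sender_stats(SAMPLE_EMAILS).items():
        print(f"{sender}: {n} emails, {a} distinct address(es)")
    for addr, senders in senders_by_address(SAMPLE_EMAILS).items():
        if len(senders) > 1:
            print(f"{addr[:8]}... shared by {sorted(senders)}")
```

On the constructed corpus the single most frequent address covers 60 percent of messages and the top two cover 90 percent, and the shared address ties two senders together, which is the same kind of signal the study used to conclude that a handful of actors account for most of the traffic.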
How much money do the blackmailers demand?
To better understand the attackers' behavior, the researchers also examined how much money the attackers demanded and how consistent the amount was in the data set examined. Of the 200,000 emails from which Bitcoin addresses could be extracted, 97 percent asked for US dollars, 2.4 percent for euros and the remaining 0.6 percent for British pounds, Canadian dollars, bitcoin, and so on. For comparison, any amount not in US dollars was converted into its US dollar equivalent on the day the email was sent. The results were as follows:
- Almost all attackers demand an amount between $400 and $5,000
- 25 percent of emails request an amount less than $1,000
- Over 90 percent of extortion emails request an amount less than $2,000
- The attackers typically demand amounts between $500 and $2,000
This suggests that the demanded amounts cluster in a "sweet spot": high enough to be worthwhile for the attacker, but not so high that the victim refuses to pay or checks whether the attacker actually holds compromising material (which is usually not the case), and low enough not to raise alarms with the victim's bank or tax authorities.
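Normalising the demanded amounts the way the study describes (different currencies, converted to US dollars at the rate of the send date) has a few parsing pitfalls, chiefly the European thousands separator ("1.500 €") versus the decimal point. The following added example, not the study's own code, parses the three spellings that occur in practice (symbol-prefixed, code-prefixed, code-suffixed), converts with a constructed daily rate table, and reports the same kind of summary figures listed above. The emails, dates and exchange rates are constructed; the separator heuristic in parse_number is an assumption.

```python
import re
from datetime import date

# Constructed daily USD rates per unit of currency. A real pipeline would look
# up the historical rate for the day each email was sent.
USD_PER_UNIT = {
    (date(2023, 3, 1), "EUR"): 1.06,
    (date(2023, 3, 1), "GBP"): 1.20,
    (date(2023, 3, 1), "CAD"): 0.73,
    (date(2023, 6, 1), "BTC"): 27000.0,
}

SYMBOL_TO_CODE = {"$": "USD", "€": "EUR", "£": "GBP"}
CODES = "USD|EUR|GBP|CAD|BTC"

# Three spellings: "$1,500" / "€1.500", "CAD 2,000", "0.05 BTC" / "1200 USD".
AMOUNT_RE = re.compile(
    rf"(?P<sym>[$€£])\s?(?P<n1>\d[\d.,]*)"
    rf"|\b(?P<c1>{CODES})\s?(?P<n2>\d[\d.,]*)"
    rf"|(?P<n3>\d[\d.,]*)\s?(?P<c2>{CODES})\b",
    re.IGNORECASE,
)


def parse_number(text):
    """Turn "1,500", "1.500", "0.05", "2,4" or "1,500.50" into a float.
    Assumption: a separator followed by exactly three digits is a thousands
    separator; if both separators occur, the last one is the decimal mark."""
    text = text.strip(".,")
    if "," in text and "." in text:
        dec = text[max(text.rfind(","), text.rfind("."))]
        thou = "," if dec == "." else "."
        return float(text.replace(thou, "").replace(dec, "."))
    if re.fullmatch(r"\d{1,3}(?:[.,]\d{3})+", text):
        return float(text.replace(",", "").replace(".", ""))
    return float(text.replace(",", "."))


def extract_demand(body):
    """First (currency code, amount) found in the body, or None."""
    m = AMOUNT_RE.search(body)
    if not m:
        return None
    if m.group("sym"):
        return SYMBOL_TO_CODE[m.group("sym")], parse_number(m.group("n1"))
    if m.group("c1"):
        return m.group("c1").upper(), parse_number(m.group("n2"))
    return m.group("c2").upper(), parse_number(m.group("n3"))


def to_usd(code, amount, sent_on):
    """Convert to USD at the rate recorded for the send date."""
    if code == "USD":
        return amount
    return amount * USD_PER_UNIT[(sent_on, code)]


# Constructed sample of (send date, body text).
SAMPLE = [
    (date(2023, 3, 1), "Send $1,500 within 48 hours."),
    (date(2023, 3, 1), "Pay $800 or the video goes out."),
    (date(2023, 3, 1), "Transfer €1.500 to the wallet below."),
    (date(2023, 3, 1), "You owe me £900."),
    (date(2023, 6, 1), "Send 0.05 BTC to the address below."),
    (date(2023, 3, 1), "Pay CAD 2,000 in bitcoin."),
    (date(2023, 3, 1), "The price is $3,500."),
    (date(2023, 3, 1), "$950 and this ends."),
    (date(2023, 3, 1), "1200 USD, no negotiation."),
    (date(2023, 3, 1), "Amount: $1,750."),
]


def demands_in_usd(sample):
    """USD-normalised demand for each message that states one."""
    values = []
    for sent_on, body in sample:
        found = extract_demand(body)
        if found:
            values.append(to_usd(found[0], found[1], sent_on))
    return values


def distribution(values):
    """Summary statistics of the same kind the study reports."""
    ordered = sorted(values)
    n = len(ordered)
    median = ordered[n // 2] if n % 2 else (ordered[n // 2 - 1] + ordered[n // 2]) / 2
    return {
        "share_under_1000": sum(v < 1000 for v in values) / n,
        "share_under_2000": sum(v < 2000 for v in values) / n,
        "share_400_to_5000": sum(400 <= v <= 5000 for v in values) / n,
        "median_usd": median,
    }


if __name__ == "__main__":
    for key, val in distribution(demands_in_usd(SAMPLE)).items():
        print(f"{key}: {val:.2f}")
```

The separator heuristic is what keeps "€1.500" from being read as one and a half euros; without it the euro-denominated demands would be silently dropped out of the $400 to $5,000 band and skew the distribution.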
Ways to protect against extortion attacks
If law enforcement authorities track down even a small number of attackers, criminal operations can be severely disrupted. Additionally, as extortionists adopt tactics from one another, email security providers should be able to block a large percentage of these attacks using simple detection tools. Here are four best practices companies can use to defend themselves against these types of attacks:
- AI-based protection: Attackers adapt extortion attacks to bypass email gateways and spam filters, so a good spear phishing solution that protects against extortion is a must.
- Account takeover protection: Many extortion attacks come from compromised accounts. Therefore, it is important to ensure that fraudsters do not use the company as a base for these attacks. This is where technologies that use artificial intelligence to detect when accounts have been compromised can help.
- Proactive investigations: Given the embarrassing nature of extortion scams, employees may be less willing than usual to report these attacks. Therefore, companies should conduct regular scans of delivered messages to identify emails related to password changes, security warnings, and similar content.
- Security awareness training: Companies should also educate users about extortion attacks and make the topic part of their security awareness training program. It should be ensured that employees recognize these attacks, understand their fraudulent nature and feel comfortable reporting them. Using phishing simulations also helps test the effectiveness of training and identify users most vulnerable to extortion attacks.
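The "proactive investigations" practice above, scanning already delivered mail for extortion traffic that employees may be reluctant to report, can be done with a simple weighted-indicator rule; this matches the text's observation that these attacks are similar enough to be caught by simple detection tools. The following is an added example written for this page, not a Barracuda product feature: it scores each delivered message on indicators such as a cryptocurrency address, a credential claim, a reference to compromising material and a deadline, and returns the messages worth a security team's review. The mailbox contents and the indicator weights are constructed and should be tuned against real mail flow.

```python
import re

# Weighted indicators of an extortion message. Assumption: the weights are
# illustrative; tune them against your own mail flow.
INDICATORS = {
    "crypto_address": (re.compile(
        r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"), 3),
    "crypto_payment": (re.compile(r"\b(?:bitcoin|btc|wallet)\b", re.I), 2),
    "credential_claim": (re.compile(
        r"\b(?:your password|password is|your credentials)\b", re.I), 2),
    "compromising_material": (re.compile(
        r"\b(?:webcam|recording|video of you|compromising|embarrassing)\b", re.I), 2),
    "threat_to_publish": (re.compile(
        r"\b(?:all your contacts|publish|everyone you know)\b", re.I), 2),
    "deadline": (re.compile(r"\b\d{1,3}\s*(?:hours|days)\b", re.I), 1),
}
FLAG_THRESHOLD = 6

# Constructed mailbox of already delivered messages (id -> body text).
# m1 is the extortion sample; m2 is a legitimate password-change notice that
# a keyword-only scan would confuse with it.
MAILBOX = {
    "m1": ("I know your password is Sample-Pass-2019. My malware recorded you via "
           "your webcam. Send 0.05 BTC to wallet " + "1" + "A" * 33 + " within 48 "
           "hours or the video goes to all your contacts."),
    "m2": ("Your password was changed on the HR portal. If you did not do this, "
           "contact IT within 24 hours."),
    "m3": "Hi, the invoice is attached. Payment is due in 30 days. Thanks!",
    "m4": "Security notice: a new sign-in to your account was detected.",
}


def score_message(body):
    """Total weight of matching indicators and the names of the ones that matched."""
    hits = [name for name, (pattern, _w) in INDICATORS.items() if pattern.search(body)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits


def triage(mailbox, threshold=FLAG_THRESHOLD):
    """Messages at or above the threshold, highest score first."""
    scored = [(mid, *score_message(body)) for mid, body in mailbox.items()]
    flagged = [row for row in scored if row[1] >= threshold]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for mid, score, hits in triage(MAILBOX):
        print(f"{mid}: score {score} -> review ({', '.join(hits)})")
```

The point of weighting rather than keyword-matching is visible in the constructed mailbox: the genuine password-change notice (m2) mentions a password and a deadline and scores 3, well under the threshold, while the extortion message (m1) accumulates the address, payment, credential, material and deadline indicators together and is the only one surfaced for review.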
Email extortion is a significant threat, with attackers sending millions of malicious messages to victims each year, but it appears to be carried out by a small number of perpetrators who use similar tactics. This makes us optimistic about combating this particular email threat.
By Dr. Klaus Gheri, Vice President & General Manager Network Security at Barracuda Networks
About Barracuda Networks: Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.