Email blackmail on the rise


In extortion emails, cybercriminals threaten to publish compromising material about the recipient, such as an embarrassing photo or video, unless a ransom is paid in cryptocurrency. To make the threat look credible, attackers often quote a real password of the victim, bought on underground markets or taken from a data breach, as "proof" that they have access.

To better understand the financial infrastructure behind extortion emails, Barracuda partnered with researchers at Columbia University to analyze more than 300,000 emails that Barracuda Networks' AI-based detectors had flagged as extortion attempts over a one-year period.


Example of an extortion email (Image: Barracuda Networks)

Below we take a closer look at the currencies used in these attacks, how the attackers handle their Bitcoin addresses, the volume of emails sent, and the amounts demanded.

Cryptocurrencies used by extortion attackers

In the data set examined, Bitcoin was the only cryptocurrency the attackers asked for. There are several reasons why criminals prefer Bitcoin for ransom payments. Bitcoin is pseudonymous rather than truly anonymous: transactions are tied to wallet addresses, not to names, and anyone can generate as many addresses as they want at no cost.


The infrastructure around Bitcoin is also well developed, so victims can buy Bitcoin easily, and attackers can further obscure the trail with so-called "mixers": services that pool coins from many wallets and pay them out again in split and recombined amounts to break the link between sender and recipient. Finally, because the blockchain is public, extortionists can check for themselves whether a victim has paid, which removes some of the friction of traditional payment channels.

Analysis of Bitcoin addresses

Although Bitcoin is pseudonymous, analyzing the Bitcoin addresses in extortion emails still reveals a great deal about the attackers and their behavior. For example, if the same Bitcoin address appears in emails received by many different users, those emails can be attributed to the same attacker or group: only the holder of the corresponding private key can spend funds sent to that address.

When the researchers analyzed the data set, they found that the attacks are concentrated on a small number of Bitcoin addresses. There were roughly 3,000 unique Bitcoin addresses in total; the top 10 appeared in about 30 percent of the emails and the top 100 in about 80 percent. This suggests that a small number of attackers is responsible for the vast majority of extortion emails, so stopping those attackers, or reliably blocking their methods, would neutralize a large part of this email threat.

Cross analysis of Bitcoin address and email sender

Another useful signal for attributing emails to specific attackers is the email header fields. The "Sender" field of each email, for example, can be treated as a proxy for the attacker: if several emails come from the same sender, they are assumed to belong to the same attacker. (Sender addresses are attacker-controlled and easy to forge, so this is a weaker identifier than the Bitcoin address, which must stay stable for the attacker to collect payment.) In the study, the emails were grouped by the "Sender" field, and for each sender the researchers counted the number of emails sent and the number of unique Bitcoin addresses used.

This showed that the vast majority of senders used a single Bitcoin address across all their attacks, whether they sent large volumes of email or only a handful. Of the roughly 120,000 unique senders in the data set, fewer than 3,000 sent more than ten emails, and only eight sent more than 500.

The attackers are therefore somewhat lax about concealing their identities and, in the vast majority of cases, reuse the same Bitcoin address across their scams. That makes it possible for law enforcement to trace this small set of Bitcoin addresses, and with them the attackers behind them.
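As an added example written for this article (not code from Barracuda or the study), the following Python script shows how the two analyses above, address concentration and the per-sender cross-analysis, can be reproduced on a mailbox export. It pulls candidate Bitcoin addresses out of message bodies with a regular expression, discards anything that fails the Base58Check checksum (a mistyped or truncated address would otherwise pollute the clustering), and then computes the share of emails covered by the top-N addresses and a per-sender profile (emails sent, unique addresses used). The six sample messages and their sender addresses are constructed for the example; only legacy "1..." and P2SH "3..." addresses are checksum-validated, bech32 "bc1..." addresses are deliberately not handled.

```python
import hashlib
import re
from collections import Counter, defaultdict

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy (P2PKH, leading '1') and P2SH (leading '3') mainnet addresses.
# bech32 ("bc1...") addresses are out of scope for this example.
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def b58decode(s):
    """Decode a Base58 string to bytes; each leading '1' encodes a 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def is_valid_address(addr):
    """Base58Check: version byte + 20-byte hash + first 4 bytes of double-SHA256."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # mainnet P2PKH / P2SH versions
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(text):
    """Unique, checksum-valid addresses in the order they appear in the text."""
    found = []
    for cand in ADDR_RE.findall(text):
        if cand not in found and is_valid_address(cand):
            found.append(cand)
    return found


# Constructed sample messages (not data from the study). The last one carries an
# address whose final character was altered, so its checksum no longer matches.
SAMPLE_EMAILS = [
    {"from": "alice.w@example.net",
     "body": "I know your password is 'hunter2'. Send $1,500 in Bitcoin to "
             "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours."},
    {"from": "alice.w@example.net",
     "body": "Last warning. Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"},
    {"from": "alice.w@example.net",
     "body": "Your time is almost up. 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"},
    {"from": "support@example.org",
     "body": "Transfer the amount to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa today."},
    {"from": "dave@example.com",
     "body": "Pay to 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy or the video goes public."},
    {"from": "eve@example.com",
     "body": "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb or the video goes public."},
]


def top_n_share(emails, n):
    """Fraction of address-bearing emails that use one of the n most common addresses."""
    per_email = [set(extract_addresses(e["body"])) for e in emails]
    per_email = [s for s in per_email if s]  # ignore emails without a valid address
    counts = Counter(a for addrs in per_email for a in addrs)
    top = {a for a, _ in counts.most_common(n)}
    hits = sum(1 for addrs in per_email if addrs & top)
    return hits / len(per_email) if per_email else 0.0


def sender_profile(emails):
    """Map sender -> (emails sent, number of unique valid Bitcoin addresses used)."""
    sent = Counter()
    addrs = defaultdict(set)
    for e in emails:
        sent[e["from"]] += 1
        addrs[e["from"]].update(extract_addresses(e["body"]))
    return {s: (sent[s], len(addrs[s])) for s in sent}


if __name__ == "__main__":
    for n in (1, 2):
        print(f"top {n} address(es) cover {top_n_share(SAMPLE_EMAILS, n):.0%} of emails")
    for sender, (count, uniq) in sender_profile(SAMPLE_EMAILS).items():
        print(f"{sender}: {count} email(s), {uniq} unique address(es)")
```

On the sample data the single most common address covers 80 percent of the address-bearing emails, and every sender with a valid address used exactly one, which is the same pattern the study reports at scale. The checksum step matters in practice: a regular expression alone would have counted the corrupted address in the last message as a sixth "unique" wallet.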

How much money do the blackmailers demand?

To better understand the attackers' behavior, the researchers also examined how much money was demanded and how consistent the amounts were across the data set. Of the 200,000 emails from which a Bitcoin address could be extracted, 97 percent demanded US dollars, 2.4 percent euros, and the remaining 0.6 percent British pounds, Canadian dollars, bitcoin and other currencies. Amounts not denominated in US dollars were converted to their US dollar equivalent on the day the email was sent so that they could be compared. The results were as follows:

  • Almost all attackers demand an amount between $400 and $5,000
  • 25 percent of emails request an amount of less than $1,000
  • Over 90 percent of extortion emails request an amount of less than $2,000
  • The attackers typically demand amounts between $500 and $2,000

This suggests that the demanded amounts cluster in a "sweet spot": high enough to be worthwhile for the attacker, but not so high that the victim refuses to pay or starts checking whether the attacker really has compromising material (which is usually not the case), and low enough not to trigger alerts at the victim's bank or with tax authorities.
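As an added example written for this article (not code from Barracuda or the study), the following Python script reproduces the normalization step just described on constructed message excerpts: it extracts the demanded amount and currency from the body text, converts non-dollar amounts at a per-day reference rate, sorts the results into the $1,000 and $2,000 bands used above, and flags any demand outside the $400 to $5,000 range as out of the ordinary. The rate table, the send dates and the excerpts are all made up for the example.

```python
import re
from datetime import date

# Constructed daily reference rates in USD per unit of currency. A real pipeline
# would look up the closing rate for the day each email was sent.
DAY_1 = date(2023, 3, 1)
DAY_2 = date(2023, 3, 2)
RATES = {
    DAY_1: {"USD": 1.0, "EUR": 1.06, "GBP": 1.20, "CAD": 0.74, "BTC": 23500.0},
    DAY_2: {"USD": 1.0, "EUR": 1.06, "GBP": 1.20, "CAD": 0.74, "BTC": 23400.0},
}
SYMBOLS = {"$": "USD", "€": "EUR", "£": "GBP"}

# Either "<symbol><number>" (e.g. "$1,500") or "<number> <ISO code>" (e.g. "0.05 BTC").
AMOUNT_RE = re.compile(
    r"(?P<sym>[$€£])\s?(?P<n1>\d[\d,]*(?:\.\d+)?)"
    r"|(?P<n2>\d[\d,]*(?:\.\d+)?)\s?(?P<code>USD|EUR|GBP|CAD|BTC)\b",
    re.IGNORECASE,
)

# Bands from the study: the $400-$5,000 "sweet spot" and the $1,000 / $2,000 cut-offs.
SWEET_SPOT = (400.0, 5000.0)
BANDS = (("under_1000", 1000.0), ("1000_to_2000", 2000.0), ("over_2000", float("inf")))


def parse_demand(text):
    """Return (amount, ISO currency code) for the first monetary demand in text, or None."""
    m = AMOUNT_RE.search(text)
    if not m:
        return None
    if m.group("sym"):
        return float(m.group("n1").replace(",", "")), SYMBOLS[m.group("sym")]
    return float(m.group("n2").replace(",", "")), m.group("code").upper()


def to_usd(amount, currency, day):
    """Convert with the reference rate of the day the email was sent."""
    return round(amount * RATES[day][currency], 2)


def band_of(usd):
    """Name of the first band whose upper bound the amount falls below."""
    return next(name for name, upper in BANDS if usd < upper)


# Constructed (body excerpt, send date) pairs; not data from the study.
SAMPLE_DEMANDS = [
    ("Send $1,500 in Bitcoin within 48 hours.", DAY_1),
    ("Transfer 950 USD to the wallet below.", DAY_1),
    ("Pay €900 or the video goes to all your contacts.", DAY_2),
    ("I want £1,200 by Friday.", DAY_2),
    ("Send 0.05 BTC to my wallet.", DAY_1),
    ("Pay 25,000 USD or I release everything.", DAY_2),
    ("Your account was accessed from a new device.", DAY_2),  # no demand at all
]


def summarize(demands):
    """Band counts of USD-normalized demands, plus any demand outside the sweet spot."""
    counts = {name: 0 for name, _ in BANDS}
    anomalies, skipped = [], 0
    for text, day in demands:
        parsed = parse_demand(text)
        if parsed is None:
            skipped += 1
            continue
        usd = to_usd(*parsed, day)
        counts[band_of(usd)] += 1
        if not SWEET_SPOT[0] <= usd <= SWEET_SPOT[1]:
            anomalies.append(usd)
    return {"counts": counts, "anomalies": anomalies, "no_demand": skipped}


if __name__ == "__main__":
    print(summarize(SAMPLE_DEMANDS))
```

Converting at the rate of the send date rather than at today's rate is the detail that makes demands from different months comparable, since the bitcoin-denominated ones swing with the exchange rate. The out-of-band check is a cheap triage rule: a demand far outside the range the study reports does not fit the bulk of the campaigns and deserves a closer look.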

Ways to protect against extortion attacks

If law enforcement tracks down even a small number of these attackers, the criminal operations can be severely disrupted. And because extortionists copy each other's tactics, email security providers should be able to block a large share of these attacks with relatively simple detection rules. Four best practices help companies defend themselves against these attacks:

  • AI-based protection: Attackers adapt extortion emails to slip past conventional email gateways and spam filters, so a spear-phishing protection that specifically covers extortion is a must.
  • Account takeover protection: Many extortion emails are sent from compromised accounts, so companies must ensure that fraudsters cannot use their own mail infrastructure as a launch pad for these attacks. AI-based technologies that detect compromised accounts can help here.
  • Proactive investigations: Because extortion scams are embarrassing by nature, employees may be less willing than usual to report them. Companies should therefore regularly search delivered mail for extortion indicators such as messages about password changes, security warnings and similar content.
  • Security awareness training: Companies should also educate users about extortion attacks and make the topic part of their security awareness training program. Employees should be able to recognize these attacks, understand that the threat is a bluff in most cases, and feel comfortable reporting them. Phishing simulations help test the effectiveness of the training and identify the users most vulnerable to extortion attacks.

Email extortion is a significant threat, with attackers sending millions of malicious messages each year, but it appears to be carried out by a small number of perpetrators using similar tactics. That is grounds for optimism in fighting this particular email threat.

By Dr. Klaus Gheri, Vice President & General Manager Network Security at Barracuda Networks

More at Barracuda.com

 


Via Barracuda Networks

Striving to make the world a safer place, Barracuda believes that every business should have access to cloud-enabled, enterprise-wide security solutions that are easy to purchase, implement and use. Barracuda protects email, networks, data and applications with innovative solutions that grow and adapt as the customer journey progresses. More than 150,000 companies worldwide trust Barracuda to help them focus on growing their business. For more information, visit www.barracuda.com.

