Extortion Attack Claims to Have Installed Malware as a Pretext to Demand Bitcoin

This extortion email started with a claim that the recipient’s computer had been infected with a RAT (remote access/administration trojan), a piece of malware that would enable an attacker to access a victim’s computer. The attacker claimed to have recorded explicit videos of the recipient and demanded that the recipient pay $950 to the attacker or else the videos would be sent to the recipient’s friends and family. The attacker asked for the ransom to be paid in bitcoin and provided a wallet address the target could send the money to. The attacker sent the email from a spoofed email address that matched the recipient’s address.

Because the attack is text-based, without any other indicators of compromise, there is little for a secure email gateway to use to determine malicious intent. The spoofed domain did not have an effective DMARC policy in place to reject any unauthorized senders that attempt to send emails from an address on the domain.

Natural language processing can be used to enable cloud email security solutions to detect themes and content commonly used in text-based extortion attacks. Bitcoin wallet addresses, which are generally provided in extortion emails, can be identified using a simple regular expression. The sending and receiving email addresses in this email were identical, which is an indicator that this message is potentially malicious.

While extortion emails may be seen as relatively simplistic attacks, the fact that they’re still common means attackers are generating a good ROI from the campaigns. If a victim complied with the attacker’s demands, possibly out of embarrassment or fear, they would be out $950, which is unlikely to be recovered since it would be sent using bitcoin. While this is not a direct business loss, this type of attack can distract employees from their work and could make them fearful of their future with the company.