The initial email in this attack was written in French and impersonated a Europol inspector with a message that asked the recipient to read the attached file and respond to its content within 48 hours. The email stated that if the recipient did not respond, local law enforcement authorities would be contacted and “mass media” would be notified. The email was sent from a likely compromised email account, but the reply-to address was set to a separate account that was created using Mail.com, a free webmail provider.

French Extortion Email

The attached JPEG file contained a supposed letter from the Gendarmerie Nationale (French national law enforcement). The letter stated that a joint investigation with Europol had resulted in the seizure of explicit materials and that the recipient was now the subject of legal proceedings. On that basis, the letter demanded that the recipient send an email within 72 hours to a new account whose address resembled that of an official cybercrime unit, after which an arrest warrant would be drawn up against the recipient and they would be listed as a sex offender. Additionally, the letter threatened to release the recipient’s “file” to the media so that their “family, loved ones and all of Europe” would be informed about what “you are doing in front of your computer.” Based on the subsequent actions in similar attacks, had a target reached out to the address provided, the likely next step would have been the attacker attempting to extort money from the recipient to make the “investigation” go away.

French Extortion Attachment

Email English Translation:

Court notification

Please read this attached file carefully and respond to us within 48 hours, otherwise the authorities in your locality will intervene and the mass media will be informed of your actions.

Attachment English Translation:

For the purposes of a judicial inquiry

(Article 390-1 of the Code of Criminal Procedure)

I am Mr Bruno Jockers, Inspector General of the National Gendarmerie, in collaboration with the European Office of Police (Europol). I contact you shortly after a computer seizure of cyber-infiltration (authorized, in particular, in matters of child pornography, pornographic sites and cyber pornography) to inform you that you are the subject of several legal proceedings in force:

* CHILD PORNOGRAPHY

* PORN SITE

* CYBER PORN

* HIJACK OF MINORS

You are requested to make yourself heard by email: office.cybercrime@ncscoffice.com by writing us your justifications so that they can be examined and checked so as to assess the sanctions; this within a strict deadline of 72 hours. After this period, we will be obliged to send our report to Mrs. Maryvonne CAILLIBOTTE, deputy public prosecutor at the high court of Versailles and specialist in cybercrime to draw up an arrest warrant against you, and you will be listed as a sex offender. Your file will also be sent to the media for dissemination where your family, loved ones and all of Europe will see what you are doing in front of your computer.

Now you are warned

How Does This Attack Bypass Email Defenses?

Because the content of the attack email was text-based, without any other indicators of compromise, there was little for a secure email gateway to use to determine malicious intent. Since the extortion letter was attached as a JPEG, its text could not be extracted and compared against known bad text strings. Because the email was sent from a legitimate account that was likely compromised and had no history of abuse, there were no direct signals indicating that the email’s origin was malicious. The reply-to address was an account hosted on Mail.com, so there was no bad domain reputation for traditional security providers to discover, and the email passed all authentication checks for SPF, DKIM, and DMARC.

How Can This Attack Be Detected?

Natural language processing can be used to enable cloud email security solutions to detect the themes and content commonly used in text-based extortion attacks. Email header analysis showed that the message failed a DKIM authentication check, indicating potential misuse of the sender’s domain.
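As an added example, not part of the original analysis, the following Python triage routine checks a raw message for the indicators described in this case: a Reply-To domain that differs from the visible sender, a free-webmail reply address, a DKIM failure recorded in the Authentication-Results header, a letter carried only as an image attachment, and deadline/legal-threat wording in the subject or body. The sample message, its addresses and the keyword lists are constructed placeholders, not data from the real campaign.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed, non-exhaustive lists: free-webmail domains and extortion-theme phrases
# (French and English) of the kind seen in this case (48/72-hour deadlines, authorities,
# mass media, arrest warrant).
FREEMAIL = {"mail.com", "gmail.com", "outlook.com", "yahoo.com"}
THEMES = [r"\b(24|48|72)\s*(hours|heures)\b", r"\b(autorit[ée]s|authorities)\b",
          r"\bmass media\b", r"\bmandat d['’]arr[êe]t\b|\barrest warrant\b"]

def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def extortion_indicators(raw: bytes) -> list:
    """Return the names of the indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", "")) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        hits.append("reply_to_mismatch")      # replies go somewhere other than the sender
    if reply_dom in FREEMAIL:
        hits.append("freemail_reply_to")      # throwaway webmail account collects replies
    if re.search(r"\bdkim=fail\b", str(msg.get("Authentication-Results", ""))):
        hits.append("dkim_fail")              # receiving MTA recorded a DKIM failure
    images = [p for p in msg.iter_attachments() if p.get_content_maintype() == "image"]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if images and len(text.split()) < 60:
        hits.append("image_only_attachment")  # short text; the real content is in the image
    haystack = f"{msg.get('Subject', '')}\n{text}"
    if sum(bool(re.search(p, haystack, re.I)) for p in THEMES) >= 2:
        hits.append("extortion_theme")        # two or more deadline/threat phrases
    return hits

def sample_message() -> bytes:
    """Constructed sample modelled on the case (placeholder addresses, not real IoCs)."""
    m = EmailMessage()
    m["From"] = "Inspecteur Europol <inspecteur@compromised.example>"
    m["Reply-To"] = "reponse.dossier@mail.com"
    m["Subject"] = "Notification de justice"
    m["Authentication-Results"] = "mx.example; spf=pass; dkim=fail header.d=compromised.example"
    m.set_content("Veuillez lire attentivement le fichier ci-joint et nous repondre sous "
                  "48 heures, sinon les autorites de votre localite interviendront.")
    m.add_attachment(b"\xff\xd8\xff\xe0JPEGBYTES", maintype="image", subtype="jpeg",
                     filename="convocation.jpg")
    return m.as_bytes()
```

Each indicator on its own is weak; the value is in the combination, which is why the function returns the full list rather than a single verdict.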

What are the Risks of This Attack?

While extortion emails may be seen as relatively simplistic and trivial attacks, the fact that they’re still common means attackers are generating a good ROI from the campaigns. If a victim complied with the attacker’s demands, whether out of embarrassment or fear, they would be out an unknown amount of money. While this is not a direct business loss, this type of attack can distract employees from their work and in some cases, make them fearful of their future with the company.

Analysis Overview

Vector: Payload-based

Goal: Extortion

Tactic: Free Webmail Account, External Compromised Account

Theme: Legal Matter

Impersonated Brands: Europol

Language: French
