Almost 300 million extortion scam emails were blocked by Symantec in the first five months of 2019. The number is revealed in Symantec's Threat Intelligence blog.
An email arrives in your inbox, with one of your old passwords in the Subject line. Your curiosity is piqued, and you click into the message, only to discover that someone has allegedly hacked your webcam and recorded you engaged in some intimate acts, and they are now threatening to send this recording to everyone in your contact list. However, if you send the anonymous blackmailer a few hundred dollars in bitcoins they promise that no one will see the embarrassing footage.
Most of these sextortion-style scams follow largely the same pattern. Attackers vary the messages, for example by using attachments or obfuscated characters, in an attempt to evade email protection technologies. Some spam filters might work by blocking emails with Bitcoin addresses in the body, which may be why attackers turned to PDF attachments or obfuscated text to try to bypass the filter.
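As an added illustration (not code from Symantec or from the original article), the Python sketch below shows a body-text check that normalizes the message before looking for Bitcoin addresses, so that a plain pattern match is not defeated by obfuscated characters. It assumes the obfuscation is of a kind that Unicode NFKC folding and removal of invisible format characters undo, covers only legacy Base58Check addresses, and does not parse PDF attachments; all function names and sample messages are constructed for the example.

```python
import hashlib
import re
import unicodedata

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape of a legacy Base58 address (leading 1 or 3); bech32 is out of scope here.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(payload: bytes) -> str:
    """Only used to build the constructed sample address below."""
    raw = payload + _checksum(payload)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(s: str) -> bool:
    """Base58Check: 25 bytes, last 4 = double-SHA256 checksum of the first 21."""
    if not s or any(c not in B58 for c in s):
        return False
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    zeros = len(s) - len(s.lstrip("1"))
    raw = b"\0" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and raw[-4:] == _checksum(raw[:-4])

def normalize(text: str) -> str:
    """Fold compatibility forms (e.g. fullwidth) and drop invisible format chars."""
    folded = unicodedata.normalize("NFKC", text)
    return "".join(c for c in folded if unicodedata.category(c) != "Cf")

def find_addresses(body: str) -> list[str]:
    hits = CANDIDATE.findall(normalize(body))
    return sorted({h for h in hits if is_valid_address(h)})

# Constructed sample data: an address derived from a made-up 20-byte hash.
ADDR = b58check_encode(b"\x00" + bytes(range(1, 21)))
PLAIN = f"Send $500 in bitcoin to {ADDR} within 48 hours."
ZERO_WIDTH = f"Send to {chr(0x200B).join(ADDR)} now."
FULLWIDTH = "Wallet: " + "".join(chr(ord(c) + 0xFEE0) for c in ADDR)

if __name__ == "__main__":
    for body in (PLAIN, ZERO_WIDTH, FULLWIDTH):
        print(bool(CANDIDATE.search(body)), find_addresses(body))
```

The checksum step keeps the check from firing on arbitrary 26 to 35 character alphanumeric strings such as order or tracking identifiers.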
The majority of emails also contain a password or partial phone number previously (or perhaps still) associated with the email address the email is sent to. This is included to make it appear the attacker has access to private information about the recipient—when in fact they almost certainly obtained it from one of the many large password dumps of recent years.
As these email extortion scams are typical cyber crime activity, it is not clear exactly who is behind these attacks, but Symantec believes that a minimum of two cyber crime groups are engaged in this kind of activity, though there are potentially also many others. The barriers to entry for criminals are quite low for these scams—they do not necessarily require a huge degree of technical knowledge, and criminals only need a small percentage of them to be successful to make a profit.
When it comes to the success of these scams, Symantec looked at the 5,000 most-seen Bitcoin addresses in May and found that 63 of those wallets received bitcoins in 243 transactions. In total, the wallets received 12.8 bitcoins in that period. At the end of May one bitcoin was worth approximately US$8,300, meaning these wallets received a total of approximately US$106,240. Taking that as the average amount made in a 30-day period by these kinds of scams, it means they are making just over US$1.2 million in a year ($1,292,586). For the amount of effort and skill that is required to carry out these scams, it represents a pretty good return on investment.
Almost all these wallets had been cleared out when we examined them at the end of May—it appears the criminals involved are not leaving any funds in these wallets for too long.
These scams are still being actively sent, so consumers should be aware of them and of the steps they can take to avoid falling victim.