Cyber Security

The protection of internet-connected systems, including hardware, software and data, from cyberattacks

New research reveals how scammers keep cyber extortion attacks under the radar

New research shows that email fraudsters trying to extort money from victims by threatening to release embarrassing or illicit material target no more than 10 work email accounts at a time and make moderate payment demands – around $1,000 USD in bitcoin. Such tactics could help attackers stay under the radar and avoid alerting potential victims, security teams and payment systems.

A team of researchers at Columbia University analyzed 300,000 emails detected as blackmailing scams over a period of 12 months by Barracuda Networks’ AI-based detectors. The overall goal was to understand the financial infrastructure attackers use for extortion emails. Extortion attacks threaten to expose compromising information, such as photos, videos, or details of illicit online activity, unless the victim pays the attackers – generally in a cryptocurrency such as bitcoin. The research findings are detailed in a new Barracuda Threat Spotlight.


Understanding the attack model

The team at Columbia grouped the extortion emails by the bitcoin wallet addresses in them. They assumed that an attacker would use the same bitcoin wallet for all their attacks so that one wallet = one attacker. The team found 3,000 unique bitcoin wallet addresses. Of these, 100 wallets appear in 80% of the emails. This suggests that a relatively small number of attackers were responsible for most of the extortion emails.

The team also looked at the “sender” email field of each extortion email. They assumed that an attacker would use the same account for all the emails distributed in a single attack but might use a different account for another attack, and so on. The team found that 97% of sender accounts sent out fewer than 10 attack emails each, and 90% of the attacks demanded payments of less than $2,000 USD in bitcoin.
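The wallet-based and sender-based grouping described above, as an added example that is not the Columbia team's code: it pulls the bitcoin address and the dollar demand out of each message, groups messages by wallet (one wallet = one attacker) and by sender (one sender = one attack), and reports the same concentration figures the study quotes. The messages and wallet strings are constructed placeholders, and the thresholds are the study's (10 emails per sender, $2,000 per demand).

```python
import re
from collections import Counter

# Legacy (1.../3...) base58 and bech32 (bc1...) bitcoin address shapes.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
USD_DEMAND = re.compile(r"\$\s?([0-9][0-9,]*)")

# Constructed sample (not real data); wallet strings are placeholders shaped like real addresses.
WALLET_A = "1AttackerWa11etP1aceho1derXXXXXXXX"
WALLET_B = "bc1qfakewalletsamplexxxxxxxxxx"
WALLET_C = "3ThirdConstructedWa11etAddressXXXXX"
SAMPLE_EMAILS = [
    {"sender": "s1@example.org", "body": f"Send $900 in bitcoin to {WALLET_A} within 48 hours."},
    {"sender": "s1@example.org", "body": f"Pay $1,000 to {WALLET_A} or the video goes out."},
    {"sender": "s2@example.org", "body": f"Transfer $1,200 to {WALLET_A}. You have two days."},
    {"sender": "s3@example.org", "body": f"I want $1,500 sent to {WALLET_B}."},
    {"sender": "s4@example.org", "body": f"Pay $5,000 to {WALLET_B} immediately."},
    {"sender": "s5@example.org", "body": f"$800 to {WALLET_C} and this stays between us."},
    {"sender": "s6@example.org", "body": "Pay me or else."},  # no wallet: cannot be grouped
]

def extract_wallet(body):
    m = BTC_ADDRESS.search(body)  # first bitcoin address in the body
    return m.group(0) if m else None  # None when the email names no wallet

def extract_demand_usd(body):
    m = USD_DEMAND.search(body)  # first "$1,234"-style figure in the body
    return int(m.group(1).replace(",", "")) if m else None

def summarize(emails, top_wallets=2, per_sender_max=10, demand_max=2000):
    """Group by wallet (one wallet = one attacker) and by sender (one sender = one attack)."""
    wallet_counts, sender_counts, demands = Counter(), Counter(), []
    for e in emails:
        wallet = extract_wallet(e["body"])
        if wallet is None:
            continue  # no payment address, so nothing to cluster on
        wallet_counts[wallet] += 1
        sender_counts[e["sender"]] += 1
        usd = extract_demand_usd(e["body"])
        if usd is not None:
            demands.append(usd)
    total = sum(wallet_counts.values())
    top = sum(n for _, n in wallet_counts.most_common(top_wallets))  # emails from busiest wallets
    small = sum(1 for n in sender_counts.values() if n < per_sender_max)
    modest = sum(1 for d in demands if d < demand_max)
    return {"unique_wallets": len(wallet_counts),
            "top_wallet_share": top / total if total else 0.0,
            "small_sender_share": small / len(sender_counts) if sender_counts else 0.0,
            "modest_demand_share": modest / len(demands) if demands else 0.0}
```

On the sample, two of three wallets account for five of the six groupable emails, every sender sent fewer than 10 messages, and five of six demands are under $2,000.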

“Our analysis suggests that extortion scams are implemented by a relatively small number of perpetrators, each firing off multiple small-scale attacks with moderate extortion demands,” said Asaf Cidon, Associate Professor of Electrical Engineering at Columbia University. “These relatively modest sums make it likelier the targets will cooperate with the extortion, and the relatively small number of emails per sender makes it easier for attackers to evade detection by traditional security technologies and anti-fraud measures at payment providers and avoid arousing the attention of law enforcement and the media – which would alert potential victims to the scam.”


Keeping employees and the organization protected

“Extortion attacks need to be taken seriously by security teams, especially when they are targeting people through their work email accounts,” said Nishant Taneja, Senior Director, Product Marketing, Email Protection at Barracuda. “How did the attacker get hold of the account details, for example – were they exposed or stolen at some point? Or does it mean that the recipient has used their work account and device for inappropriate activity such as visiting questionable websites? Both scenarios have security implications for the company – and for the target. This can be embarrassing and distressing and can potentially make it more likely a victim will pay.”

There are some important steps that security teams can take to keep employees and the wider organization protected from extortion scams. These include investing in AI-powered email security that can detect and block such emails before they reach the intended recipient, and that can prevent attackers from seizing control of accounts and using the company as a base from which to launch other attacks. This should be coupled with employee training and security policies that discourage staff from using their work email to access third-party sites or from storing sensitive personal material on work devices – but which also give them a safe and confidential place to report an incident.

For more details, check out the Barracuda Threat Spotlight blog post.