SANS ISC: Do Extortionists Get Paid?

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Online extortion, may it be ransomware like cryptolocker, or extorting people with damaging data like Ashley Madision, is certainly one way criminals try to use to make a living. Many of these attempts go unreported, and I expect that they are also often ignored by the individuals receiving these emails. As an example, one of our readers sent us an Ashley Madison extortion attempt.

The individual forwarding us the extortion emails received multiple e-mails. All appear to originate from the same group. The "From:" addresses for all of the emails use the ".xyz" top level domain and similar subject lines as well as bodies.

Interestingly, the amount being extorted varies from e-mail to e-mail between 1 BTC and 5 BTC. The e-mails note two different Bitcoin addresses. For Bitcoin transactions, it is pretty easy to figure out how many Bitcoins were transferred to any particular address. All transactions are registered in the blockchain, and sites like blockchain.info allow you to search the blockchain for a particular transaction. In this case, it certainly looks like the miscreant was paid. One of the addresses received two transactions of 1 BTC each, and the other one a total of 9 BTCs in several transactions ranging from 1 to 3 BTC.

So the short lesson: crime pays. If we assume that all these transactions are due to these extortion emails (and the amounts match what was asked for), then these emails made at least 11 BTC or $2,700 . It is likely that this individual or group uses multiple bitcoin addresses. Sadly, the victim in this case paid for nothing. Since the data is already public, many others could follow with similar extortion requests.

In this particular case, the attacker makes the threat more "real" but claiming that they found the victim's Facebook page and they threaten to share the information with the victim's Facebook friends and possibly employer. They then advice the victim to change the Facebook privacy settings to prevent others from doing the same.

Here is the full text of the e-mail (I removed the bitcoin address as it may link to the person forwarding us the e-mail):

From: "Laura" <....@......xyz>
Subject: You got.... busted

Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.

If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 1 bitcoin to the following BTC address.

Bitcoin Address:
?????????

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you dont pay) to stop any future emails like this.

You can buy bitcoin using online exchanges easily. If the bitcoin is not paid within 3 days then my system will automatically message all of your friends and family members. The bitcoin address is unique to you.

Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?

Sincerely,
Laura

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn