
SANS ISC Internet Storm Center


Do Extortionists Get Paid?

Published: 2015-10-07
Last Updated: 2015-10-07 15:36:31 UTC
by Johannes Ullrich (Version: 1)

Online extortion, be it ransomware like CryptoLocker or extorting people with damaging data like Ashley Madison, is certainly one way criminals try to make a living. Many of these attempts go unreported, and I expect that they are also often ignored by the individuals receiving these emails. As an example, one of our readers sent us an Ashley Madison extortion attempt.

The individual forwarding us the extortion emails received multiple e-mails. All appear to originate from the same group. The "From:" addresses of all the emails use the ".xyz" top-level domain, and the emails share similar subject lines and bodies.

Interestingly, the amount being extorted varies from e-mail to e-mail between 1 BTC and 5 BTC. The e-mails note two different Bitcoin addresses. For Bitcoin transactions, it is pretty easy to figure out how many Bitcoins were transferred to any particular address. All transactions are registered in the blockchain, and sites like allow you to search the blockchain for a particular transaction. In this case, it certainly looks like the miscreant was paid. One of the addresses received two transactions of 1 BTC each, and the other one a total of 9 BTCs in several transactions ranging from 1 to 3 BTC.
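The tally described above can be scripted once the transactions for the watched addresses have been exported from a block explorer. The following is an added example, not part of the original diary: the addresses are placeholders (the diary withheld the real ones), and the record layout and sample transactions are constructed for illustration.

```python
from collections import defaultdict

SATOSHI = 100_000_000  # 1 BTC in satoshis; integer math avoids float rounding

# Placeholders: the diary does not publish the real addresses.
ADDR_A = "ADDRESS_A_PLACEHOLDER"
ADDR_B = "ADDRESS_B_PLACEHOLDER"

# Constructed sample data in a hypothetical explorer-export layout.
# The 3+3+2+1 split for address B is an assumption; the diary only says
# "several transactions ranging from 1 to 3 BTC" totalling 9 BTC.
SAMPLE_TXS = [
    {"txid": "tx1", "outputs": [(ADDR_A, 1 * SATOSHI), ("CHANGE_1", 37_000_000)]},
    {"txid": "tx2", "outputs": [("CHANGE_2", 5_000_000), (ADDR_A, 1 * SATOSHI)]},
    {"txid": "tx3", "outputs": [(ADDR_B, 3 * SATOSHI)]},
    {"txid": "tx4", "outputs": [(ADDR_B, 3 * SATOSHI), ("CHANGE_3", 120_000)]},
    {"txid": "tx5", "outputs": [(ADDR_B, 2 * SATOSHI)]},
    {"txid": "tx6", "outputs": [(ADDR_B, 1 * SATOSHI)]},
    {"txid": "tx7", "outputs": [("UNRELATED", 4 * SATOSHI)]},  # not watched
]


def tally(txs, watched, demand_btc=range(1, 6)):
    """Sum what each watched address received and flag payments whose
    amount is not one of the demanded whole-BTC values (1 to 5 BTC)."""
    demanded = {n * SATOSHI for n in demand_btc}
    report = {a: {"payments": [], "total": 0, "off_demand": []} for a in watched}
    for tx in txs:
        received = defaultdict(int)
        for addr, value in tx["outputs"]:
            if addr in report:  # skip change and unrelated outputs
                received[addr] += value  # one tx may pay via several outputs
        for addr, value in received.items():
            entry = report[addr]
            entry["payments"].append(value)
            entry["total"] += value
            if value not in demanded:
                entry["off_demand"].append(tx["txid"])
    return report


if __name__ == "__main__":
    result = tally(SAMPLE_TXS, [ADDR_A, ADDR_B])
    for addr, entry in result.items():
        print(addr, len(entry["payments"]), "payments,",
              entry["total"] / SATOSHI, "BTC, off-demand:", entry["off_demand"])
    print("total:", sum(e["total"] for e in result.values()) / SATOSHI, "BTC")
```

Payments listed under `off_demand` do not match any demanded amount and are weaker evidence that the address was funded by the extortion emails.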

So the short lesson: crime pays. If we assume that all these transactions are due to these extortion emails (and the amounts match what was asked for), then these emails made at least 11 BTC, or $2,700. It is likely that this individual or group uses multiple Bitcoin addresses. Sadly, the victim in this case paid for nothing. Since the data is already public, many others could follow with similar extortion requests.

In this particular case, the attacker makes the threat more "real" by claiming that they found the victim's Facebook page, and they threaten to share the information with the victim's Facebook friends and possibly employer. They then advise the victim to change the Facebook privacy settings to prevent others from doing the same.

Here is the full text of the e-mail (I removed the bitcoin address as it may link to the person forwarding us the e-mail):

From: "Laura" <>
Subject: You got.... busted

Unfortunately your data was leaked in the recent hacking of Ashley Madison and I know have your information. I have also used your user profile to find your Facebook page, using this I can now message all of your friends and family members.

If you would like to prevent me from sharing this dirt info with all of your friends and family members (and perhaps even your employers too?) then you need to send 1 bitcoin to the following BTC address.

Bitcoin Address:

You may be wondering why should you and what will prevent other people from doing the same, in short you now know to change your privacy settings in Facebook so no one can view your friends/family list. So go ahead and update that now (I have a copy if you dont pay) to stop any future emails like this.

You can buy bitcoin using online exchanges easily. If the bitcoin is not paid within 3 days then my system will automatically message all of your friends and family members. The bitcoin address is unique to you.

Consider how expensive a divorce lawyer is. If you are no longer in a committed relationship then think about how this will affect your social standing amongst family and friends. What will your friends and family think about you?



Johannes B. Ullrich, Ph.D.
