Extortion attacks, which are an increasingly common form of email scams, threaten the victim with compromising information, such as an embarrassing photo, and request payment in a cryptocurrency to prevent the information from being released. Attackers often purchase victims’ login credentials or find them through data breaches to “prove” that their threat is legitimate.
To get a better understanding of the financial infrastructure attackers use in extortion emails, Barracuda recently teamed up with researchers from Columbia to analyze over 300,000 emails that Barracuda Networks’ AI-based detectors flagged as extortion attacks over a one-year period.
We found that a relatively small number of attackers are responsible for the vast majority of extortion emails: the top 10 bitcoin addresses appear in about 30% of emails, and the top 100 addresses appear in about 80% of emails.
We also found that the amount of money requested in extortion attacks remains low, with 25% of emails asking for an amount less than $1,000 and over 90% of extortion emails asking for an amount less than $2,000.
Here’s a closer look at the currency used in these attacks, the ways attackers are using bitcoin addresses, the volume of attacks they’re sending, and the amount of money being requested.
Cryptocurrencies used by extortion attackers
In our dataset, the only cryptocurrency used by attackers is bitcoin. We could not find any examples of attackers using other cryptocurrencies, including ethereum, litecoin, and monero. There are several probable reasons why attackers would use bitcoin as a ransom payment method. Bitcoin is largely anonymous: transactions are tied to wallet addresses, and anyone can generate as many wallet addresses as they would like.
Additionally, the infrastructure surrounding bitcoin is well developed, which makes it easy for victims to buy bitcoin and for attackers to further anonymize their activity using “mixers,” services designed to obscure transaction histories by randomly combining and splitting bitcoin from numerous wallets. Lastly, because the blockchain is public, it is easy to verify whether a victim has paid, removing some of the issues that come with traditional transactions.
Bitcoin address analysis
Even though bitcoin is anonymous, we can still learn some very interesting properties about the attackers and their behavior by analyzing the bitcoin addresses attackers use when they send their extortion emails. For example, if we see the same address being used across multiple attack emails received by Barracuda users, we can tell it belongs to the same attacker (or attacker group), even though we can’t tell who the attacker is.
To do such an analysis, we grouped all the extortion emails in our dataset by the bitcoin addresses in them and counted the number of unique addresses and the number of emails that a certain address appears in.
We found that indeed the attacks are concentrated within a small number of bitcoin addresses. There are in total around 3,000 unique bitcoin addresses in our dataset, of which the top 10 addresses appear in about 30% of emails, and the top 100 addresses appear in about 80% of emails.
We can therefore deduce that a relatively small number of attackers are responsible for the vast majority of extortion emails. This gives us hope, because if these attackers can be stopped, or their methods can be effectively blocked, a large proportion of this email threat can be neutralized.
Cross-analyzing bitcoin addresses with email senders
Another important piece of information we can use to attribute particular emails to specific attackers is the email header fields themselves. For example, we can use the “sender” field of each email as a proxy for the attacker. While a single attacker can easily send emails from different email accounts, we do know that if we receive multiple emails from the same sender, they belong to the same attacker.
So, we grouped the emails by the email “sender” field and counted the number of emails that each “sender” sends, as well as the number of unique bitcoin addresses each sender uses in their emails. For a clear visualization of the analysis, we broke down the graphs by the number of emails that a sender sends.
There are several interesting takeaways from this analysis. First, across all senders, the vast majority use the same bitcoin address when sending their attacks. This is true for senders that send a large number of emails and even more so for those that send small quantities. Second, out of 120,000 unique senders in the entire dataset, fewer than 3,000 senders sent out more than 10 emails. Only 8 senders sent out more than 500 emails.
We conclude that attackers are somewhat lazy in obfuscating their identity and, in the vast majority of cases, seem to use the same bitcoin address for these scams. Once again, this leaves us somewhat optimistic because it leaves the possibility that this relatively small number of bitcoin addresses (and attackers) can be tracked down by law enforcement.
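The two groupings described above (emails grouped by the bitcoin address they contain, then senders profiled by how many emails they send and how many distinct addresses they use) can be reproduced on a small scale with the following Python script. This is an added example, not the analysis code used by Barracuda or the Columbia researchers. The address pattern, the placeholder wallet strings and the sample emails are all constructed for the illustration, and the extractor is purely syntactic (no checksum validation), so it finds candidates for grouping rather than proving an address is valid.

```python
import re
from collections import Counter, defaultdict

# Syntactic matcher for legacy base58 (1.../3...) and bech32 (bc1...) addresses.
# No checksum check: this finds candidates for grouping, it does not validate wallets.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qp][a-z0-9]{38,58})\b"
)

# Constructed placeholder addresses: right alphabet and length, deliberately not real wallets.
ADDR_A = "1FakeAddrA" + "x" * 24
ADDR_B = "3FakeAddrB" + "y" * 24
ADDR_C = "bc1qfakeaddrc" + "q" * 29


def _body(addr, usd):
    return f"Send {usd} USD to my bitcoin wallet {addr} within 48 hours."


# Constructed dataset of (sender, body) pairs: s1 and s2 reuse one address each,
# s3 rotates between two, and s6 sends a message with no wallet at all.
SAMPLE_EMAILS = (
    [("s1@example.net", _body(ADDR_A, 900)) for _ in range(5)]
    + [("s2@example.net", _body(ADDR_B, 1200)) for _ in range(3)]
    + [("s3@example.net", _body(ADDR_A, 700)), ("s3@example.net", _body(ADDR_C, 700))]
    + [("s4@example.net", _body(ADDR_B, 1500)), ("s5@example.net", _body(ADDR_C, 500))]
    + [("s6@example.net", "Reminder: your invoice is attached.")]
)


def extract_addresses(text):
    """Distinct candidate bitcoin addresses in text, in order of appearance."""
    found = []
    for m in BTC_ADDR_RE.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def extract_dataset(emails):
    """Keep only emails with at least one address, as [(sender, {addresses})]."""
    rows = []
    for sender, body in emails:
        addrs = set(extract_addresses(body))
        if addrs:
            rows.append((sender, addrs))
    return rows


def address_counts(rows):
    """Number of emails each address appears in (one count per email)."""
    counts = Counter()
    for _sender, addrs in rows:
        counts.update(addrs)
    return counts


def top_k_coverage(rows, k):
    """Fraction of address-bearing emails that contain at least one of the k
    most frequent addresses (the 'top 10 / top 100' figures in the post)."""
    if not rows:
        return 0.0
    top = {addr for addr, _n in address_counts(rows).most_common(k)}
    covered = sum(1 for _sender, addrs in rows if addrs & top)
    return covered / len(rows)


def sender_profiles(rows):
    """Per sender: (number of emails sent, number of distinct addresses used)."""
    emails_per = Counter()
    addrs_per = defaultdict(set)
    for sender, addrs in rows:
        emails_per[sender] += 1
        addrs_per[sender] |= addrs
    return {s: (emails_per[s], len(addrs_per[s])) for s in emails_per}


def sender_summary(profiles, min_emails=1):
    """Among senders with at least min_emails messages: (number of such senders,
    fraction that reused a single address across all their emails)."""
    eligible = [(n, a) for n, a in profiles.values() if n >= min_emails]
    if not eligible:
        return 0, 0.0
    single = sum(1 for _n, a in eligible if a == 1)
    return len(eligible), single / len(eligible)


if __name__ == "__main__":
    rows = extract_dataset(SAMPLE_EMAILS)
    print(f"{len(rows)} emails with an address, "
          f"{len(address_counts(rows))} unique addresses")
    for k in (1, 2):
        print(f"top {k} address(es) cover {top_k_coverage(rows, k):.0%} of emails")
    n, single = sender_summary(sender_profiles(rows), min_emails=2)
    print(f"{n} senders with 2+ emails; {single:.0%} reuse a single address")
```

Coverage is computed per email (an email containing two of the top addresses is counted once), which is what "the top 10 addresses appear in about 30% of emails" measures; summing raw address counts would overstate coverage whenever one email lists several wallets.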
How much money do attackers ask for?
In order to better understand attacker behavior, we wanted to understand how much money extortion attackers ask for and how consistent the amount is across our dataset. To get the amount of money asked for in the email bodies, we extracted various money notations, such as $, usd, us dollar, euro, €, GBP, £, etc.
Out of the 200,000 emails from which we can extract bitcoin addresses, 97% ask for U.S. dollars, 2.4% ask for euros, and the remaining 0.6% ask for British pounds sterling, Canadian dollars, bitcoin, etc. For comparison, any extracted amount that is not in USD is converted to its equivalent U.S. dollar value on the day the email was sent.
Below is the cumulative distribution function of the requested amounts. The results are interesting:
- Almost all attackers ask for between $400 and $5,000
- 25% of emails ask for an amount less than $1,000
- Over 90% of extortion emails ask for an amount less than $2,000
- Attackers most typically ask for money ranging from $500 to $2,000
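As an added example (not the authors' extraction code), the following Python script implements the amount-extraction step described above: it recognises the currency notations the post lists (symbols, ISO codes and spelled-out names, before or after the number), normalises each demand to USD, and computes the empirical CDF and percentiles that the bullet points summarise. The pattern list, the sample bodies and the exchange-rate table are assumptions made for the example; a production version would fetch the rate for each email's send date rather than use a fixed table.

```python
import re

# Number with optional thousands separators and decimals, captured as 'amt'.
NUM = r"(?P<amt>(?:\d{1,3}(?:,\d{3})+|\d+)(?:\.\d+)?)"

# (currency, pattern) pairs for the notations the post mentions.
PATTERNS = [
    ("USD", rf"\$\s?{NUM}"),
    ("USD", rf"{NUM}\s?(?:usd|us\s+dollars?|dollars?)\b"),
    ("EUR", rf"€\s?{NUM}"),
    ("EUR", rf"{NUM}\s?(?:eur|euros?)\b"),
    ("GBP", rf"£\s?{NUM}"),
    ("GBP", rf"{NUM}\s?(?:gbp|pounds?(?:\s+sterling)?)\b"),
    ("CAD", rf"(?:cad|c\$)\s?{NUM}"),
    ("CAD", rf"{NUM}\s?(?:cad|canadian\s+dollars?)\b"),
    ("BTC", rf"{NUM}\s?(?:btc|bitcoins?)\b"),
]
COMPILED = [(cur, re.compile(pat, re.IGNORECASE)) for cur, pat in PATTERNS]

# Constructed exchange rates (assumption). A real pipeline looks up the rate
# for the day each email was sent, as the post describes.
RATES_TO_USD = {"USD": 1.0, "EUR": 1.10, "GBP": 1.25, "CAD": 0.75, "BTC": 30000.0}

# Constructed email bodies; the last one carries no demand and must be skipped.
SAMPLE_BODIES = [
    "Transfer $500 to the wallet below within 48 hours.",
    "Pay $1,000 within 24 hours or the recording is sent to your contacts.",
    "Send 1500 USD to the address below.",
    "I want €900 in bitcoin.",
    "You must pay 800 GBP.",
    "Send me 2,000 US dollars.",
    "Transfer 0.05 BTC to my wallet.",
    "The price of my silence is 1200 dollars.",
    "$700 and we forget about this.",
    "Payment: CAD 1,300.",
    "Reminder: your invoice is attached.",
]


def extract_amount(text):
    """First money demand in the text as (currency, value), or None.
    When several notations match, the earliest position in the text wins."""
    best = None
    for cur, rx in COMPILED:
        m = rx.search(text)
        if m and (best is None or m.start() < best[0]):
            best = (m.start(), cur, float(m.group("amt").replace(",", "")))
    return None if best is None else (best[1], best[2])


def to_usd(currency, value, rates=RATES_TO_USD):
    """Convert to USD with the given rate table; None for an unknown currency."""
    rate = rates.get(currency)
    return None if rate is None else round(value * rate, 2)


def usd_demands(bodies, rates=RATES_TO_USD):
    """USD-normalised demand for every body that contains a recognised amount."""
    out = []
    for body in bodies:
        hit = extract_amount(body)
        if hit:
            usd = to_usd(hit[0], hit[1], rates)
            if usd is not None:
                out.append(usd)
    return out


def ecdf(values, x):
    """Empirical CDF: fraction of demands at or below x."""
    return sum(1 for v in values if v <= x) / len(values) if values else 0.0


def percentile(values, p):
    """Nearest-rank percentile for an integer p in 0..100."""
    s = sorted(values)
    idx = max(0, (p * len(s) + 99) // 100 - 1)
    return s[idx]


if __name__ == "__main__":
    demands = usd_demands(SAMPLE_BODIES)
    print(f"{len(demands)} demands extracted from {len(SAMPLE_BODIES)} bodies")
    for p in (25, 50, 90):
        print(f"p{p}: ${percentile(demands, p):,.2f}")
    print(f"share below $1,000: {ecdf(demands, 1000):.0%}")
```

Matching on the earliest position is what keeps a body such as "CAD 1,300" from being read as USD by the bare `$` pattern, and the `\b` on the spelled-out names stops "bitcoins" from matching inside unrelated words; a real corpus will need more notations (and a rejection rule for amounts like "48 hours") than this list carries.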
We speculate that the amount of money attackers ask for is concentrated in a “sweet spot” band: high enough to be substantial for the attacker, but not so high that it:
- Would cause the victim to avoid paying it,
- Would cause the victim to investigate whether the attacker actually has compromising information (they typically do not),
- Would raise alarms with the victim’s bank or tax authorities.
We also suspect that, because the amount of money requested in these attacks is concentrated in a very specific band and the attackers seem to be part of a relatively small group, they are probably adopting “best practices” from each other.
Conclusion
Even though bitcoin offers a relatively anonymous payment system for attackers, we can still glean important information from extortion attacks using the bitcoin addresses (and other information such as the email sender). We conclude that even though extortion is a significant email threat, with millions of malicious emails sent to victims every year, it is caused by a relatively small group of perpetrators (fewer than 100 attackers, and probably an even smaller number than that, assuming attackers use multiple bitcoin addresses). We suspect this small group of attackers uses similar best practices and templates.
These properties lead us to be optimistic about countering this particular email threat. First, we suspect that if law enforcement is able to track down even a small number of these attackers, they can significantly disrupt this threat. Second, since extortion attackers seem to be copying each other and following very similar templates, email security vendors should be able to block a large percentage of these attacks with relatively simple detectors. That has indeed been our experience at Barracuda, where our machine learning detectors have had extremely high precision in catching these types of attacks.
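The post argues that template-following attacks can be caught with relatively simple detectors. As an added example that is not Barracuda's detector (the post does not describe its features), the following Python script scores a message on a handful of constructed signals: a syntactic bitcoin address, a previously observed (placeholder) address, threat vocabulary, a deadline, a payment demand tied to a wallet, and a claim to know the recipient's password. The weights, threshold, signal list and sample messages are all assumptions made for the illustration; the two benign samples (an internal budget note and a password-expiry notice) show why a single signal should not be enough to flag a message.

```python
import re

# Syntactic bitcoin-address matcher (legacy base58 and bech32); no checksum check.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[qp][a-z0-9]{38,58})\b"
)

# Constructed placeholder wallet. A real deployment would seed this set with
# addresses seen in previously confirmed extortion emails, which the post shows
# are reused heavily across campaigns.
KNOWN_ADDRESSES = {"1FakeAddrA" + "x" * 24}

# (signal name, weight, pattern). Weights and the threshold are illustrative, not tuned.
SIGNALS = [
    ("threat", 2, r"\b(?:video|recording|webcam|footage|expose|publish|release|contacts)\b"),
    ("deadline", 1, r"\b\d{1,3}\s*(?:hours?|days?)\b"),
    ("payment_demand", 2, r"\b(?:pay|send|transfer)\b.{0,60}?\b(?:bitcoin|btc|wallet)\b"),
    ("credential_claim", 2, r"\byour (?:password|login|credentials?)\b"),
]
COMPILED = [(name, w, re.compile(p, re.IGNORECASE | re.DOTALL)) for name, w, p in SIGNALS]
ADDRESS_WEIGHT = 3
KNOWN_ADDRESS_WEIGHT = 4
THRESHOLD = 6

# Constructed sample messages as (subject, body): two extortion attempts, three benign.
SAMPLE_MAIL = [
    ("Your account was hacked",
     "I know your password. I recorded you through your webcam. Transfer 900 USD in bitcoin to "
     + "1FakeAddrA" + "x" * 24 + " within 48 hours or the video goes to all your contacts."),
    ("Last warning",
     "Pay $700 to wallet bc1qfakeaddrc" + "q" * 29 + " in 2 days or I release the recording."),
    ("Weekly crypto newsletter", "BTC price rose 5% this week. Unsubscribe any time."),
    ("Budget", "Please transfer the approved budget to the wallet team by Friday."),
    ("IT notice", "Your password will expire in 3 days. Reset it via the IT portal."),
]


def score_email(subject, body, known=KNOWN_ADDRESSES):
    """Return (score, [matched signal names]) for one message."""
    text = f"{subject}\n{body}"
    score, hits = 0, []
    addrs = set(BTC_ADDR_RE.findall(text))
    if addrs:
        score += ADDRESS_WEIGHT
        hits.append("btc_address")
    if addrs & known:
        score += KNOWN_ADDRESS_WEIGHT
        hits.append("known_address")
    for name, weight, rx in COMPILED:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def is_extortion(subject, body, known=KNOWN_ADDRESSES, threshold=THRESHOLD):
    """True when the combined signal weight reaches the (illustrative) threshold."""
    return score_email(subject, body, known)[0] >= threshold


def triage(messages, known=KNOWN_ADDRESSES, threshold=THRESHOLD):
    """Score every (subject, body) pair; returns [(subject, score, flagged, hits)]."""
    out = []
    for subject, body in messages:
        score, hits = score_email(subject, body, known)
        out.append((subject, score, score >= threshold, hits))
    return out


if __name__ == "__main__":
    for subject, score, flagged, hits in triage(SAMPLE_MAIL):
        print(f"{'FLAG ' if flagged else '     '}{score:>2}  {subject:<26} {', '.join(hits)}")
```

The known-address signal is the cheapest high-precision indicator the post's findings suggest: because a small set of wallets accounts for most of the traffic, a hit on an address already seen in confirmed extortion mail is strong evidence on its own, while the remaining signals carry the load for a fresh wallet. The same scoring can back the "proactive investigations" step, run over already-delivered mail rather than at the gateway.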
4 ways to protect against extortion attacks
AI-based protection — Attackers are adapting extortion attacks to bypass email gateways and spam filters, so a good spear-phishing solution that protects against extortion is a must.
Account-takeover protection — Many extortion attacks originate from compromised accounts; be sure scammers aren’t using your organization as a base camp to launch these attacks. Deploy technology that uses artificial intelligence to recognize when accounts have been compromised.
Proactive investigations — Given the embarrassing nature of extortion scams, employees might be less willing than usual to report these attacks. Conduct regular searches on delivered mail to detect emails related to password changes, security alerts, and other content.
Security-awareness training — Educate users about extortion attacks and make it part of your security awareness training program. Ensure your staff can recognize these attacks, understand their fraudulent nature, and feel comfortable reporting them. Use phishing simulation to test the effectiveness of your training and evaluate the users most vulnerable to extortion attacks.
This post originally appeared on Smarter MSP.