Years-old Botnet Used to Send Tens of Millions of Sextortion Emails
'Sextortion' emails are a lucrative means of income for cyber criminals, and they are gaining in popularity.
In 2018, the FBI IC3 (Internet Crime Complaint Center) saw a 242% increase in extortion-related complaints over 2017. Of these, states the FBI, "the majority of extortion complaints were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid." The losses from these extortion/sextortion complaints totalled US$83 million.
Researchers at Check Point have uncovered a botnet that acts as a 'messenger' and sends sextortion emails to victims, millions at a time, via thousands of infected computers.
The botnet - Phorpiex (aka Trik) - isn't new and has been active for the better part of a decade. During this time it has distributed other malware as a means of monetising itself and used its hosts to mine cryptocurrency. Now it's turned its attention to sextortion.
In the five months Check Point has been monitoring Phorpiex, it made around $22,000 a month. This is peanuts compared to other cyber crime activity, but it's not bad for "a low maintenance operation requiring only a large credentials list and the occasional wallet replacement."
The sextortion chain of events begins when Phorpiex uses a spam bot to download a database of email addresses from a command & control server.
"The downloaded database is a text file which contains up to 20,000 email addresses," said the researchers. "In various campaigns, we observed between 325 and 1363 email databases on a C&C server. Therefore, one spam campaign covers up to 27 million potential victims."
Some of the more recent sextortion emails have even included passwords.
"The most interesting feature of the last spam campaigns is that the Phorpiex/Trik spam bot uses databases with leaked passwords in combination with email addresses. A victim’s password is usually included in the email message; this exacerbates the threat by showing that the password is known to the attacker. For further shock value, the message starts with a string that contains the password."
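The detail above (the body opens with a string containing a leaked password, and the operator occasionally swaps the payment wallet) is what a mail-security team can key a detection on. The following is an added example, not code from Check Point or from the Phorpiex operators: it scores constructed sample messages by checking the opening body line against a set of SHA-256 digests of passwords the organisation already knows were breached, and scanning the whole body for anything shaped like a legacy Bitcoin address. The sample messages, the breach list, the address regex and the delimiter handling are all assumptions made for the example.

```python
import hashlib
import re
from email import message_from_string

# Constructed for this example: digests of passwords the organisation already
# knows were exposed in public breaches. Storing only digests keeps the
# plaintext out of the detection rule itself.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("hunter2", "Summer2019!", "letmein")
}

# Assumed heuristic: the shape of a legacy (base58, leading 1 or 3) Bitcoin
# address. The operator rotates the wallet, so match the shape, not a value.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Assumption: some variants glue a separator onto the password ("hunter2:").
TRAILING_DELIMS = ":,;"


def leaked_password_in(line):
    """Return the first whitespace token of `line` whose digest is in the
    leaked set, trying each token as-is and with trailing delimiters removed."""
    for token in line.split():
        for candidate in (token, token.rstrip(TRAILING_DELIMS)):
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if candidate and digest in LEAKED_PASSWORD_HASHES:
                return candidate
    return None


def plain_text_body(msg):
    """Concatenate the text/plain parts of a parsed message (single-part or
    multipart), decoding with the declared charset or UTF-8."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Classify one RFC 822 message. Only the first non-empty body line is
    checked for a credential, mirroring where the bot places it; the whole
    body is scanned for a payment address. The matched password is not echoed
    back, only the fact that one was present."""
    msg = message_from_string(raw_message)
    body = plain_text_body(msg)
    opening = next((ln for ln in body.splitlines() if ln.strip()), "")
    findings = {}
    password_hit = leaked_password_in(opening) is not None
    if password_hit:
        findings["leaked_password_in_opening_line"] = True
    addr = BTC_ADDRESS_RE.search(body)
    if addr:
        findings["bitcoin_address"] = addr.group(0)
    if password_hit and addr:
        findings["verdict"] = "sextortion"
    elif password_hit or addr:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


# Constructed sample messages; the wallet string is not a real address.
SAMPLE_SEXTORTION = """From: nobody@example.invalid
To: victim@example.invalid
Subject: Re: your account

hunter2: I know this is your password, and I have a video of you.
Send 0.1 BTC to 1ExampAddr5KfgH7jQw9rTzXpL3mNb2Aq within 48 hours.
"""

SAMPLE_PASSWORD_ONLY = """From: nobody@example.invalid
To: victim@example.invalid
Subject: Re: your account

Summer2019! that is your password. Pay me or else.
"""

SAMPLE_BENIGN = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Lunch

Are we still on for 12:30? The new place on Main St.
"""

if __name__ == "__main__":
    for name, raw in (("sextortion", SAMPLE_SEXTORTION),
                      ("password-only", SAMPLE_PASSWORD_ONLY),
                      ("benign", SAMPLE_BENIGN)):
        print(name, analyse(raw))
```

A password hit without a wallet address still lands in "suspicious" rather than "clean": the opening-line credential is the stronger signal, and the wallet string is the part the operator changes. In production the digest set would come from the organisation's own breach-notification feed rather than a literal in the rule.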
The researchers were able to estimate that around 150 victims paid the extortion demand during the time Check Point monitored Phorpiex. While this number is low considering the number of emails sent, it showed that Phorpiex, which operates in excess of half a million infected hosts, has "found a way to use them to generate easy income on a long term basis."
. . .