News

Years-old Botnet Used to Send Tens of Millions of Sextortion Emails

Giulio Saggin
Tuesday, 28 November 2023

'Sextortion' emails are a lucrative means of income for cyber criminals, and they are gaining in popularity. In 2018, the FBI IC3 (Internet Crime Complaint Center) saw a 242% increase in extortion-related complaints from 2017. Of these, states the FBI, "the majority of extortion complaints were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid." The losses from these extortion/sextortion complaints totalled US$83 million.

Researchers at Check Point have uncovered a botnet that acts as a 'messenger' and sends sextortion emails to victims, millions at a time, via thousands of infected computers. The botnet - Phorpiex (aka Trik) - isn't new and has been active for the better part of a decade. During this time it has distributed other malware as a means of monetising itself and used its hosts to mine cryptocurrency. Now it's turned its attention to sextortion.

In the five months Check Point has been monitoring Phorpiex, it made around $22,000 a month. This is peanuts compared to other cyber crime activity, but it's not bad for "a low maintenance operation requiring only a large credentials list and the occasional wallet replacement."

The sextortion chain of events begins when Phorpiex uses a spam bot to download a database of email addresses from a command & control server. "The downloaded database is a text file which contains up to 20,000 email addresses," said the researchers. "In various campaigns, we observed between 325 and 1363 email databases on a C&C server. Therefore, one spam campaign covers up to 27 million potential victims."

Some of the more recent sextortion emails have even included passwords. "The most interesting feature of the last spam campaigns is that the Phorpiex/Trik spam bot uses databases with leaked passwords in combination with email addresses. A victim's password is usually included in the email message; this exacerbates the threat by showing that the password is known to the attacker. For further shock value, the message starts with a string that contains the password."

The researchers were able to estimate that around 150 victims paid the extortion demand during the time Check Point monitored Phorpiex. While this number is low considering the number of emails sent, it showed that Phorpiex, which operates in excess of half a million infected hosts, has "found a way to use them to generate easy income on a long term basis."
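The two traits the researchers describe - a message that opens with a string containing the recipient's leaked password, and a demand to pay into a cryptocurrency wallet - are also what a mail filter can key on. The following Python triage script is an added example written for this article, not Check Point's tooling or any Phorpiex artefact: it assumes the organisation already holds SHA-256 digests of each user's known-breached passwords (the `KNOWN_BREACHED_HASHES` map, the `alice@example.com` entry and both sample messages are constructed, and the wallet string is a placeholder), hashes every token on the first line of an inbound message, and combines that with an extortion-vocabulary check and a Bitcoin-address pattern into a score.

```python
import hashlib
import re

# Constructed sample data: the recipient's previously breached passwords, kept
# only as SHA-256 digests so the filter never stores plaintext credentials.
KNOWN_BREACHED_HASHES = {
    "alice@example.com": {hashlib.sha256(b"Summer2017").hexdigest()},
}

# Indicator vocabulary drawn from the campaign described in the article
# (constructed list; tune it to what your own mail flow shows).
EXTORTION_TERMS = re.compile(
    r"\b(bitcoin|btc|wallet|webcam|video|pay|ransom|hours|contacts)\b",
    re.IGNORECASE)
# Loose shape of a Bitcoin address; no checksum validation, good enough for triage.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")


def leading_password_match(recipient, body):
    """True if a token on the message's first line hashes to one of the
    recipient's known-breached passwords (the campaign opens with the password)."""
    lines = body.strip().splitlines()
    if not lines:
        return False
    hashes = KNOWN_BREACHED_HASHES.get(recipient, set())
    for token in lines[0].split():
        # Try the raw token and the token with surrounding punctuation removed.
        for candidate in (token, token.strip(",.:;!?\"'()[]")):
            if hashlib.sha256(candidate.encode()).hexdigest() in hashes:
                return True
    return False


def score_message(recipient, body):
    """Return (score, reasons): leaked password 4, >=3 extortion terms 2, BTC address 2."""
    score, reasons = 0, []
    if leading_password_match(recipient, body):
        score += 4
        reasons.append("first line contains a known-breached password")
    terms = {m.lower() for m in EXTORTION_TERMS.findall(body)}
    if len(terms) >= 3:
        score += 2
        reasons.append("extortion vocabulary: " + ", ".join(sorted(terms)))
    if BTC_ADDRESS.search(body):
        score += 2
        reasons.append("bitcoin address present")
    return score, reasons


def classify(recipient, body, threshold=4):
    """A leaked password on the first line is enough on its own to flag the message."""
    score, _ = score_message(recipient, body)
    return "sextortion" if score >= threshold else "ok"


# Constructed sample messages; the wallet is a placeholder, not a real address.
SEXTORTION_SAMPLE = (
    "Summer2017 is one of your passwords.\n"
    "I have a video of you recorded through your webcam. Pay 0.1 bitcoin to the "
    "wallet bc1qplaceholderconstructedaddress00000000 within 48 hours or I send it "
    "to all your contacts."
)
BENIGN_SAMPLE = (
    "Hi Alice,\n"
    "Attached is the video from the product demo. Pay attention to slide 3."
)

if __name__ == "__main__":
    for label, msg in (("sextortion", SEXTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict = classify("alice@example.com", msg)
        print(label, verdict, score_message("alice@example.com", msg))
```

The password check carries the most weight because it is the one signal a legitimate sender cannot produce by accident; the vocabulary and wallet checks alone should not block mail, since a colleague sharing a demo video can trip two of those terms. Holding unsalted SHA-256 digests of breached passwords is a convenience for this example: a filter that must hold such a list should at least restrict access to it, and a k-anonymity style lookup against an external breach service avoids storing the digests locally at all. A hit is also a reason to force a password rotation for that user, independent of whether the email is delivered.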
