{"id":16141,"date":"2019-08-22T08:10:05","date_gmt":"2019-08-22T16:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/22\/news-9884\/"},"modified":"2019-08-22T08:10:05","modified_gmt":"2019-08-22T16:10:05","slug":"news-9884","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/08\/22\/news-9884\/","title":{"rendered":"The lucrative business of Bitcoin sextortion scams"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Thu, 22 Aug 2019 15:00:00 +0000<\/strong><\/p>\n

After a quiet period following a surge in late 2018 to early 2019<\/a>, the online blackmail scheme known as sextortion scams<\/a> are back on the radar and on the uptick<\/a>.<\/p>\n

According to a report from Digital Shadows<\/a>, a leading UK-based cybersecurity company that monitors potential threats against businesses, there are several resources available to embolden novice criminals to a life of extortion. These resources include: access to credentials leaked from past breaches, tools and technologies that aid in creating campaigns, training from online extortionists, and a trove of DIY extortion guides that exist on the dark web. <\/p>\n

The report also finds that these fledgling extortionists and accomplices are incentivized with high salaries if they are able to hook high-earning targets, such as doctors, lawyers, or company executives\u2014information that can be gleaned by scouring LinkedIn profiles or other social media accounts.<\/p>\n

With a number of creative ways to wring money out of Internet users, the high potential of a hefty payout, and many helping hands from professional criminals, we shouldn\u2019t expect online sextortion scams to stop (permanently) any time soon. Just ask the Nigerian Prince<\/a> how well his retirement is going.<\/p>\n

To look at what motivates threat actors to adopt sextortion scams as part of their criminal repertoire, we did what all good detectives do when trying to break open a case: We followed the money. Find out what we discovered on the trail begun by a single sextortion campaign.<\/p>\n

The spam<\/h3>\n

We were able to determine several Bitcoin sextortion schemes being implemented in the wild, but for this post, we looked at its most common distribution form: email spam.<\/p>\n

\"\"<\/a>
The sextortion email, with its message embedded as an image file\u2014a common tactic to avoid spam filters.<\/figcaption><\/figure>\n

The full text of this email reads:<\/p>\n

\n

Hi, this account is now hacked! Change your password right now!<\/em>
You do not heard about me and you may not be most likely surprised for what reason you are reading this letter, is it right?<\/em>
I\u2019mhacker who crackedyour email boxand devicesnot so long ago.<\/em>
You should not make an attempt to contact me or try to find me, it\u2019s hopeless, since I sent you this message using YOUR account that I\u2019ve hacked.<\/em>
I set up special program on the adult videos (porn) site and guess that you enjoyed this site to have a good time (you understand what I mean).<\/em>
When you have been taking a look at vids, your internet browser started out to act like a RDP (Remote Control) that have a keylogger that granted me ability to access your desktop and web camera.<\/em>
Consequently, my softwareobtainedall info.<\/em>
You have typed passwords on the online resources you visited, I already caught them.<\/em>
Of course, you could possibly change them, or perhaps already changed them.<\/em>
But it doesn\u2019t matter, my malware updates needed data every time.<\/em>
What actually I have done?<\/em>
I generated a backup of your every system. Of all files and personal contacts.<\/em>
I formed a dual-screen video recording. The first screen demonstrates the film you were watching (you\u2019ve got a very good taste, haha\u2026), and the 2nd screen shows the movie from your webcam.<\/em>
What should you do?<\/em>
Great, in my opinion, 1000 USD will be a reasonable price for your little secret. You\u2019ll make your deposit by bitcoins (if you don\u2019t recognize this, search \u201chow to purchase bitcoin\u201d in Google).<\/em>
My bitcoin wallet address:<\/em>
163qcNngcPxk7njkBGU3GGtxdhi74ycqzk<\/em>
(It is cAsE sensitive, so just copy and paste it).<\/em>
Warning:<\/em>
You have 2 days to perform the payment. (I have an exclusive pixel to this e-mail, and right now I understand that you\u2019ve read this email).<\/em>
To monitorthe reading of a letterhead the actionsin it, I installeda Facebook pixel. Thanks to them. (Anything thatis usedfor the authorities may helpus.)<\/em>
 <\/em>
In the event I do not get bitcoins, I shall undoubtedly offer your video files to each of your contacts, including relatives, colleagues, etcetera?<\/em> <\/p>\n<\/blockquote>\n

There are many variations of this spam content, but they all follow a similar template: We’ve hacked your account, we have video proof of you visiting porn sites and watching sexual content, and we now demand payment or we’ll release the video of you to the public. In fact, Cisco\u2019s Talos Security Intelligence & Research Group was able to retrieve an email spam template<\/a>, which they said the extortionists mistakenly sent out to their targets.<\/p>\n

The Electronic Frontier Foundation (EFF)<\/a> also keeps an updated record of variants of Bitcoin sextortion messages that you can look up in this blog post<\/a>.<\/p>\n

As we followed the money in this investigation, the only relevant piece of information we needed from the sextortion email was the Bitcoin address, which in this case is 163qcNngcPxk7njkBGU3GGtxdhi74ycqzk<\/em>. This is our starting point.<\/p>\n

The investigation<\/h3>\n

To better understand the next steps in our investigation, readers should first grasp the basics of how cryptocurrency<\/a> and the blockchain work.<\/a><\/p>\n

Paper money and coins are to the real, material world as digital currency is to the online, electronic world.<\/p>\n

Bitcoin is one of thousands of digital currencies available online to date. Specifically, it is a virtual currency\u2014because it is controlled by its creators and used and embraced by a virtual community\u2014and at the same time a cryptocurrency\u2014because it uses strong encryption algorithms and cryptographic schemes to ensure its resistant to forgery and cryptanalysis.<\/p>\n

The blockchain, as the name suggests, is a collection of data blocks that are linked together to form a chain. This system, commonly likened to a ledger, is used by several cryptocurrencies\u2014Bitcoin is one of them. Each block in a chain contains information on multiple transactions. And each transaction has a transaction ID, or TXID. Because of the way cryptocurrency wallets and sites record Bitcoin inputs to addresses, a single TXID may contain multiple entries in its record.<\/p>\n

While real-world ledgers are private and exclusive only to organizations and individuals that keep financial records, the blockchain Bitcoin operates in is not. This makes it easy for anyone, including security researchers, to look up cryptocurrency transactions online using publicly available tools, such as a block explorer.<\/p>\n

In a Bitcoin block, transaction information includes the sender and receiver\u2014all identified by Bitcoin addresses\u2014and the amount paid in Bitcoin.<\/p>\n

Keep these concepts in mind as we go back to the sextortion campaign at hand and navigate the trenches of Bitcoin transactions.<\/p>\n

Going with the (Bitcoin through the blockchain) flow<\/h3>\n

The Bitcoin address in our sextortion email, 163qcNngcPxk7njkBGU3GGtxdhi74ycqzk<\/em>, actually has a small transaction history.<\/p>\n

\"\"
The brief transaction history of 163qcNngcPxk7njkBGU3GGtxdhi74ycqzk <\/figcaption><\/figure>\n

However, we were able to take a closer look at these transactions and uncover additional addresses, giving us further insight into this particular campaign.<\/p>\n

According to TXID 94c86a55bb3081312d6020e67202e8c93a43d897f4a289cc655c0e9e6d9e31b4<\/em>, the balance of 0.25924622 BTC was sent to another Bitcoin address, 3HXdb3HAw1wVzU9b7ZSigvGaStd8KoZ3zJ<\/em> on March 13, 2019. During that time, this BTC value was worth approximately US$1,000, which is the amount demanded in the ransom email.<\/p>\n

\"\"<\/figure>\n

This TXID also contains 23 additional inputs from other Bitcoin addresses, which are likely also under the control of the same actor(s) behind the sextortion campaign, to 3HXdb3HAw1wVzU9b7ZSigvGaStd8KoZ3zJ<\/em>. Naturally, all BTC values from these inputs were combined, totaling 4.16039634 BTC (approximately US$16,100 at time of investigation).<\/p>\n

\"\"
2<\/em>The 24 total inputs from other Bitcoin addresses in one TXID. Notice that most input values are similar to the ransom demand actors extorted from targets.<\/figcaption><\/figure>\n

Looking closely at 3HXdb3HAw1wVzU9b7ZSigvGaStd8KoZ3zJ<\/em>, we found it has 11 other transactions that follow a similar pattern to from the transaction we just reviewed.<\/em><\/p>\n

\"\"
3HXdb3HAw1wVzU9b7ZSigvGaStd8KoZ3zJ and its transaction history. Highlighted here is the aforementioned TXID 94c86a55bb3081312d6020e67202e8c93a43d897f4a289cc655c0e9e6d9e31b4. <\/figcaption><\/figure>\n

We can confirm that that each of these transactions contains extorted funds. Take, for example, TXID b8ae16d604947f67d2b27774e6cfa7afcdb7ede651bdd539b5a5dc555be302aa<\/em>:<\/p>\n

\"\"
Inputs within TXID b8ae16d604947f67d2b27774e6cfa7afcdb7ede651bdd539b5a5dc555be302aa <\/figcaption><\/figure>\n

All Bitcoin addresses in this TXID have been reported as associated with criminal activity on Bitcoin-Spam<\/a>, a public database of crypto-addresses used by hackers and criminals. Here are links to their respective scam reports and the amount of money they received based on the Bitcoin price as of this writing:<\/p>\n