We live in the age of extortion. Ever since cybercriminals discovered that extortion is an effective method of monetizing cyber attacks, the news has been filled with ransomware incidents and cases where victimized companies had to pay up to prevent stolen data from being leaked. Extortion is far from a new technique in cybercrime: cases where attackers threatened victims with DDoS attacks unless they paid a ransom predate even the Dark Web itself. In recent years, however, it has moved from a niche monetization method to a widespread tactic. The popularity of extortion has reached such a point that even threat actors who are not sophisticated enough to execute a successful cyber attack are getting into the action.
Much like criminals in the “real world”, cybercriminals differ from one another. They vary in sophistication, from elite masterminds who execute multimillion-dollar heists to bottom-feeding nickel-and-dime scammers. One tactic used by cybercriminals of all sophistication levels is social engineering. In sophisticated attacks it plays a supporting part, for example in getting an employee to open a malware-laden document, a stepping stone to gaining access to an organization’s internal networks. In the case of unsophisticated fraudsters, on the other hand, social engineering is the attack itself: well-crafted scam letters fool the victim into sending the scammers money. 419 scams (also known as Nigerian scams) and romance scams are such examples.
Interestingly, those criminals who are not sophisticated enough to pull off an attack don’t let that fact stop them whenever possible. Take Business E-mail Compromise (BEC) fraud, for example. As the name suggests, the attack involves an attacker gaining access to an employee’s mailbox, then sending on their behalf a fraudulent request to the CFO, the accounts payable team or even a customer, to wire money to the attacker’s account, under the ruse that the payment is made to fulfil an invoice. As the request is sent from a legitimate employee’s account, the success rate for this attack is surprisingly high. Unsophisticated attackers skip the whole part of compromising an account and simply send the request from a different (but similar-looking) domain which they have registered, or in even less sophisticated cases directly from a free Gmail or Yahoo account. The success rate is lower, but still high enough to justify this form of attack. Now, similar activity is observed when it comes to extortion.
Unsophisticated criminals are sending extortion letters, not only without executing on their threat, but without any basis for their claims in the first place. In one case, an individual received an extortion letter claiming that they had been infected by ransomware and that if they did not pay the ransom, they would never regain access to the encrypted files. While this sounds like a run-of-the-mill ransomware incident, the computer was never infected by malware and the files were never encrypted. Nevertheless, the letter caused real concern for the recipient, who was contemplating paying the ransom. The fraudsters were banking on the prevalence of ransomware incidents, and the fear they generate, to social engineer the victim into paying them money.
Another incident involved a different type of extortion. An individual received a ransom note saying that their computer had been infected by malware which recorded them through the webcam in private and sensitive situations while watching porn. As in the previous case, these claims were unfounded, but the fraudsters were banking on recent real incidents to social engineer the victim and scare them into paying. Interestingly, to prove to the victim that their claim of having infected the computer with malware was legitimate, they included one of the recipient’s clear-text passwords. The password, supposedly captured by the malware, had actually been obtained from an unrelated public database leak of a hacked website.
The reality is that, as these scammers have joined the extortion game, it is now quite possible to receive ransom demands that are technically unfounded. While the victims of the aforementioned incidents were individuals, criminals target companies as well, as can be seen in the BEC fraud cases. It is also important to note that, to increase the success rate of their social engineering attempts, fraudsters will present any “evidence” they can come across to support their claims. Employee passwords that are publicly available through database dumps of websites, as well as internal documents that were accidentally made public and can be found in various sources using OSINT, can be used to “prove” their claims.
At the end of the day, ransom demands based on unfounded claims are scams, much like the Nigerian scam or BEC fraud, that play on the fear of cyber attacks. While organizations face the threat of real attacks, they should also be aware that they face the threat of bogus ones. Any extortion claim made by criminals, even one accompanied by “evidence”, should be examined closely so as not to fall prey to this kind of scammer.
Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder (intelfinder.io). He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA Security.