Email Bomb Threat Has Ties to Earlier ‘Sextortion’ Scam

The mass email bomb threat on Thursday that turned out to be a hoax was likely perpetrated by a group of spammers who have also been scamming people with an email ‘sextortion’ scheme, according to Cisco’s Talos security group. Our e-mail server was hit a few times during the past few weeks, and that is the reason we are making this post.

Thursday’s mass email bomb threat has been connected to a group of spammers who’ve also been bombarding inboxes with “sextortion” messages claiming to have recorded people watching porn.

Both email scams have been using the same IP addresses to send out the extortion messages to inboxes across the world, according to Cisco’s Talos security group, which said the spammers have been changing tactics in an effort to scare victims into paying them Bitcoin.

“The criminals conducting these extortion email attacks have demonstrated that they are willing to concoct any threat and story imaginable that they believe would fool the recipient,” Talos security researcher Jaeson Schultz wrote in a Friday blog post.

Bomb Threat Email Example

Thursday’s email bomb threat sparked alarm across the US; schools, businesses and community centers ordered building evacuations on fears the threat was real. However, the messages all appear to be a hoax, and so far police have discovered no explosives tied to the scheme.

It wasn’t the first time the spammers used empty threats to scam victims, according to Talos. In October, the company’s security researchers documented a mass sextortion campaign from the group that had been going on for months. It worked by scaring victims into thinking a hacker had taken over their computers and recorded them watching porn. If you wanted the embarrassing video kept secret, then you had to pay up.

Although the sextortion threat was a scam, the spammers were able to make at least $146,000 from the mass email messages, according to Talos’ research. It now appears the spammers have decided to go beyond threatening individuals to threatening entire businesses and organizations, as evidenced by yesterday’s bomb threats.

In an interview, Schultz said he estimated that the spammers sent “tens of thousands” of email bomb threats to people’s inboxes on Thursday before deciding to stop by the evening. Schultz made the estimate based on copies of messages detected by Cisco’s spam filtering solution, SpamCop.

Countries targeted by the bomb threats included the US, Canada, New Zealand, and Australia. But the emails themselves were specifically sourced to IP addresses belonging to a domain registrar and hosting provider in Russia, called Reg.ru. According to Schultz, the spammers probably hacked accounts for domains hosted by the Russian provider to mass email the bomb threats.

Each IP address sent out only about 5 messages, none of which contained any malware. This may explain why the spam filtering on some people’s inboxes let the bomb threats through. “That small quantity per IP made it much more difficult to use the reputation of the IP address to block the mail,” Schultz said.

Talos noticed that the spammers were using at least 17 bitcoin addresses to receive their payments. But none of the addresses received the $20,000 extortion fee the culprits were seeking.

“They definitely didn’t make much money on this bomb threat,” Schultz said. But the scheme also backfired by attracting unwanted attention from US authorities, including the FBI and police departments across the country.

“With each new email campaign, there is a chance that the attackers will make a mistake, or otherwise give away a critical piece of information that may implicate them,” Schultz added.

Who, exactly, is behind the bomb threat isn’t known, but they appear to be changing tactics. “As of late yesterday, the bomb threat email attack morphed,” Schultz wrote. “The attackers have returned to their empty threats of harming the individual recipient. This time, they threaten to throw acid on the victim.”

Acid Throwing Threat Email

This new round of extortion emails has been sourced to different IP addresses coming from a separate Russian hosting company called TimeWeb. But Schultz suspects yesterday’s email bomb spammers are also behind the acid-throwing extortion scheme. That’s because the messages have been using identical subject lines and similar text, he said.
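The low volume per sending IP described earlier defeats IP-reputation blocking, but the campaign still leaves a shared template: near-identical subject lines and body text with only the payment address and amount varying. As an added example (not code from the article or from Talos), the script below clusters extortion-shaped messages by a masked template key rather than by sender IP; the messages, IPs and bitcoin-style addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample messages; sender IPs are RFC 5737 documentation addresses and the
# payment addresses are fake strings shaped like legacy bitcoin addresses. Each IP sends
# a single message, mimicking the low-volume-per-IP pattern the article describes.
SAMPLE_MESSAGES = [
    {"ip": "203.0.113.10", "subject": "Think twice",
     "body": "There is a bomb in your building. Pay $20000 in bitcoin to 1FakeAddrAAAAAAAAAAAAAAAAAAAA by end of day."},
    {"ip": "203.0.113.11", "subject": "THINK TWICE",
     "body": "There is a bomb in your building. Pay $20,000 in bitcoin to 1FakeAddrBBBBBBBBBBBBBBBBBBBB by end of day."},
    {"ip": "198.51.100.7", "subject": "think twice!",
     "body": "There is a bomb in your building. Pay $20000 in bitcoin to 3FakeAddrCCCCCCCCCCCCCCCCCCCC by end of day."},
    {"ip": "198.51.100.9", "subject": "Weekly crypto newsletter",
     "body": "Donations welcome at 1FakeAddrDDDDDDDDDDDDDDDDDDDD. Thanks for reading."},
]

BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 address shape
AMOUNT_RE = re.compile(r"\$\s?[\d,]+(?:\.\d+)?")
THREAT_TERMS = ("bomb", "explosive", "acid", "recorded you", "video of you")

def template_key(msg, words=10):
    """Campaign fingerprint: normalized subject plus the body with variable parts masked."""
    subj = re.sub(r"\W+", " ", msg["subject"].lower()).strip()
    body = BTC_RE.sub("<btc>", msg["body"])          # mask per-message payment address
    body = AMOUNT_RE.sub("<amt>", body).lower()      # mask demanded amount ($20000 vs $20,000)
    body = " ".join(re.findall(r"[a-z<>]+", body)[:words])
    return f"{subj}|{body}"

def cluster_campaigns(messages, min_ips=3):
    """Group extortion-shaped messages by template; keep templates seen from >= min_ips senders."""
    clusters = defaultdict(lambda: {"ips": set(), "btc": set(), "count": 0})
    for m in messages:
        body = m["body"].lower()
        if not BTC_RE.search(m["body"]) or not any(t in body for t in THREAT_TERMS):
            continue  # no payment address or no threat language: not extortion-shaped
        c = clusters[template_key(m)]
        c["ips"].add(m["ip"])
        c["btc"].update(BTC_RE.findall(m["body"]))
        c["count"] += 1
    return {k: v for k, v in clusters.items() if len(v["ips"]) >= min_ips}

if __name__ == "__main__":
    for key, c in cluster_campaigns(SAMPLE_MESSAGES).items():
        print(f"{key!r}: {c['count']} msgs from {len(c['ips'])} IPs, {len(c['btc'])} payment addrs")
```

The three bomb-threat samples collapse into one campaign despite three different sender IPs and three different payment addresses, while the newsletter that merely mentions a bitcoin address is ignored.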

Unfortunately, the spammers probably won’t stop unless they’re either caught or people stop falling for their extortion schemes. “DO NOT pay extortion payments,” Schultz advised. “Doing so will only confirm for the attackers that their social engineering approach is working, and victims’ money goes directly toward facilitating additional attacks.”

As I have said before, DO NOT play into these threats. DO NOT open unknown e-mails, and lastly, DO NOT EVER be held hostage over your information. Secure your accounts NOW, change your passwords frequently, and for God’s sake don’t share your information with anyone unless trusted; when in doubt, check ’em out.

Have a great week from all of us on the ZI STAFF