An old, yet proven, extortion hoax is making a return. Breached email addresses and passwords are being used to trick, phish, and extort users into paying a ransom to suspect Bitcoin addresses.
Method
A Wapack Labs member passed along a new Bitcoin ransom scheme they observed this past week. Further analysis reveals the scheme is making the rounds in all critical infrastructure sectors. The message to victims implies that a bad actor has compromised their computer and recorded the user watching pornography. The actor then threatens to release the video to all of the victim's contacts unless a Bitcoin ransom is paid. What is different in this threat is that the bad actor has the victim's real password, which adds credibility to the threat.
The ransom amounts vary, but average from $1000.00 USD to $1400.00 USD. The BTC address used against our member is 13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi. Another BTC address used is 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72. The threat offers 24 hours to pay the ransom or face exposure, a tactic that again plays upon people's fear of exposure. Research has shown that the emails and passwords used in these instances were often valid, yet old; in some cases, ten years old. Because so many of these passwords were outdated, the messages raised suspicion. The current attempts appear to be semi-automated: the bad actor most likely runs a script that draws usernames and passwords directly from past data breaches. Most of this old data is easily found in the underground, so the threat tier is likely low. It is likely that as the hackers refine this scam, current emails and passwords will be utilized, which will again add to the validity of the threat to unsuspecting victims.
Mitigations
- Never send compromising images of yourself to anyone, no matter who they are, or who they say they are.
- Do not open attachments from people you do not know. Always be suspicious of opening attachments even from those you do know.
- Turn off AND cover any web cameras when you are not directly using them.
- Do not pay this group of extortionists, as their claims of keylogging the victims and having recorded videos are false.
Indicators
| Indicator | Type | Kill Chain Phase | 1st Seen | Last Seen | Comments | Attribution |
| --- | --- | --- | --- | --- | --- | --- |
| ttmmariannezq@outlook.com | | Delivery | 07/21/2018 | 07/21/2018 | Fake Email | |
| 40.92.66.78 | IP | Delivery | 07/21/2018 | 07/21/2018 | IP address | |
| Axel Diana | String | Exploitation | 07/21/2018 | 07/21/2018 | Lure name | |
| 13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi | String | Actions and Objectives | 07/21/2018 | 07/21/2018 | BTC account | |
| 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 | String | Actions and Objectives | 07/21/2018 | 07/21/2018 | BTC account | |
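The indicators above can be turned into a simple mail-triage check that a SOC team could run over inbound messages to flag this lure. The following is an added example, not part of the Wapack Labs report: the sender address and BTC addresses come from the indicator table, while the lure-phrase patterns, the scoring weights and the two sample messages are constructed for illustration.

```python
import re

# IoC values taken from this report's indicator table.
KNOWN_BTC_ADDRESSES = {
    "13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi",
    "1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72",
}
KNOWN_SENDERS = {"ttmmariannezq@outlook.com"}

# Base58 alphabet (no 0, O, I, l). Legacy P2PKH/P2SH addresses start with
# 1 or 3 and are 26-35 characters; this only finds candidates, it does not
# verify the Base58Check checksum.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Constructed lure-phrase patterns typical of this extortion hoax.
LURE_PATTERNS = {
    "password_disclosure": re.compile(r"\byour password\b", re.I),
    "webcam_recording": re.compile(r"\b(webcam|camera|recorded|video)\b", re.I),
    "adult_content": re.compile(r"\b(porn|adult|explicit)\b", re.I),
    "contact_threat": re.compile(r"\b(all|everyone|every one) (of )?your (contacts|friends|family)\b", re.I),
    "deadline": re.compile(r"\b(24|48) ?hours\b", re.I),
    "bitcoin_demand": re.compile(r"\bbitcoin\b|\bBTC\b", re.I),
}


def extract_btc_addresses(body: str) -> set:
    """Return every Base58-looking BTC address candidate in the message body."""
    return set(BTC_ADDR_RE.findall(body))


def triage_message(sender: str, body: str) -> dict:
    """Score a message against the report's IoCs and the lure-phrase patterns.

    A message is flagged when it uses a known sender or known BTC address, or
    when it carries a BTC address together with at least three lure phrases.
    Lure phrases alone are not enough, so routine password-reset mail with a
    deadline is not flagged.
    """
    addresses = extract_btc_addresses(body)
    known_addresses = addresses & KNOWN_BTC_ADDRESSES
    known_sender = sender.strip().lower() in KNOWN_SENDERS
    lure_hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(body)]

    # Constructed weights: IoC matches count double, each lure phrase once.
    score = len(lure_hits) + 2 * len(known_addresses) + (2 if known_sender else 0)
    flagged = bool(known_addresses) or known_sender or (bool(addresses) and len(lure_hits) >= 3)

    return {
        "verdict": "sextortion_hoax" if flagged else "benign",
        "score": score,
        "addresses": addresses,
        "known_addresses": known_addresses,
        "known_sender": known_sender,
        "lure_hits": lure_hits,
        # Candidate addresses not yet in the IoC list, for analyst review.
        "new_addresses": addresses - KNOWN_BTC_ADDRESSES,
    }


# Constructed sample messages (not real victim mail).
SAMPLE_EXTORTION = """From: Axel Diana
I know that Passw0rd123 is your password. I installed malware on an adult site you visited
and my webcam recorded you. I will send the video to all of your contacts unless you pay
$1200 in Bitcoin to 13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi within 24 hours."""

SAMPLE_BENIGN = """Hi team, reminder that the quarterly password rotation is due in 24 hours.
Please update your password in the portal. Thanks!"""

if __name__ == "__main__":
    for sender, body in (("ttmmariannezq@outlook.com", SAMPLE_EXTORTION),
                         ("hr@example.com", SAMPLE_BENIGN)):
        result = triage_message(sender, body)
        print(sender, result["verdict"], result["score"], sorted(result["lure_hits"]))
```

Addresses that score as a hoax but are not yet in the IoC list are returned under `new_addresses` so an analyst can review them and extend the table; the regex deliberately stops at syntactic plausibility, so a Base58Check validation step would be the natural next addition before trusting an extracted address.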
Figure 1. Vienna, Austria IP location
For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com