Hacked Passwords Lead to Extortion Hoax

An old but proven extortion hoax is making a return. Hacked email addresses and passwords are being used to trick, phish and extort users into paying a ransom to suspect Bitcoin addresses.

Method

A Wapack Labs member passed along a new Bitcoin ransom scheme they observed this past week. Further analysis reveals this scheme is making the rounds in all critical infrastructure sectors. The message to victims implies that a bad actor has compromised their computer and has recorded the user watching pornography. The actor then threatens to release the video to all of the victim's contacts unless they pay a Bitcoin ransom. What is different in this threat is that the bad actor has the victim's real password, which adds credibility to the threat.

The ransom amounts vary, but average from $1000.00 USD to $1400.00 USD. The BTC address used against our member is: 13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi. Another BTC address used is: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72. The threat offers 24 hours to pay the ransom or face exposure, a tactic that again plays upon people's fear of exposure. Research has shown the emails and passwords used in these instances were often valid, yet old; in some cases, ten years old. Because so many of these passwords were outdated, they raised some suspicion. The current attempts appear to be semi-automated: the bad actor most likely uses a script that draws usernames and passwords directly from past data breaches. Most of this old data is easily found in the underground, which makes this a likely low-tier threat. It is likely that as the hackers refine this scam, current emails and passwords will be utilized, which will again add to the validity of the threat to unsuspecting victims.

Mitigations

  • Never send compromising images of yourself to anyone, no matter who they are, or who they say they are.
  • Do not open attachments from people you do not know. Always be suspicious of opening attachments even from those you do know.
  • Turn off AND cover any web cameras when you are not directly using them.
  • Do not pay this group of extortionists; their claims of keylogging victims and having recorded videos are false.

Indicators

Indicator                          | Type   | Kill Chain Phase       | 1st Seen   | Last Seen  | Comments    | Attribution
-----------------------------------|--------|------------------------|------------|------------|-------------|------------
ttmmariannezq@outlook.com          | Email  | Delivery               | 07/21/2018 | 07/21/2018 | Fake Email  |
40.92.66.78                        | IP     | Delivery               | 07/21/2018 | 07/21/2018 | IP address  |
Axel Diana                         | String | Exploitation           | 07/21/2018 | 07/21/2018 | Lure name   |
13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi | String | Actions and Objectives | 07/21/2018 | 07/21/2018 | BTC account |
1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72 | String | Actions and Objectives | 07/21/2018 | 07/21/2018 | BTC account |

Figure 1. Vienna Austria IP location
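The indicators in the table can be turned into a mail-gateway triage check. The Python script below is an added example written for this page, not Wapack Labs code: it parses a raw email, pulls the sender address, the relay IP from the Received headers and any legacy-format Bitcoin address in the subject or body, matches them against the listed indicators, and separately flags the pattern the report describes (a Bitcoin address combined with a 24-hour deadline) so that a refined variant using a new address and sender is still surfaced. The three sample messages, their hostnames, recipient, password and the unlisted address are constructed placeholders; only the indicator values come from the report.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Indicators taken from the report's indicator table.
IOC_BTC = {"13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi", "1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72"}
IOC_SENDERS = {"ttmmariannezq@outlook.com"}
IOC_RELAY_IPS = {"40.92.66.78"}
IOC_LURE_NAMES = {"axel diana"}

# Shape of a legacy Bitcoin address (leading 1 or 3, base58 alphabet). This is a
# format check used to pull candidates out of text, not a checksum validation.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEADLINE_RE = re.compile(r"\b24\s*hours?\b", re.IGNORECASE)


def scan_message(raw_message):
    """Return a verdict and the evidence for one RFC 5322 message.

    Verdicts: 'sextortion-ioc' (a listed indicator matched),
    'suspected-sextortion' (campaign pattern, no listed indicator), 'clean'.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    haystack = "\n".join([display_name, str(msg.get("Subject", "")), body])

    # Relay IPs are read from the Received trace headers, not from the body.
    received = " ".join(str(h) for h in msg.get_all("Received", []))
    relay_ips = set(IPV4_RE.findall(received))
    btc_addresses = set(BTC_RE.findall(haystack))

    hits = []
    if sender in IOC_SENDERS:
        hits.append(f"sender {sender} is a listed indicator")
    for ip in sorted(relay_ips & IOC_RELAY_IPS):
        hits.append(f"relay IP {ip} is a listed indicator")
    for addr in sorted(btc_addresses & IOC_BTC):
        hits.append(f"Bitcoin address {addr} is a listed indicator")
    lowered = haystack.lower()
    for name in sorted(IOC_LURE_NAMES):
        if name in lowered:
            hits.append(f"lure name '{name}' present")

    # Pattern check independent of the indicator list: a payment address
    # together with the 24-hour deadline the report describes.
    campaign_pattern = bool(btc_addresses) and DEADLINE_RE.search(haystack) is not None

    if hits:
        verdict = "sextortion-ioc"
    elif campaign_pattern:
        verdict = "suspected-sextortion"
        hits.append("unlisted Bitcoin address combined with a 24-hour deadline")
    else:
        verdict = "clean"

    return {"verdict": verdict, "sender": sender, "relay_ips": sorted(relay_ips),
            "btc_addresses": sorted(btc_addresses), "hits": hits}


# Constructed sample built from the report's indicators; the relay hostname,
# recipient and password are made up.
SEXTORTION_SAMPLE = """\
Received: from constructed-relay.example (40.92.66.78)
 by mx.example-corp.test with ESMTP; Sat, 21 Jul 2018 09:14:02 +0000
From: Axel Diana <ttmmariannezq@outlook.com>
To: jdoe@example-corp.test
Subject: jdoe - Winter2009
Content-Type: text/plain; charset="utf-8"

I know Winter2009 is your password. I installed a keylogger and recorded you
through your webcam. You have 24 hours to send $1000 in Bitcoin to
13wyz926tKAzMxcrDDP7GBRqnjHFJRKGAi or the video goes to all your contacts.
"""

# Constructed variant: same pattern, none of the listed indicators. The
# address is a placeholder that only has the right shape.
VARIANT_SAMPLE = """\
Received: from another-relay.example (198.51.100.7)
 by mx.example-corp.test with ESMTP; Sat, 21 Jul 2018 11:02:40 +0000
From: Somebody <somebody@example.net>
To: jdoe@example-corp.test
Subject: jdoe
Content-Type: text/plain; charset="utf-8"

Pay 0.2 BTC to 1ConstructedAddrForTestingHere2345 within 24 hours.
"""

# Constructed benign message: a deadline alone must not trigger.
CLEAN_SAMPLE = """\
Received: from mail.partner.example (203.0.113.5)
 by mx.example-corp.test with ESMTP; Mon, 23 Jul 2018 08:00:00 +0000
From: Pat Partner <pat@partner.example>
To: jdoe@example-corp.test
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Attached are the notes from Friday; reply within 24 hours if you have edits.
"""

if __name__ == "__main__":
    for label, sample in [("listed", SEXTORTION_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        result = scan_message(sample)
        print(label, "->", result["verdict"], result["hits"])
```

The pattern check requires both a Bitcoin address and the deadline, so ordinary mail that mentions "24 hours" stays clean; updating the indicator sets as new addresses and senders are reported keeps the listed-indicator path current without touching the pattern logic.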

For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com

 
