Recently found Email Extortion: beware of your old credentials

By AnubisNetworks • May 15, 2020

We've detected a new email extortion campaign that relies on real stolen credentials to extort cryptocurrency.

Anubis analyzes thousands of bad emails, and we see everything: from carefully disguised scams where a boss convinces the recipient to make an urgent wire transfer, to hidden URLs in an apparently regular attachment that will trigger a malware installation on your device.

Among these examples, there's the extortion email: a type of ransomware that does not use malware but, instead, relies on the recipient's (sort-of) public information (credentials), which will supposedly lead to information being made public if a ransom is not paid.

Over the last few days, we've noticed one huge campaign of this type of email. Here are two examples:




The important piece of this extortion is that the attacker knows the email address and a real password, and uses this real information to build similar-looking emails (a few variations), distributed massively.

Considering that email security protection (such as Anubis') hunts this type of email, the attackers came up with a few interesting measures to ensure these emails reach their destination:

  • First of all, the email does not contain any (infected) attachment or URL.
  • Secondly, it tries to avoid data leakage filters by disguising the Bitcoin address with an asterisk (*), hence avoiding automated systems that are triggered by the length and character combination of the address.
  • It uses UTF-8 encoded characters from languages that look similar to the Latin charset, to avoid scanning that targets regular character sets.
  • We've detected two variations of the same extortion, and possibly there are more. This keeps the possibility of success alive once the security systems start detecting these emails.
  • The distribution method also varies: from sending from different servers around the world (the first example) to using a regular Microsoft Outlook system. The variation in origin and encoding is also a factor that aims at avoiding detection of the entire campaign.
  • The text is well written (grammar-wise) and tries to avoid some sensitive wording, to skip systems that look for these patterns. Unfortunately for them, they still kept a few "triggers" such as bitcoin, "remove *", and a few others.
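To show how a filter can undo the asterisk and look-alike character tricks listed above before it matches anything, here is an added Python example (not Anubis' own detection code). The look-alike map, the "password" trigger, the sample message and its placeholder address are all constructed assumptions.

```python
import re
import unicodedata

# Constructed, non-exhaustive map of Cyrillic/Greek look-alikes to Latin letters.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u03bf": "o", "\u03b1": "a",
})
# Legacy Base58 address shape: leading 1 or 3, 26-35 characters, no 0/O/I/l.
BTC_SHAPE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")
# The same alphabet with asterisks allowed; hits are re-checked once stripped.
BTC_SPLIT = re.compile(r"(?<![0-9A-Za-z])[13*][1-9A-HJ-NP-Za-km-z*]{25,40}")
# "bitcoin" and "remove *" are named in the post; "password" is an assumption.
TRIGGERS = ("bitcoin", "remove *", "password")


def normalize(text):
    """Fold compatibility forms, then map known look-alikes to Latin."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)


def find_disguised_addresses(text):
    """Return address-shaped strings that only appear once '*' is removed."""
    found = []
    for match in BTC_SPLIT.finditer(text):
        raw = match.group(0)
        candidate = raw.replace("*", "")
        if "*" in raw and BTC_SHAPE.fullmatch(candidate):
            found.append(candidate)
    return found


def analyze(body):
    """Collect the evasion signals present in one message body."""
    text = normalize(body)
    return {
        "lookalikes_folded": text != unicodedata.normalize("NFKC", body),
        "disguised_addresses": find_disguised_addresses(text),
        "triggers": [t for t in TRIGGERS if t in text.lower()],
    }


# Constructed sample: Cyrillic letters inside "password"/"bitcoin", placeholder address.
SAMPLE = ("I know your p\u0430ssw\u043erd. Send $1000 in bit\u0441\u043ein to "
          "1ExampLeAddr*" + "X" * 21 + " (remove * from it).")

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Legitimate Cyrillic or Greek mail also trips `lookalikes_folded`, so treat it as one signal to combine with the others rather than a verdict on its own.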

The good news is that this campaign will be short-lived. It has been spotted (for instance here), and systems are now in place to prevent the delivery of these emails. The bad news is that we should expect other variations, also trying to extort people based on the huge number of data breaches and the resulting credentials available on the internet!

Are you safe? Should you pay?

First of all, the number one rule for cyber ransomware is: don't pay. Not only are the chances of success very low (and the attacker will still have your data to come back again), but as a society, if we increase the attackers' return, we'll increase their appetite for more ransomware attacks (in volume and in sophistication).

Secondly, and for this particular case:

  • We've tracked down a few credentials in these emails and they all seem to be from well-known public leaks, namely the famous LinkedIn password breach of 2012 (167M passwords, and counting!). There have been many other breaches that ended up with the passwords being displayed on the internet, and that is probably where the attackers went to get the credentials used for this extortion. There are several cyber security organizations dedicated to tracking down these leaks. Some of them, such as this service, will let you search whether your credentials were made public after being stolen from certain websites and applications. These security services also notify the breached organization, which always leads them to require the affected users to change their passwords.
  • There are no records of any "private data" being leaked for the people who haven't paid for this extortion. From the attacker's point-of-view, the only private data that could be retrieved would be related to using the stolen credentials in the place that was breached (e.g. Linkedin) before either the user or that breached place had a chance to change the credentials or the authentication method. 
This means, basically, that the recipients of this extortion email must make sure there is no website or application left that (still) uses the credentials displayed in the extortion emails, and rethink, if needed, how they manage their passwords, to avoid future extortionists!

It's always the passwords

It's important to set a ruleset for your online credentials. You should take a look at our older post for more about password management, but basically:

  • Don't use the same credentials pair (username and password) for accessing different websites and applications: one of them may be breached, and have the password displayed on the internet for some extortionist to pull a stunt like the emails above!
  • Try adding a second factor (for instance a temporary key sent to a mobile phone) to your plain username+password accesses to certain systems. Fortunately, more and more systems are enforcing these more complex authentication methods, as well as detecting suspicious behavior (for example, if you logged in from London in one hour, you can't log in from Sydney the following hour).
  • And finally, change passwords frequently, and make them as complex as possible (length and different characters). Use a password manager (which uses one credential to access every other credential) if you find them hard to memorize, and don't write your passwords in places that can be found. Be creative.