[ad_1]
Spam and phishing emails are a constant plague in our inboxes, but more recently sextortion campaigns have also appeared.
This particular brand of fraud attempts to take advantage of the way some of us view adult content, a personal and private matter that we wouldn’t necessarily want contacts like friends or family to know about or our viewing preferences.
Often times, these emails will claim that someone has been watching you through your webcam at the same time you are watching pornography or live webcam and not only knows what you have watched and when, but has also obtained the contact information of friends, family and Colleagues.
Emails can also include a password from an online account, stolen due to a data breach and posted online in data dumps, to appear more authentic.
See also: France asks Apple to reduce iPhone security for developing coronavirus monitoring apps
Cybercriminals will then demand payment from victims in cryptocurrency such as Bitcoin (BTC) or Ethereum (ETH) to prevent footage of the victim apparently watching pornography from being leaked.
Given the adult nature of these threats, some sextortion email recipients fall in love with this tactic and pay. But where does the cryptocurrency go?
SophosLabs researchers, along with CipherTrace analysts, set out to find out.
On Wednesday, the companies released an investigative report on a large sextortion campaign running from September 2019 to February 2020.
Millions of sextortion spam emails have been sent in this time. Victims were asked to pay up to $ 800 in BTC into the scammers’ owned wallet addresses, amassing cybercriminals about $ 500,000 – 50.98 BTC – over the life of the scam.
The scheme used botnets made up of compromised PCs around the world to send spam. Most of the emails were sent in English, but some were also sent in Italian, German, French and Chinese.
The sextortion campaign appears to be a step above most as scammers have used obfuscation techniques to bypass spam filters, including blocks of white junk text, random strings, and adding words in Cyrillic characters to confuse scanners.
Below is an example of the sextortion message:
Research teams analyzed the wallet addresses associated with the campaign which grossed an estimated $ 3.1,000 per day. Wallets that received deposits were laundered approximately every 15 days.
In total, 328 addresses were tracked, 12 of which linked to online cryptocurrency exchanges and online wallet services, many of which are already considered “high risk” as they do not impose Know Your Customer (KYC) requirements, making them useful in money laundering. of money.
Cryptocurrency exchanges including Binance, LocalBitcoins, and Coinpayments have also been “unwitting participants” in cryptocurrency washdowns, in which funds are moved to clean up dirty paths, according to the researchers.
Other transactions were linked to private, non-hosted wallets. In total, 316 transactions made up to three “hops” from an original transaction address, ending up in places including the Dark Web Hydra Market and the FeShop credit card dump market. The funds were also sent to other corners of the underground criminal economy, including mixers for conversion to other cryptocurrencies, cash, and services.
A wallet used in the sextortion scheme was also linked to a BTC transaction linked to the 2019 Binance hack.
“There were 13 addresses among the 328 passed to CipherTrace that had no traceable outbound transactions,” the report said. “But otherwise, whoever was behind the wallets didn’t let their cryptocurrency loot remain long. Based on the date of the first input (when the first extortion payment transaction occurred) and the last output ( when some Bitcoin in the wallet was drained), [there is] an average “lifespan” of approximately 32.28 days. ”
Tracking sextortion campaign funds in the real world is a difficult prospect, not only because of the wallet anonymization factors, but also because of the use of IP masking and VPNs.
CNET: The senator asks the CEOs of Google and Apple to be personally responsible for the privacy of the COVID-19 monitoring project
On all 328 addresses, CipherTrace was able to trace the IP data of 20 addresses, but each of them was connected to VPN or Tor exit nodes. Most deposits have ended up in global cryptocurrency exchanges, and the use of these solutions can bypass geo-restrictions, giving teams little to work with when it comes to honing the true positions of threat actors.
“Since some of the transfers have been used to obtain stolen credit card data or other criminal services – possibly including multiple spam botnet services – the sextortion campaign payments are funding another round of scams and fraud.” , the researchers said.
TechRepublic: Security teams want new tools but don’t have the budget to experiment
Earlier this month, cybercriminals stole over $ 25 million worth of cryptocurrency belonging to Lendf.me. A combination of security holes and blockchain functionality is believed to have been put together in an attack that allowed threat actors to repeatedly make withdrawals.
Three days after the attack, the cyber attackers returned all funds following the leak of an IP address during the attack and direct trading with the cryptocurrency exchange.
Previous and related coverage
Do you have a suggestion? Get in touch securely via WhatsApp | Signal on +447 713 025 499 or in addition to the key base: charlie0
