Whac-A-Phish: Cybercriminals Use Automation to Launch Mass Extortion Campaign

Preet Kumar
Written by Preet Kumar
Threat Research /
Whac-A-Phish: Cybercriminals Use Automation to Launch Mass Extortion Campaign

Each Blox Tale will take a look at a targeted email attack, outline why it made its way into an inbox, and provide guidance for organizations looking to stop such attacks. In this blog, we’ll focus on a mass extortion campaign where cybercriminals sent 3,500+ extortion emails from 3,000+ unique domains to get past email security filters and blocklists.

Org mailboxes: ~90,000

Emails sent: 3,788

Unique domains used: 3,074

Employees targeted: 100+

The Email

A few weeks ago, the Armorblox threat research team observed a spike in extortion-themed emails trying to hit one of our customer environments. In the email, the sender claimed that they had installed a Trojan horse on the victim’s system and now had access to all the victim’s data, contacts, and browsing history.

The email continues with a threat: the sender has compromising videos of the victim visiting adult websites - videos that they can easily send to all the victim’s contacts. In exchange for not sharing the videos, the sender asks for Bitcoin payments of USD 1400 within 48 hours.

Extortion email attacks are not a new phenomenon. Earlier this year, the FTC issued a public advisory warning people against scam emails that demand Bitcoin while threatening blackmail. With the world on edge during lockdown, sextortion and breach extortion emails have surged in 2020. The extortion campaign we cover in this blog is a similar attack launched at scale using automation to spin up unique sender domains.

A snapshot of the email is given below:


Fig: Sextortion email asking for Bitcoin payments

Extortion Bingo

The email follows all tenets of extortion attacks and aims to create a sense of helplessness in victim minds. The email induces a sense of urgency through a deadline (48 hours) and a sense of fear through its content (having compromising videos of the victim).

Targeted email attacks also aim to induce a sense of authority, often by impersonating VIPs in your organization or external entities like the IRS. Extortion emails like this one, however, aim to induce a different kind of authority - that of a confident cybercriminal who has covered all their bases and has the victim cornered.

The email goes to great lengths to describe what a foolproof Trojan horse the attacker has set up on the victim’s system. The email says ‘Rest assured that I can easily send this video to all your contacts with a few clicks’, planting the seed of quick action in the victim’s mind to avoid negative consequences.

The email also systematically closes other methods of recourse that the victim might think are available to them.

  • It makes no sense to reply me - this address has been generated automatically’ closes any potential email dialogue.
  • It makes no sense to complain either, since the letter along with my Bitcoin wallet cannot be tracked’ shuts the door on other avenues the victim might consider. Bitcoin transactions are notoriously difficult to track and recover, with the Wall Street Journal calling it a complex, 21st century cat-and-mouse game.
  • The time will start once you open this letter (this program has a built-in timer)’ cements a sense of urgency in the victim’s mind and lets them know that they can’t play for time.

Sextortion scams also try and trigger a sense of shame in victims. Even when people should probably reach out to their security team after getting such an email, some might shy away from the thought owing to the email’s contents and implications. Moreover, if C-suite executives are targeted with these scams, the thought of public disclosure is even more harrowing due to the negative impact it can have on the organization’s brand.

The Futility of Blocklists

This extortion email was sent 3,788 times from 3,074 unique domains, with the majority of them being sent during the last week of October 2020, as shown by the trend graph below.


Fig: The scam website was designed to resemble the look and feel of Ray-Ban’s website

Traditional email security solutions use filters and blocklists that can stop specific domains, IP addresses, and sender names based on policies created by the security team. Attack campaigns like this one use automation effectively to bypass email security filters and overwhelm organizations that use only deterministic measures to detect bad emails.

The futility of using filters and blocklists against these types of attacks is further highlighted by the breakdown of domains used by the attackers in this campaign. The illustrative table below shows the most common domains used, but 3,018 out of the 3,074 domains (~98%) were used to send 3 or fewer emails. This long tail of unique domains is virtually impossible - and exhausting - to block using filters.

It’s also not realistic to block or manually delete emails by their subject lines. Around 96% of emails in this extortion campaign had the title ‘Business offer’, which is too generic a subject line to enter into any blocklist.


Fig: Illustrative table listing domains used to send the extortion emails

Guidance and Recommendations

1. Be skeptical by default

I know this is easier said than done, but it’s highly unlikely that the people behind such extortion attacks actually have your photos, contacts, and other data. Because these emails are socially engineered and play to our baser psychological instincts, we tend to assume personalization even while reading generic email statements. While real extortion attacks exist, the claims of the vast majority of sextortion scams have no basis in reality.

2. Follow password management best practices

Extortion emails sometimes use victims’ passwords as their subject line, which immediately sets alarm bells ringing in our heads and drives us to quick action (i.e. paying the ransom). If you get such emails, immediately change your compromised password and ensure you’re following these best practices:

  • Don’t use the same password on multiple sites/accounts.
  • Use a password management software to store your account passwords.
  • Avoid using generic passwords like ‘password123’, ‘YourName123’.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
  • To prevent (or at least minimize) impact of account compromise, deploy two-factor authentication (2FA) on all business and personal accounts.

3. Bend the truth with security questions

Some sites don’t support 2FA, instead opting for security questions like your mother’s maiden name, the name of your first pet, or the street you grew up on. If you create an account on a site with security questions, never provide true security answers to the questions. Most of this information can be publicly accessed via social media and secondary online research.

If you think you’ll have trouble remembering the fake answers to the security questions - your password management software can also store these answers for you.

4. Reach out to relevant stakeholders

If you receive an extortion email that worries you, report it to your organization’s IT/security team. If your organization does not have a dedicated security team, you can also reach out to local law enforcement or submit internet crime complaints to the FBI’s IC3.

For more email security threat research, news, and industry guidance, sign up for email updates from Armorblox below.

Join Armorblox Mailing List

Read This Next