Threats of Terror Pervade Recent Extortion Phishing Campaigns
By Lucas Ashbaugh
“There is an explosive device (tronitrotoluene) in the building where your business is conducted […] there will be many victims if it explodes”
Late last week, multiple customers notified CofenseTM of bomb-threat phishing emails that were almost certainly part of a worldwide scam to extort victims via bitcoin. This scam drew responses from major law enforcement agencies across the world and made global headlines, due to its vast reach and terrifying nature.
With subjects like “Better listen to me” and “keep calm,” the emails threatened to detonate a compact explosive device hidden somewhere at the victim’s workplace, resulting in serious casualties. The emails demanded that victims capitulate by the end of the work day, claiming “if you are late with the money the device will explode” (Exhibit 1).
Hello. There is an explosive device (tronitrotoluene) in the building where your business is conducted. It was built according to my guide. It can be hidden anywhere because of its small size, it is impossible to destroy the supporting building structure by my explosive device, but there will be many victims if it explodes. My recruited person keeps the building under the control. If any unusual activity or policeman is noticed the bomb will be blown up. I would like to offer you a transaction. You send me 20.000 dollars in Bitcoin and explosive will not explode, but do not try to deceive me -I assure you that I have to withdraw my recruited person only after 3 confirmations in blockchain network. Here is my BTC address : 14Rz7W71sXwmnwqZHLvXSf5s1vmpp9viFb You must solve problems with the transfer by the end of the workday, if you are late with the money the device will explode. Nothing personal this is just a business, if I do not receive the money and the explosive device detonates, other commercial enterprises will send me more money, because it isnt a single incident. I will no longer log into this email. I check my wallet every thirty-five minutes and if I see the transaction I will order my person to leave your district. If an explosion occurred and the authorities see this message! We are not the terrorist society and don’t assume responsibility for acts of terrorism in other places.
Overall, the campaign seemed rather fruitless, with none of the reported bitcoin wallets having any money in them at all. This suggests that those bitcoin wallets were created solely for use in this scam and that, thus far, no monetization has occurred. However, with the obvious and predictable response to these campaigns by law enforcement, it’s possible the emails were intended only to sow fear and not generate profit.
Key details were changed in every email, making them harder to search for and detect. They all originated from different junk email accounts at domains that were likely compromised. They had unique subject lines and even took care to vary the explosives they referenced, mentioning compounds like TNT and Nitramine by their formal chemical name (Exhibit 2).
My recruited person has hidden the bomb (Tetryl) in the building where your business is located. My man constructed an explosive device according to my instructions. It can be hidden anywhere because of its small size, it is impossible to damage the structure of the building by my bomb, but in case of its explosion there will be many victims. My recruited person is watching the situation around the building. If he sees any strange behavior, panic or cops the device will be blown up. I can withdraw my man if you pay. You pay me $20'000 in BTC and the device will not explode, but do not try to fool me -I ensure you that I have to call off my mercenary only after 3 confirmations in blockchain network. My payment details (BTC address)- 1PqX7bMnCzpJ7L1mxuGgNyaJSkJRM8SjES You must solve problems with the transaction by the end of the working day, if you are late with the transaction the device will explode. This is just a business, if you don’t send me the bitcoins and a bomb detonates, other commercial enterprises will pay me a lot more, because this isnt a single incident. To stay anonimous I will not visit this email. I monitor my Bitcoin address every 25 min and if I receive the transaction I will order my man to leave your area. If a bomb detonates and the authorities read this email! We arent a terrorist organization and do not take responsibility for acts of terrorism in other places.
The Larger Picture – Old Hoax, New Theme
Someone truly upped the stakes of a run-of-the-mill scam. Employees across the United States evacuated their offices and municipal police scrambled to understand and respond to the incident. Federal law enforcement agencies worldwide also responded, including the U.S. FBI and the Australian CSC. Even though the scammers claimed to have no terrorist affiliations, that didn’t prevent the NYPD Counterterrorism Unit from getting involved, weighing in that the threat was not credible.
The introduction of bomb threats has made these scams newsworthy. However, this form of bitcoin extortion closely resembles one of the most common extortion scams the Cofense Phishing Defense Center handles. Commonly referred to as “sextortion,” most of these scams attempt to extort people over supposed explicit recordings (Exhibit 3). Over the past year, we’ve handled many different variations of this ploy. Traditionally, these scam emails are sent by someone who purchases leaked credentials online and then emails users claiming to have broken into all of their accounts, reiterating their purchased password as “proof.” (Exhibit 3). The scammers assume the victim most likely used the same password across different accounts, which is unfortunately often true. Yet sextortion scams are often much darker, with one recent wave threatening to “pour out acid in your face,” adding that it “hurts, forever.”
Hello! My nickname in darknet is evelyn72. I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time. So, your password from [REDACTED] is [REDACTED] Even if you changed the password after that - it does not matter, my virus intercepted all the caching data on your computer and automatically saved access for me. I have access to all your accounts, social networks, email, browsing history. Accordingly, I have the data of all your contacts, files from your computer, photos and videos. I was most struck by the intimate content sites that you occasionally visit. You have a very wild imagination, I tell you! During your pastime and entertainment there, I took screenshot through the camera of your device, synchronizing with what you are watching. Oh my god! You are so funny and excited! I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $876 is quite a fair price to destroy the dirt I created. Send the above amount on my BTC wallet (bitcoin): 1EZS92K4xJbymDLwG4F7PNF5idPE62e9XY As soon as the above amount is received, I guarantee that the data will be deleted, I do not need it. Otherwise, these files and history of visiting sites will get all your contacts from your device. Also, I'll send to everyone your contact access to your email and access logs, I have carefully saved it! Since reading this letter you have 48 hours! After your reading this message, I'll receive an automatic notification that you have seen the letter. I hope I taught you a good lesson. Do not be so nonchalant, please visit only to proven resources, and don't enter your passwords anywhere! Good luck!
How To Protect Yourself And Business
Anyone receiving a bomb threat via email should immediately contact the authorities. Do not delete the threatening email. U.S. based victims have been advised to notify the FBI at 1-800-CALL-FBI, or to reach out to them at www.ic3.gov. Victims outside of the United States should reach out to their federal authorities. Anyone receiving a bomb threat via a different method of communication should reference the U.S. DHS Bomb Threat Procedures.
However, planning for a bomb threat should happen well before a threat ever occurs. The U.S. DHS What To Do – Bomb Threat webpage supplies a thorough explanation of how to plan ahead and how to handle an active incident.
For email extortion in general, you can train users on how to use email safely with tools such as Cofense PhishMeTM, plus how to report suspicious emails to security teams for inspection with tools like Cofense ReporterTM and Cofense Phishing Defense Services, powered by Cofense TriageTM.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.