The FBI states that its Internet Crime Complaint Center (IC3) has identified this new variety of extortion through an increase in reports to the Center from individuals who have fallen victim to the scam.
The scam seems to have developed as cyber criminals react to high-profile news of data breaches at sites like Ashley Madison and the well-publicized desire of individuals registered on such sites to keep that information private.
Whilst such data breaches do occur and have serious consequences for businesses and users, it seems likely that the individuals sending the emails do not actually have access to the information that they claim. Instead, they succeed by sending out high volumes of emails and trusting that some, even if only a fraction of the total, will be received and opened by individuals who were registered at a recently hacked site.
The recipient is instructed to pay a relatively small amount of 2-5 Bitcoin (approximately $1000-$2500) within a short timeframe. If they do not comply, the email threatens that personal information, such as their name, phone number, address, credit card information, and other details, will be released to the recipient’s social media contacts, family, and friends.
However, the release gave no details of whether any of the individuals reporting emails to IC3 had actually had their data released in the manner threatened after failing to comply, nor of how many of the recipients had simply paid the ransom requested.
The release provided the following example of an extortion email:
“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”
“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”
“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”
“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”
Written by: Gary Broadfield
Author Bio: Gary Broadfield is the head of Cartwright King’s cyber crime team. He is one of England and Wales’ foremost practitioners in the field of cyber-crime and the defence of allegations of hacking, online fraud and computer misuse.
(Security Affairs – extortion email schemes, FBI)