Sextortion scammers are now targeting potential victims with spam sent to their work emails via the Emotet botnet, a distribution channel 10 times more effective than previous ones according to research published today by IBM X-Force.
Sextortion is a type of email scam first seen in the wild during July 2018 when crooks started emailing potential targets and claiming that they have them recorded on video while browsing adult sites.
To make the scam messages more credible, in some cases the scammers also include a password belonging to the victim that was leaked alongside their email address in a data breach dump.
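The tell-tale elements of these messages (the extortion template, a supposedly leaked password, and a Bitcoin payment address) make them easy to triage at the mail gateway. The following is an added example, not code from IBM X-Force or from the article: it extracts candidate legacy Bitcoin addresses from an email body, validates them with a Base58Check decode (version byte, payload, and 4-byte double-SHA-256 checksum) so that random look-alike strings are not reported as wallets, and scores the text against an assumed phrase list. The sample messages are constructed for the example; bech32 `bc1...` addresses are deliberately out of scope.

```python
"""Sextortion email triage: extract and validate Bitcoin wallets, score extortion phrasing.

Added example, not part of the IBM X-Force report. Phrase list and thresholds are assumptions.
"""
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I, l).
_B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy P2PKH ('1...') / P2SH ('3...') addresses; bech32 'bc1...' is not handled here.
_BTC_CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")

# Phrases typical of the sextortion template (assumed list; tune against your own samples).
_EXTORTION_PHRASES = (
    "adult", "webcam", "recorded you", "your password", "bitcoin",
    "hours", "contacts", "video", "malware", "pay",
)


def is_valid_btc_address(addr: str) -> bool:
    """True if addr passes Base58Check: 25 bytes = version + 20-byte hash + 4-byte checksum."""
    n = 0
    for ch in addr:
        idx = _B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    try:
        raw = n.to_bytes(25, "big")  # leading '1' characters become leading 0x00 bytes
    except OverflowError:            # decodes to more than 25 bytes: not a legacy address
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def triage(message: str) -> dict:
    """Score one email body; returns validated wallets, matched phrases and a verdict."""
    text = message.lower()
    wallets = [a for a in _BTC_CANDIDATE.findall(message) if is_valid_btc_address(a)]
    hits = [p for p in _EXTORTION_PHRASES if p in text]
    if wallets and len(hits) >= 3:
        verdict = "sextortion"
    elif wallets or len(hits) >= 3:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"wallets": wallets, "phrase_hits": hits, "verdict": verdict}


# Constructed sample messages. The wallet below is the well-known Bitcoin genesis-block
# address, used only because it is a publicly known, valid Base58Check string.
SAMPLE_SEXTORTION = """Subject: your account jdoe@example.com was hacked
I know your password is hunter2. I installed malware on the adult video site you visited
and recorded you through your webcam. Send 0.5 bitcoin to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video goes to all your contacts.
"""

SAMPLE_CLEAN = "Agenda for Tuesday's planning meeting attached. See you at 10."


if __name__ == "__main__":
    for name, body in (("sextortion", SAMPLE_SEXTORTION), ("clean", SAMPLE_CLEAN)):
        print(name, triage(body))
```

Validated wallet addresses are worth keeping as indicators in their own right: the report attributes the campaign's income to a set of 24 wallets, and a gateway that records which addresses appear in blocked mail can cluster later waves of the same operation.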
Attacking victims at work
The new Emotet-powered sextortion campaigns are over 10 times more effective than previous campaigns that were using the Necurs botnet to deliver spam to victims’ inboxes.
This drastic increase in effectiveness is due to the way Emotet works and the difference in ‘currency’ asked by sextortion spam emails delivered via the two botnets.
“First, Emotet infects users at work, versus Necurs, which typically goes to people’s webmail addresses,” the researchers explain.
“Getting an extortion email at work might be placing a lot more pressure on recipients; if they fall for the scam, they must pay up before their employers get caught in the crosshairs.”
Secondly, the Emotet-delivered scams demand ransoms in Bitcoin, a cryptocurrency worth considerably more than the Dashcoin that Necurs spam demands.
Emotet boosts sextortion conversion rates
In the end, choosing a scam distribution channel is all about conversion rates, and in the case of Emotet the scammers seem to have hit the proverbial jackpot.
“With classic botnet spam, those percentages can be rather low. With targeted spam on already compromised assets, that’s almost a guaranteed infection,” the report adds.
The week-long sextortion campaign that used the Emotet botnet for dissemination was able to collect almost $60,000 from victims by targeting people in their workplace and using the fear of putting their careers at risk to trick them into paying the ransom.
This campaign funneled roughly $57,000 into the 24 different Bitcoin wallets used by the threat actors between January 23 and January 28, 2020.
In comparison, a seven-week sextortion campaign run through the Necurs botnet (which has been distributing sextortion scams since November 2018) and ending on December 3, 2019, collected only $4,527 worth of Dashcoin.
“The new campaigns in which Emotet extorts email recipients do not end with the payment — they continue to infect the victim with the Emotet Trojan,” the researchers also found.
“It is likely that this campaign tool is part of what Emotet sells to other gangs, enabling them to use its infrastructure for cybercriminal activities.”
Since January 2020 the Emotet operators have also been delivering a different type of extortion spam, claiming that the target's data was stolen and dropping the Emotet Trojan via a malicious Microsoft Office document that supposedly contains further instructions.
Increased Emotet activity since January
More recently, an Emotet Trojan sample spotted by researchers at Binary Defense has added a Wi-Fi worm module allowing the malware to spread to new victims connected to nearby insecure Wi-Fi networks.
Based on binary timestamps, it’s possible that the malware has been infecting victims via wireless networks unnoticed during the last two years.
Emotet has also been observed using the recent Coronavirus health crisis as a lure in a malspam campaign targeting Japan with malware payloads.
The Trojan ranked first in a 'Top 10 most prevalent threats' list compiled by the interactive malware analysis platform Any.Run in late December, with three times as many uploads as the other malware families in the list.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert in late January on increased targeted Emotet attacks, urging users and admins to review its Emotet Malware alert for detailed guidance.
Recommendations to mitigate Emotet attacks:
• Block email attachments commonly associated with malware (e.g., .dll and .exe).
• Block email attachments that cannot be scanned by antivirus software (e.g., .zip files).
• Implement Group Policy Object and firewall rules.
• Implement an antivirus program and a formalized patch management process.
• Implement filters at the email gateway, and block suspicious IP addresses at the firewall.
• Adhere to the principle of least privilege.
• Implement a Domain-Based Message Authentication, Reporting & Conformance (DMARC) validation system.
• Segment and segregate networks and functions.
• Limit unnecessary lateral communications.
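The first two recommendations, together with the macro-laden Office documents Emotet uses as a dropper, translate into a concrete attachment policy. The following is an added example, not CISA's or IBM's code: it blocks executable extensions anywhere in the file name (so `invoice.pdf.exe` is caught), opens zip containers (plain archives and OOXML Office files are both zips) and blocks any that carry an encrypted or unreadable member that a scanner cannot inspect, any OOXML document that contains a `vbaProject.bin` macro store, and any archive bundling an executable. It takes the narrower line of inspecting archives rather than rejecting every `.zip`; that, the extension list, and all sample attachments are assumptions constructed for the example.

```python
"""Email-gateway attachment policy: executables, unscannable archives, macro documents.

Added example, not CISA's or IBM X-Force's code. Extension list, sample files and the
decision to inspect rather than block all zips are assumptions made for the example.
"""
import io
import zipfile

# Blocked outright anywhere in the name (CISA's .dll/.exe plus other common droppers; assumed list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".cmd", ".bat", ".ps1"}
# OOXML zip members whose presence means the document carries VBA macros.
MACRO_MEMBERS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def _extensions(filename):
    """All dotted suffixes, lower-cased: 'Invoice.PDF.exe' -> ['.pdf', '.exe']."""
    return ["." + p for p in filename.lower().split(".")[1:]]


def assess_attachment(filename, data):
    """Return (action, reason) with action 'block' or 'allow'."""
    for ext in _extensions(filename):
        if ext in BLOCKED_EXTENSIONS:
            return "block", "executable extension %s" % ext
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):  # zip local header / empty-archive marker
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                        return "block", "encrypted member %s cannot be scanned" % info.filename
                    name = info.filename.lower()
                    if name in MACRO_MEMBERS:
                        return "block", "Office document contains VBA macros (%s)" % info.filename
                    for ext in _extensions(name.rsplit("/", 1)[-1]):
                        if ext in BLOCKED_EXTENSIONS:
                            return "block", "archive contains executable %s" % info.filename
        except zipfile.BadZipFile:
            return "block", "malformed zip cannot be scanned"
    return "allow", "no policy match"


# --- constructed sample attachments -------------------------------------------------

def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _mark_encrypted(zip_bytes):
    """Set the 'encrypted' bit in every local (offset 6) and central (offset 8) header.

    Sample-data helper only: Python's zipfile cannot write encrypted members, and the
    header flag is what a gateway sees before it ever tries to decrypt the payload.
    """
    buf = bytearray(zip_bytes)
    for sig, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + offset] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


SAMPLES = {
    "report.pdf": b"%PDF-1.4 constructed sample",
    "invoice.pdf.exe": b"MZ constructed sample",
    "instructions.docm": _zip({"[Content_Types].xml": b"<Types/>",
                               "word/document.xml": b"<w:document/>",
                               "word/vbaProject.bin": b"\x00" * 16}),
    "notes.docx": _zip({"[Content_Types].xml": b"<Types/>",
                        "word/document.xml": b"<w:document/>"}),
    "protected.zip": _mark_encrypted(_zip({"doc.docx": b"fake"})),
    "tools.zip": _zip({"tools/update.exe": b"MZ"}),
}


def assess_all(samples=SAMPLES):
    """Run the policy over every sample; returns {filename: action}."""
    return {name: assess_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-18s %s: %s" % (name, *assess_attachment(name, data)))
```

Note that the macro check fires on the zip member, not on the extension: a `.docx` whose author renamed a `.docm` is still caught, which is the reason for looking inside the container instead of trusting the file name.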