So-called sextortion scammers have in the past made big bucks from victims who fall for claims in spam email that someone has compromising film or footage.
Cisco’s Talos Intelligence malware researchers last year documented one group who’d made about $150,000 in two months using the scam after analyzing thousands of cryptocurrency wallets linked to a campaign whose sender was invariably “Aaron Smith”.
But that was a year ago. Today, it seems, the scammers behind that campaign aren’t having as much luck hooking victims with bogus claims they have embarrassing content about the victim.
The group in question built its sextortion mailing list from publicly available lists of breached email addresses and passwords. They then used large networks of compromised computers, largely in India, Russia, and Vietnam, to send about 250,000 spam messages to the targets claiming they possessed explicit videos of the person. The ruse back then was lucrative.
Today, the “Aaron Smith” part of the group’s handiwork has gone and has been replaced with an email subject header that supposedly is the person’s username and password for a particular account. That’s the exact same subject header a scam group was using last year, which netted USD$250,000 in Bitcoin in a matter of weeks.
Talos researchers analyzed former “Aaron Smith” group’s spamming activity over a three month period between January and March 2019. It found the group had massively ramped up spamming, sending targets one million sextortion claims in just three months.
The researchers then examined about 9,000 Bitcoin addresses linked to the campaign, which were frequently reused for multiple recipients.
Despite the huge increase in sextortion spam volumes, the researchers also found that scammers were only sending messages to about 29,000 unique email addresses, meaning that targets were receiving the same messages on average 38 times.
The repeat exposure the scam emails could flag for some users that it is a scam, but some of these repeat exposure targets could still pay up.
And some did, just not that many. Upon analyzing the 9,000 Bitcoin addresses, Talos researchers found they contained just 3.5 BTC, which converts to about USD$17,000.
“These returns are quite disappointing when compared with the $150,000 these same attackers obtained in just two months of sextortion attacks last fall,” the researchers note.
Despite, or perhaps because of, the low returns, the attackers are investing methods to bypass anti-spam filters. Recipients see the same the messages as usual, but underneath the attackers have used plain text letters, special HTML characters, and image spam or an image of the text, a trick that was common in the mid-2000s. Image spam can be handy as it’s not parsed by text-based spam filters.
But how the attackers used image spam doesn't make for "user-friendly" payment experience for targets . Comically, the email asks targets to copy and past a Bitcoin address, which is stuck inside an image and can’t be copied in the first place.
Talos researchers conclude that despite these communication failures and falling profits that web users still need to be aware that scammers know that scams work.
"Early success has led to a proliferation of sextortion spam, but profits from these types of scams are declining rapidly. Going back to their inception months ago, the adversaries have made hundreds of thousands of dollars with little more than publicly available data and some ingenuity.
"Users need to understand that these sextortion attempts are nothing but a sham, and the threat isn't backed up by real data. Unfortunately, the reality is that it is still far too easy to extort users with the threat of exposure without any real data backing it up and the bad guys are continuing to cash in on users' own paranoia."