Sextortion Gang Found To Be Behind Email Bomb Threat Spree

Cisco Talos believes it has tied a recent wave of emailed bomb threats to the same group that was conducting a sextortion campaign earlier this year, and revealed that the most recent campaign was a financial bust for the malicious actors.

A nationwide wave of bomb threat emails demanding a bitcoin payment to halt the explosion was received by schools, government agencies and private organizations yesterday. In no case was an explosive device found or detonated. Talos believes what took place was conducted by the same group that has been conducting sextortion scams over the last three months.

Jaeson Schultz, Cisco Talos technical leader, noted there are many similarities between the bomb threat emails and the sextortion/extortion attacks Cisco Talos has monitored previously. Some of the subject headers used in the bomb threats, including “You’re my victim” and “Your life in your hands”, were previously used in the sextortion emails. Additionally, the written text of the two is similar, and when the IP addresses behind the bomb threats were studied, messages from early October that were from a sextortion attack were found.

“For that reason, we believe that these bomb threats likely come from a group that has also conducted sextortion attacks. The group does not have a specific name to our knowledge,” he told SC Media.

One of the bomb threat emails.

It also appears the entire effort was a financial bust, as Talos found 17 distinct bitcoin addresses used with the bomb threats. Only two had a positive balance, due to deposits made on December 13, and in each case the amount was less than a dollar.

Talos researchers also believe the attackers compromised credentials for a specific website from which they launched the emails.

“So far, all of the samples Talos have found to be associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company reg.ru, suggesting that the attackers, in this case, may have compromised credentials for domains that are hosted at this particular domain registrar,” the Talos report said.

While Talos did find the details behind the campaign, the amateurish delivery gave it away as nothing more than a poor attempt at extortion from the start.

AppRiver researchers first saw these emails on December 13. “In these emails, the senders inform recipients that their ‘recruited mercenary’ has placed an explosive device inside their building which they plan to detonate unless a Bitcoin payment in the amount of $20,000 is made to the BTC address provided in the message,” AppRiver told SC Media in an email.

“This spam campaign is pure extortion, plain and simple. It’s not very advanced and doesn’t require much social engineering or any hacking whatsoever,” said Paul Bischoff, privacy advocate with Comparitech.com. “In fact, it seems very poorly thought out if the aim was actually to make someone pay up. Even though bomb threats are scary, this is amateur scamming.”

The emails caused evacuations and searches by local law enforcement, which have not turned up any explosive devices. The FBI and local police agencies are reporting that they do not consider the threats credible.