SpiderLabs Blog

Spam Masters of Extortion, Illusion and Evasion

Written by Dr. Fahim Abbasi | Jan 21, 2019 3:13:00 PM

In 2018 we saw a rise in sextortion scams in which cyber-criminals notified their victims via email that they have hacked or infected the victim’s computer with malware. Or the perpetrators had procured evidence in the form of personal recordings of the victim performing sexual acts or having illegal files of sexual content on their computer. The scammers then threatened to publicly expose the victim unless a ransom demand is paid in cryptocurrency (bitcoin) within a given time. The scammers used spam template randomization to automatically change subject and sentences in the body of the message and hence created several permutations of the extortion message to evade detection.

We observed the evolution of these messages throughout the year from January till December, as the scammers attempted multiple campaigns throughout the year. The early extortion messages in Q1 of 2018 were short and simple messages that used poor English. Since then the subsequent waves of sextortion messages used complex permutations of the original message to evade email filters. Initial messages were plain text after which HTML messages started to make rounds, hence this cat and mouse game continued for Q2 and Q3 of 2018. In the last quarter of 2018 the scammers scaled up in both obfuscation and distribution leading to waves of highly obfuscated sextortion emails sent out en masse via big spam botnets. This was followed by a change in extortion theme from extortion via bogus bomb threats to extortion via exposing a cheating partner threat.

Sextortion message common themes:

  • In one of the campaigns stolen email credentials were used to send out convincing extortion emails. The scammers used the additional lure of hacking the victim’s computer and using its webcam to record compromising videos of sexual nature of the victim, with an extortion note that the videos would be released to the victim’s contacts unless the ransom was paid into a bitcoin address/account.
  • Email account credentials previously harvested from existing password dumps of compromised accounts were weaponized to gain a psychological advantage over the victim. Victim’s username and password displayed in both the subject line and message body.
  • Victim threatened not to contact the police.
  • Victim informed of a tracking pixel placed in the message that informs the scammer that the email message has been read.
  • Bitcoin addresses were used to ask for ransom. Monitoring these bitcoin addresses via the Bitref service revealed that several transactions were made to these addresses. Some recent accounts that were distributed in December 2018 are shown here:

    • 1HjeDCAaEdd5JRDPHVgmLsCC7DsyHhYwM1:
      • Transactions: 21
      • Balance: 3.14 bitcoins
    • 1292tZj4921PqE1ikjd4m5hmZd4RuVzdpF
      • Transactions: 4
      • Balance: 0.67 bitcoins
    • 1MbdGY1LVr6gEjyN3Rok5HQDQcjWbYmLds
      • Transactions:5
      • Balance: 0.4 bitcoins
    • 182PJESsEWbuJ8PEgfM58p64jbok3i1gNU
      • Transactions: 32
      • Balance: 4.7 bitcoins
    • November BTC address: 1B1Vov1LTLGLcVG3ycPQhQLe81V67FZpMZ
      • Transactions: 18
      • Balance: 1.95
    • The messages were simple but written in poor English.
    • Scammers distributed these messages in multiple campaigns with varying volume across the year. Some of these messages were also sent out using big spam botnets

Screenshots of these sextortion emails can be seen here:



Header Analysis

Analyzing these extortion spam campaigns, it becomes evident that they are independent campaigns carried out across different time intervals with varying configurations. Majority of the campaigns used spoofed email addresses in the header From field, while for some campaigns the scammers used free webmail services like Outlook, Yahoo and others to send the spam messages. Russian email providers like mail.ru were also used. Subject randomization was mostly used as part of the spam template and often catchy subjects were used to lure the victim to open the message including subjects containing the victim’s account credentials.

Obfuscation used by Scammers:

We observed waves of these sextortion messages throughout the year, however, in the last quarter of 2018 Cybercriminals distributed advanced obfuscated sextortion messages in a spray and pray fashion over several intermittent weeks in an attempt to evade detection. The obfuscaton used by some of these messages is discussed here:

Obfuscated HTML and plain text

In first week of November 2018 we observed a new wave of sextortion messages spammed out at mass via a spam botnet. The message bodies were base64 encoded as shown in figure and contained both a base64 encoded plaintext part as well as a base64 encoded HTML part.

After decoding the plaintext message and viewing the raw data we observe that random characters appear between characters within a word of the message.

Moving on to the HTML part of the message, note the message is legible when loaded in a mail client like Thunderbird.

However, when we highlight the message with the mouse we can see random characters intermittently appended to the message for obfuscation and evasion.

Next, we analyzed the HTML of the message and discovered some interesting obfuscation tactics. The HTML part of the message uses a combination of (a) character insertion within the characters of a word as well as (b) character insertions between words.

We observed that the scammers inserted the zero-width non-joiner (ZWNJ) character, which is a non-printing character, inserted randomly and intermittently between the characters of the word. It can be seen in the image as the string “&#8204”. For the characters inserted between words, the scammers use the oldest trick in the illusionist’s handbook i.e. to insert white colored characters. On a white background these ghost characters are not visualized to the naked eye, however, on highlighting the text of the message using the mouse one can see the random characters visible. The HTML code is shown below. The highlighted message showing the hidden/ghost characters is shown above. The message is crafted using this method to evade detection by various text detection algorithms.

The visibility of these characters also varies with mail clients. MS outlook for example does not show these hidden characters even after highlighting the message.

Obfuscation via simple character insertion

In yet another campaign the attackers used an intermittent character insertion technique, where they inserted the characters “=9D” intermittently between the letters within a word of the message. Note is that these messages were encoded with the windows-1256 character set. Looking up the windows-1256 table for the code ‘9D’ we find that this is yet again the zero width non-joiner (ZWNJ) character. This is the reason why the mail client, even after loading the message,doesn’t show the hidden characters as they are rendered as a non-printable character between the words.

Using such encodings there are a multitude of encoding possibilities for the scammers to use to evade detection by text detection algorithms.

Notice the ascii characters ‘=9D’ visible intermittently between characters

Bogus Bomb Ransom Threats

In December 2018 we observed a variation in the extortion message. This time the scammers resorted to yet another explosive theme, i.e. literally a bomb threats with a ransom demand. The scam message starts with a description of an explosive device that the scammer planted in the building of the victim’s place of work or business and the scammer threatens to detonate the device unless a ransom is paid. The ransom as expected is demanded in bitcoin.  The scammers used spam template randomization to automatically change subject and sentences in the body of the message and overall the English used was poor. The overall message flow follows a similar template to the sextortion messages and there are reports of the same bitcoin account used in one instance. A screenshot of one such bogus bomb extortion message is shown below:

These bogus bomb extortion message caused some consternation, even making headline news in some countries, but at the end of day, it was just a variation on the theme the scammers have been running for months.

Cheating scam

Another recent variation of the extortion scam was witnessed in December 2018. This time the scammers ran with the ‘cheating on your partner’ theme, where the victim is blackmailed into sending extortion money otherwise their loved ones would receive photos of the victim’s affair.

Conclusion

Scammers utilize a myriad of techniques to scam their victims. For these extortion campaigns they resorted to play upon human psychology by threatening their victims using fear of public shame as a tool. The threats involve the release of victim’s private videos of sexual nature. The scam looks convincing as the scammers send the victims their passwords with a message that they hacked the victim’s computer.

These scam messages were distributed via a mix of sources, where some of them were distributed en mass via big spam botnets. The scammers used spam template randomization to automatically change subject and sentences in the body of the message, hence creating numerous permutations. These messages are distributed in a spray and pray fashion in hopes that vulnerable victims would fall prey to the scam and pay the scammers via bitcoin. Monitoring the bitcoin wallets and addresses one can see that several transactions are made over a period, making it fruitful for the scammers. Advanced obfuscation methods are now being employed by the scammers to evade email scam detection filters. Newer themes for extortion are continually being pushed out in hopes for lucrative returns.

The Trustwave Secure Email Gateway successfully detects and blocks such messages at the gateway. We advise customers to keep their system updated with the latest threat mitigation and educate employees to detect such scams and do not respond to them or transfer any money.