“$20,000 is the price for your life and business.” So read the December 13th spam email from criminals trying to extort money from millions of businesses around the world. As of this writing, they have not been successful in getting any money, according to experts following the scam. But this does not mean that the attackers have not had any impact. In fact, they may have inadvertently exposed a weakness which they or others can exploit in the future.
When the scam first appeared, it caused panic among a number of businesses and organizations. Police bomb squads were called out, government buildings, businesses and hospitals were evacuated, and some schools were closed. Transportation in a number of cities was disrupted.
Detroit District Court Building Evacuated
The panic was felt in every large city across the US and was severe enough for police departments to issue statements over Twitter to calm people down.
Make no mistake about it. The criminals never intended for this to happen. This unsophisticated scam was only designed to make some money, and though it failed in this respect, it showed them that they had a powerful tool in their arsenal if they were clever enough to learn how to use it.
Cisco Talos has linked the bomb threat scam to the same people behind the successful sextortion scam, which told victims that the scammers had compromising videos of them visiting porn sites. The scammers threatened to expose them to friends and colleagues if they were not sent money in Bitcoin.
I reported on this scam when it first appeared in Australia and spread to the Middle East. I expected, at that time, that it would eventually appear in the US and become more sophisticated. It did. In its latest incarnation, the sextortion scammers actually target individuals whose passwords they claim to have. In fact, they may really have these passwords, but it doesn’t mean that they also have incriminating videos. They just want to make their scam look more authentic.
But, you might rightly ask, how did they manage to get the email addresses and passwords for this scam? The fact is that email addresses are pretty easy to get. Marketers get them all the time and hackers often release their hacked databases. Passwords are a different story. They can also be dumped but usually some payment is required. There is, however, one place on the deep web that offers a searchable password database. You type in the email address or username, and they will give you the password. I mention this because my email was listed among the 1.4 billion. It was, however, a password that I used over 10 years ago.
I also tested some emails from the DNC hack and the John Brennan hack, since these are readily available. Sure enough, I found several passwords of high profile people. Hopefully, they have changed their passwords. However, even if they did, wouldn’t they think twice about getting an extortion email from someone who had a valid password, even if it was outdated? The scammers sure hope so.
In my opinion, the bomb extortion scammers did not expect and did not want to create the havoc that they did. People who are scammed are often afraid to report the scam that tricked them because they are afraid of looking stupid. This is what scammers want. They want the money with no attendant problems. They would prefer not to draw attention to themselves and, by extension, the attention of law enforcement agencies. To prove my point, Cisco Talos has reported that the scammers have shifted from bombstortion back to threatening to harm individuals. Victims must now pay to avoid having acid thrown in their faces. Nice guys.
But the damage has been done. Closing down organizations and misleading police and fire departments can lead to real problems. While the police are responding to fake bomb threats, other criminal investigations may have to be put on the back burner. Organizations lose money for the time it takes the bomb squads to scour their buildings and declare them safe. Vital infrastructure can be disrupted. What if the bomb threat were received by an airport?
The bad news is that this scam could serve as a proof of concept for those who would like to do harm to the US or any country. Bomb threats arriving with legitimate credentials at multiple email accounts at the same time could give the appearance of an organized attack. Targeted attacks on vital infrastructure could be particularly disruptive. The false attacks themselves could distract from a real attack that may be planned. In short, Pandora’s Box has been opened.
The bombstortion attacks ask for money and, as such, give themselves away. They can be dismissed as scams and nothing more. However, if you were responsible for running a large organization, could you ignore a bomb threat if no money was mentioned? You may think that the threat had a 90% chance of being fake, but could you take that risk? That’s what’s so disconcerting about this current scam. It showed those with malevolent intentions just what can be done with a bit of manipulation.
So, it’s quite possible that the bomb extortion scam has come to an end, but it just may have introduced something a bit more serious.