On Thursday, from New York to San Francisco, businesses, universities and news agencies across the country received emails trying to extort bitcoin from them to prevent the release of videos of a compromising sexual nature. Often in such cases, people want to keep the situation quiet to avoid embarrassment. But this attack was broadcast to the world because the attackers attached bomb threats to their ransom messages.
In every threatened city across the country, police had no choice but to respond to the threats. Ultimately, they discovered there were no bombs anywhere. And it turned out the threats of extortion videos were fake as well. But all’s well did not end well because the wasted time, cost and effort extended by law enforcement and investigators was tremendous. This result may in fact have been the attacker’s goal in the first place.
Similar extortion attacks occurred earlier this year in Europe, also threatening victims with bombs or with “sextortion” – demanding ransom to avoid release of sex videos. Those threats also turned out to be fake. In May, over 400 schools in the UK received bomb threat emails. Authorities determined all these attacks were phony, but the schools were thrown into a tailspin in the process. In that case as well, it appears the mass disruption may have been the attackers’ objective.
An example of the type of emails used in Thursday’s attack is below. It’s not known who sent the emails, although some appear to have come from the same servers as the European emails sent earlier this year. The week’s senders demanded $20,000 in hard-to-track bitcoin, claiming that a “recruited mercenary” had been hired to plant bombs in buildings that would be detonated if the money wasn’t paid.
Fortunately, no bombs were found but only after many hours were expended searching and time wasted by evacuations and other disruptions.
An FBI statement said, "We are aware of the recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance. As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety."
Other law enforcement agencies also confirmed the threats were hoaxes, including New York Police Department Counterterrorism Bureau, and agencies from Raleigh to Chicago to San Francisco and dozens of other cities affected by these fake threats.
It’s hard to know if any money was made by the hacker’s ransom requests, but the hackers would consider the effort worthwhile if they receive even just one payment. And, it appears they consider the disruption itself worth their effort.
Atiq Raza, CEO of Virsec, a cybersecurity firm based in San Jose, California, says:
”Attacks such as this are no-brainers for cybercriminals because they are so cheap. Sending the same email to tens of thousands of people costs almost nothing and if just one pays, it's been worth it. The ease with which an attacker can craft such a large-scale disruption has ignited concern. While these Bitcoin demands seem over the top, the disruption can cost millions in police time alone, and the potential for this to escalate with copycats is always alarming."
Atiq continues, “As new extortion ideas get out there, the potential for serious, targeted attacks on high-value cyber-targets will only increase. It could be that more will come because cybercriminals are lazy and copycat attacks pop up very quickly. I expect this to pick up over the next year. Once people figure out that this is a way to extort money, they will use it.”
Read full Hoax bomb threat cyber extortion email article.
Read full Extortion email causes widespread panic article.