X-Labs
August 21, 2017

Adult dating scammers expand to Faketortion, target Australia and France

Roland Dela Paz, Security Researcher

Recently, Forcepoint Security Labs encountered a strain of scam emails that attempts to extort money from users in Australia and France, among other countries. Cyber-extortion is a prevalent cybercrime tactic today, in which the digital assets of users and organizations are held hostage in order to extract money from the victims. Largely this takes the form of ransomware, although data exposure threats (i.e. blackmail) continue to gain popularity among cyber crooks.

In light of this trend, we have observed an email campaign that claims to have stolen sensitive information from recipients and demands a payment of 320 USD in Bitcoin. Below is an example of one of the emails used:

The campaign is active as of this writing. It is using multiple email subjects including but not limited to:

  • “{Three random letters}: [{recipient email}]  {date and time} Соnсеrning оur yestеrday's соnvеrsаtion”
  • “{Three random letters}: [{recipient email}]  {date and time} I havе sоmеthing that can mаке yоur lifе wоrse”
  • “{Three random letters}: [{recipient email}]  {date and time} I would not liкe tо start our knоwingaсquаintаnсе with this”
  • “{Three random letters}: [{recipient email}]  {date and time} I'm not hаpрy with yоur behаvior lately”
  • “{Three random letters}: [{recipient email}]  {date and time} Dont yоu thinк thаt your deviсе wоrкs wеird?”
  • “{Three random letters}: [{recipient email}]  {date and time} I think thаt it is not as funny for you as it is funny for mе”
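Two tells are visible in the subjects above: a fixed `XXX: [recipient address]  date/time` prefix, and English words in which some Latin letters have been replaced with Cyrillic look-alikes (a common trick for slipping past keyword filters). The following Python check is an added example, not code from the original post or from Forcepoint: it flags a subject on either tell, and matches a sender's domain against the spam domains from the post's IoC list. The sample subject and sender addresses are constructed here; the Cyrillic letters in the sample are written as escapes so the substitution is explicit.

```python
import re
import unicodedata

# Subject shape used by the campaign: three letters, colon, the recipient's
# address in square brackets, a date/time, then the lure text.
SUBJECT_SHAPE = re.compile(r"^[A-Za-z]{3}: \[[^\]\s]+@[^\]\s]+\]\s+\S.*")

# Spam domains copied from the post's IoC list (defanged there, refanged below).
SPAM_DOMAINS_DEFANGED = [
    "playpokemongo[.]top", "schelkino[.]top", "giroscooters[.]top",
    "younggirlphotos[.]xyz", "softdownloader[.]xyz", "likepro[.]xyz",
    "pornostul[.]xyz", "pornoperiscop[.]xyz", "poskidke[.]xyz",
    "letsplayonline[.]xyz", "kinohdonline[.]xyz", "podeshevle[.]xyz",
    "deshevka[.]xyz", "dotview[.]xyz", "visacenter[.]top", "accstore[.]top",
    "lentaua[.]com", "budmastera[.]com", "masterka[.]org",
    "airport-tashkent[.]com", "abdyl[.]net",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable, lower-cased form."""
    return indicator.replace("[.]", ".").replace("[@]", "@").lower()


SPAM_DOMAINS = {refang(d) for d in SPAM_DOMAINS_DEFANGED}


def script_of(ch: str) -> str:
    """Classify a letter by the prefix of its Unicode name: Latin, Cyrillic or Other."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def mixed_script_words(text: str) -> list:
    """Words containing both Latin and Cyrillic letters: the homoglyph tell."""
    hits = []
    for word in text.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        if {"Latin", "Cyrillic"} <= scripts:
            hits.append(word)
    return hits


def classify_subject(subject: str) -> dict:
    """Return the evidence found in a subject line plus an overall verdict."""
    shape = bool(SUBJECT_SHAPE.match(subject))
    mixed = mixed_script_words(subject)
    return {
        "campaign_shape": shape,
        "mixed_script_words": mixed,
        "suspicious": shape or bool(mixed),
    }


def sender_domain_listed(from_addr: str) -> bool:
    """True if the sender's domain is one of the post's spam domains."""
    domain = from_addr.rsplit("@", 1)[-1].strip().lower()
    return domain in SPAM_DOMAINS


# Constructed samples (not real mail). The first mimics the post's first
# subject: "Concerning our yesterday's conversation" with Cyrillic Es, o, es,
# ie and a standing in for the look-alike Latin letters.
SAMPLE_SUBJECTS = [
    "QXZ: [alice@example.com]  2017-08-15 09:12 "
    "\u0421\u043en\u0441\u0435rning \u043eur yest\u0435rday's "
    "\u0441\u043env\u0435rs\u0430tion",
    "Weekly status report",
]

if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(classify_subject(subj))
    print(sender_domain_listed("promo@LIKEPRO.xyz"))
```

The mixed-script check is deliberately per word rather than per subject: a legitimate bilingual subject can mix scripts across words, but a single word that switches between Latin and Cyrillic letters is almost always a substitution.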

The scale of this campaign suggests that the threat is ultimately empty: between August 11 and 18, over 33,500 related emails were captured by our systems.

While no threat can be completely discounted, the compromise of personal information for this many individuals would constitute a significant breach of one or more websites, yet no activity of this nature has been reported or identified in recent weeks. Furthermore, if the actors did indeed possess personal details of the recipients, it seems likely they would have included elements (e.g. name, address, or date of birth) in more targeted threat emails in order to increase their credibility. This led us to believe that these are simply fake extortion emails. We ended up calling it "faketortion."

The spam domains used were also observed sending out adult dating scams. Below is a sample adult dating email from the same domain as above:

The following graph shows the email volume and type of campaign per day, peaking on August 15th, when roughly 16,000 faketortion emails were observed:

The top-level domains of the campaign's recipients show that the threat actors' targets were mainly Australia and France, although US, UK, and UAE TLDs were also present:

Protection Statement

Forcepoint customers are protected against this threat via Forcepoint Cloud and Network Security, which includes the Advanced Classification Engine (ACE) as part of e-mail, web and NGFW security products. 

Protection is in place at the following stages of attack:

Stage 2 (Lure) - E-mails associated with this campaign are identified and blocked.

Conclusion

Cyber-blackmail continues to prove itself an effective tactic for cybercriminals to cash out on their malicious operations. In this case, it appears that a threat actor group originally involved in adult dating scams has expanded its operations to cyber extortion campaigns as a result of this trend.

Meanwhile, we have observed that the company emails of individuals were specifically targeted. This adds pressure on would-be victims, since it implies that the recipient's work PC was infected and may therefore taint their professional image. It is important for users to verify claims from the Internet before acting on them. Most online attacks today require a user's mistake (i.e. falling for false claims) before they actually become a threat. By addressing this human point of weakness, such threats can be neutralized and mitigated.

The Australian National University has issued a warning on this campaign.

Indicators of Compromise

Malicious Registrant

revgenich[@]yandex[.]ua

Spam Domains

playpokemongo[.]top
schelkino[.]top
giroscooters[.]top
younggirlphotos[.]xyz
softdownloader[.]xyz
likepro[.]xyz
pornostul[.]xyz
pornoperiscop[.]xyz
poskidke[.]xyz
letsplayonline[.]xyz
kinohdonline[.]xyz
podeshevle[.]xyz
deshevka[.]xyz
dotview[.]xyz
visacenter[.]top
accstore[.]top
lentaua[.]com
budmastera[.]com
masterka[.]org
airport-tashkent[.]com
abdyl[.]net

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.