- Experts observed two sextortion campaigns relying on the notorious Necurs botnet.
- The scammers are targeting victims whose data has previously been leaked.
Two new sextortion campaigns being distributed via the notorious Necurs botnet have recently been identified by security experts. The scammers behind these campaigns are targeting victims whose data has previously been leaked.
The scammers claim to possess compromising videos of the victim, which they threaten to release unless the victims pay up, in this case, in the form of bitcoins. The scammers also include the victims’ compromised passwords in their sextortion emails, in an attempt to legitimize their claims.
According to security researchers at Cisco Talos, the first campaign began on August 30 and the second on October 5. However, both campaigns are currently ongoing. Researchers discovered that the IP addresses distributing the scam emails came primarily from five nations - Vietnam, Russia, India, Indonesia, and Kazakhstan.
“If some of these countries seem familiar, that may be because India and Vietnam were previously identified as having exceedingly large numbers of machines that are infected with the Necurs botnet, a well-known distributor of many pieces of malware,” Cisco Talos researchers said. “Despite sending more than 233,000 email messages as part of these campaigns, the number of unique recipients was actually fairly low. Talos found only 15,826 distinct victim email addresses. This means that the attackers were sending an average of almost 15 sextortion spam messages per recipient. One unlucky victim from our dataset was contacted a staggering 354 times.”
The scammers have been demanding payments between $1,000 and $7,000. Researchers discovered 58,611 different bitcoin wallets associated with two scams. However, only 83 of these wallets had positive balances. Unfortunately, the scammerrs have already raked in over $145,000 in bitcoins.
“If you look at the number of unique bitcoin wallets and unique victim email addresses seen over time, you can see that the attackers periodically inject their ongoing campaign with fresh data. The number of unique bitcoin wallets tends to peak and then reduce over time, until it peaks again, with another fresh batch of attacker-generated bitcoin wallets,” the researchers said.
“When these kinds of spam campaigns make it into users' email inboxes, many of them may not be educated enough to identify that it's a scam designed to make them give away their bitcoins,” the researchers added. “Unfortunately, it is clear from the large amount of bitcoin these actors secured that there is still a long way to go in terms of educating potential victims.”