June 26, 2014

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

An extortion letter sent to 900 Degrees Neapolitan Pizzeria in New Hampshire.

At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.

The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.

The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.

Interestingly, all three letters I could find that were posted online so far targeted pizza stores. At least two of them were mailed from Orlando, Florida.

The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.

“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.

Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.

“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”

Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.

“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector..that stuff works and isn’t hard to do.”

While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.

“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”

It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints — Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000).

Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.

“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just throw the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”

A GREAT CRIME FOR CRIMINALS

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.

Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptlocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.

Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up.  Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.

The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.

A HIDDEN CRIME

Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.

Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.

“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.

Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.

Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.

But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out in within the United States, the ICSI’s Weaver said.

“Bitcoin is their best available tool if in they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”


64 thoughts on “2014: The Year Extortion Went Mainstream

    1. TheOreganoRouter.onion.it

      A lot of spammers also live in the Sunshine State

    2. George G

      Many Russians with money spend a lot of time in Florida.

  1. Eric

    The thing I don’t get are the BitCoin fanboys who think that BitCoin is a good idea for anything except for crime.

    1. reader

      “At the same time, it is said that the rightful role of government
      is to hold a monopoly on the use of force. Is it possible that in
      a fully digital world it will come to pass that everyone can see
      what once only a Director of National Intelligence could see? Might
      a monopoly of force resting solely with government become harder
      to maintain as the technology that bulwarks such a monopoly becomes
      democratized ever faster? Might reserving force to government
      become itself an anachronism? That is almost surely not something
      to hope for, even for those of us who agree with Thomas Jefferson
      that the government that governs best is the government that governs
      least. If knowledge is power, then increasing the store of knowledge
      must increase the store of power; increasing the rate of knowlege
      acquisition must increase the rate of power growth. All power tends
      to corrupt, and absolute power corrupts absolutely,[LA] so sending
      vast amounts of knowledge upstream will corrupt absolutely, regardless
      of whether the data sources are reimbursed with some pittance of
      convenience. Every tax system in the world has proven this time
      and again with money. We are about to prove it again with data,
      which has become a better store of value than fiat currency in any
      case.” geer.rsa.28ii14.txt

      Bitcoin is a way to store value. Is that now a crime?

      1. JCitizen

        I think you answered your own question with your eloquent observations about modern power. Bitcoin end-runs around established power bases. This cannot be withstood by the power brokers, they will hope it collapses. The fact that two bit hoods use it, does not bother me, but I’m sure terrorism is keeping an eye on it. I’m still not wanting to regulate it. We all accept some risk in life – freedom is risky – we need to buck up , and realize that- suck it up and drive on!

    2. Louis

      I think we should pay our taxes in Bitcoin, because ever coin has a unique identifier we can track where each individual Bitcoin goes, thus find out exactly where out tax money is spent.

    3. MoneyMatters

      You do know this site accepts donations in Bitcoin ?

      The crime element is human, not in the things humans create.

  2. SG

    CryptoLocker reminds me …

    Towards the end of last year I paid to get the Premium edition of CryptoPrevent to have automatic updates.
    Despite two follow-up emails I never received anything to enable automatic updates.

    1. Hans

      SG, I have had only a single update and would warn anyone
      against buying this service.

      I wasted $20.oo from this dink.

      1. JCitizen

        Have you complained to bleepingcomputer.com? I’d think they would be interested to hear that. Were’nt they promoting that service? Maybe I’m getting confused with another utility?!

    2. Ray

      The updates are automatic in the back round.
      I’ve posted questions and comments on Nicks site and he gets back to me quickly.

      1. SG

        I guess you are one of the lucky ones, Ray, since you get responses.

        1. I wrote to the author twice – never got a response.

        2. My laptop is still at version 4.3

        3. I just checked my desktop. It has the latest version, but this change is quite new. Certainly was not there for quite a while after June 15, the announcement date of the current version.

        4. Apparently the update requires me to restart the machine. That fact was not communicated to me until I just checked CryptoPrevent on my desktop.
        Since the update does not take effect until one restarts the machine I would have still been without updated protection had I not seen your comment and went to check the version.

        5. Excuse the ignorance, but what the heck is “back round”? Did you mean background?

        As you might guess, I am still not a happy camper.

      2. Ray

        Try posting on his web site. When you do that the replies come quickly because he monitors that pretty regularly.
        He’s answered every question I asked. Even the dumb ones. 🙂

  3. meh

    The USPS does not take extortion seriously.. I get extorted about once a week… “Pay this much or we shut off the water”..

  4. PC.Tech

    “Old-fashioned” backups to an external HD or a CD/RW disk still work fine… even though they’re a PITA.

    .

    1. uyjulian

      Don’t mount your drives to something like A: B: C: etc

      Use a ftp/other browser that does not mount your drives

    2. Ben Dover

      Apparently, not for the IRS or EPA. /eyeroll

  5. Jeff

    Lets see. The Marshall service is supposed to auction off the Silk Road’s bitcoins tomorrow, 6/27. So, It is about time to shut the digital currencies down I suppose.

    1. Chriz

      Interesting: You need a 200k deposit to bid. More than 19M$ in bit coins

  6. Network Geek

    Bitcoin is anonymous, yes – so paying this extortion demand is probably the best way to kiss your money goodbye forever, and have no hope of catching the criminal.
    BUT –
    by *not* paying the demand, the perpetrator now has to engage in other activities that ARENT anonymous. Nearly everything in the list on the paper can be traced in some way. Phone calls can be traced, Recent reports of people engaged in ‘swatting’ and getting caught are encouraging. ‘Anonymous’ reports are rarely really anonymous, and can still be traced. Vandalism isn’t even a credible threat – Who’s going to drive from Florida to New Hampshire to spray paint on a the wall of some no-name pizzeria? What isn’t outright bluffing is either non-credible threats or traceable enough to be avoided like the plague by any smart criminals (not saying these guys are smart, they’ll probably get caught soon enough).
    My advice? Don’t pay. Make them come out into the daylight, and expose themselves.

    1. Kaneda

      While not paying is definitely the only reasonable decision for the victim here, bitcoins are anonymous only as long as you don’t need to cash out. But criminals will cash out eventually, won’t they.

    2. IA Eng

      Ohhhhhhh he said expose themselves. In broad daylight?

      What happens if the crooks, or the poor saps they hire are extremely overweight and perform that act in the front of, or near the corner of the store as people approach it? A new form of social engineering tactic. Takes the desire to eat at the establishment away quite quickly.

    3. How?

      Exactly how would the action items on the extortion letter be traceable? Is there some way to ID someone who posts negative reviews, or trace calls (harassing, fraudulent delivery orders, or bomb threats) made from a pre-paid burner cell? While I agree paying is not the best answer, the business could suffer significant losses due to online reputation degradation.

      1. george

        Mikko Hypponen said that they probably create a separate wallet for each victim. Creating a Bitcoin wallet is free.

      2. george

        @How?
        Sorry, I misunderstood your question about traceability.

  7. Bryan B

    I’m guessing the perps handled the letters and licked the envelopes.

    DNA & fingerprints, anyone?

    1. theadder

      You might be shocked to know there are adhesive envelopes on the market that do not require saliva.

  8. george

    It’s probably a turning point for this type of crime, if enough people will pay, it will encourage the perpetrators and copycats to fan-out more. They may even decided to enact some threats to some of the people who did not pay and let the rumors spread to determine more victims to pay. This is a test run, if no-one will pay it will fizz-out quickly.
    Please, please, please do not pay a dime to those scumbags.

  9. Bill from Lavaboom

    @george is right. If nobody pays it wont kick off – these letters will keep getting sent only if they work and I doubt they’ll actually follow through on their threats.

  10. Stephen H

    The problem with paying, even if you’re sure it’ll save your business/data, is that you are confirming that you will pay. That is what all victims of extortion have learned – the first time is only the opening bid.

    By paying, you are telling the extortioner that you can afford to pay that amount – and they figure you can probably afford more. Perhaps a monthly “insurance” charge? Or maybe the extortioner will only hit you once a year – for an ever-increasing amount? You don’t know – all you can be certain of is that there is no reason at all for the extortioner to walk away from a paying “customer”.

  11. constructii case iasi

    What’s up i am kavin, its my first time to commenting anywhere, when i read this
    piece of writing i thought i could also make comment due to this good paragraph.

  12. OKCarl

    Crime sprees on the internet might be a symptom of a too high unemployment rate among programmers and web designers. Maybe we should survey the work place and then maybe cut back on the number of training programs.

    While I’m on the subject- when are we going to bring an end to the H 1 B Visa?

    1. IA Eng

      You’re assuming that these guys doing the extortion are IT professionals. Maybe they are, but maybe they are not. The IT work force is a pretty solid area to work in, and though I cannot tell you what the unemployment rate is for these type of people, it shouldn’t have anything to do with training programs.

      We? All that is easier said that done. Surveys typically are dated, and by the time the data is processed, years have passed and so has the validity of the data within. Talk about a waste of time and effort. Plus, no one is quick to move on the data, as people balk on trends, unless its in marketing where trends are a welcomed sight.

      If you look at the extortion examples, most can be accomplished by the script kiddies or anyone that has motivation. It doesn’t take much to put in a complaint, or write a bad review. Furthermore, these thugs can probably pay some one to do their dirty work.

      Hummmm I wonder if someone rented the Godfather movie and decided to become a modern-day Jimmy Hoffa.

  13. IA Eng

    Bryan B may have hit it on the head. But, more than likely they have an area to concentrate on.

    Hehehe. These crooks are absolutely asking to be caught. I wont go into much details, but just by poking the USPS Marshalls, these crooks better be afraid, very afraid. Anything that can tie a person to anything tangible is just enough to make this an easy task. All it takes is the motivation of the right organizations / agencies and they will coordinate efforts. These crooks will be wearing orange and be will be examples of what will happen to crooks that think they can try this sort of…..stuff.

  14. mbi

    With such large amounts at stake organized crime is or going to get involved so this may just be the tip of the ice berg. What is being threatened in the pizza extortion involves the companies presence on the Internet. This is where new laws and procedures need to be established to slow its effectiveness. Anonymity is at the crux of these extortions and if its no longer possible it will slow. The Nokia breach and payment strikes me as more the plain vanilla variety that is best left with the police.

  15. EJ

    Anonymity fuels this evil. Remove it and it reduces greatly.

  16. Brooke Bertling

    BitCoin is amazing for things other than criminal behavior. It takes monetary control away from the central banks and all the power and corruption that come with it. It gets bad press and likely all sorts of bad hacking behavior that goes with making the guys with loads of money, influence and greed who currently control the money. BitCoin is decentralized banking where in theory, nobody can take your money. It has some value, perceived by the community, but that’s more than what our fiat currency is worth today. Think about it for a while, then start up your coinbase acct!!!!

    1. BiteMyCoin

      bitcoin: the modern day fool’s gold

      lol. just keep mining for bitcoin in them thar hills. lol

    2. Neej

      In theory no one can take your money …

      Agreed but is it just me and gool ol’ confirmation bias (which I think more than likely) or do people who own Bitcoins lose it a hell of a lot. Not just talking about exchanges and online wallets but people simply losing their wallets through carelessness or data loss.

  17. Brooke Bertling

    Should have read that it makes the guys with money angry and upset! I’m willing to bet lots of the bad bitcoin press/hacks are funded by bankers!

  18. Joe Dirt

    Extortion only came around when bitcoin was invented?

    1. A guy on the Internet

      It went MAINSTREAM with Bitcoin. Of course it was around before Bitcoin.

  19. AndamanMan

    Calling this now: this is part of a government effort to inflate the popular perception of danger from cybercriminals in order to justify increased investigative powers by the police. Why would a criminal with enough sense to orchestrate such an operation target such small businesses and demand so little money?

    1. BrianKrebs Post author

      You think because they’re not asking for the moon that it’s not real? Look at the extortion scams with Cryptolocker or Cryptowall, when they have multiple computers or servers inside of an organization that is basically on its knees: They ask in most cases for just $1000 to get their files back, when some organizations probably would be willing to pay well north of that to get on with their business. The thieves have to strike a balance between greed and realism, and that’s how they come to the price.

      1. Lefty

        I don’t disagree in the least. But, at some point, folks just aren’t going to put up with this nonsense. If I’m a small business guy, I just make it public. USPS scans all first class mail. These folks don’t seem sophisticated enough to use a mail forwarder, the TOR of USPS.

    2. E.M.H.

      Because they’re small businesses and wouldn’t garner the attention that extorting AT&T or General Electric for seven figures would be. And also because the possibility of it actually working against a small business – who wouldn’t have the lawyers, financial reserves, and other resources that a large corporation would have – would be higher. A large corporation can easily counter negative rumor mongering, and probably already does for reasons other than extortion (i.e. they’re unpopular). And would have the money to deal with it too. A small restaurant? Those likely have never even faced such a problem before and certainly would be at least as strapped in fighting it as submitting to it.

      Extortion of small businesses has been a problem for such a long time now that these internet crimes are merely recent faces put onto an old crime. Hasn’t anyone nowadays heard of the mob organized “protection rackets” from the 1920s? That trope was so pervasive it made it into cinema (“Nice business you have here. Shame if anything ever happens to it…”).

      Claiming this is government orchestrated is ignoring history in multiple ways. This stuff’s been happening for a long time now; anyone in the IT field remember this paper: http://iacis.org/iis/2006/Paulson_Weber.pdf

      It’s muddle-headed thinking to make the claim that it’s not real.

      1. george

        In a big organization you probably cannot even buy a box of paperclips before the supplier is listed on the agreed vendors list.
        Before getting on that list a bunch of people have to evaluate that new supplier. Good luck getting the extortioner on the list (although it worked somehow in Nokia case). Only the small business owners have the flexibility to submit to those scams (although they obviously shouldn’t)

      2. CooolAC

        Very True, encrypting someones data and holding it for ransom has been common in Russia for years….. This is not a new phenomenon since bitcoin, imo, But Only a new to the USA maybe for those reasons, maybe because sites like paypal are not an option anymore. But then again, isn’t it usually foreigners, mainly eastern Europeans, perpetrating these crimes? Also, like Bk quoted these things are usually secret. I think more and more companies are finally admitting publicly that they have been breached nowadays.

        I think the increase in this activity has little to do with bitcoins and more to do with the internet in general. More to do with technological capabilities, especially that state actors are gaining. I think it has more to do with the same reasons there is more numerous and sophisticated viruses, and Dddos attacks in general…. There is so much more malicious activity online nowadays, with no intention of monetary gain what so ever, and I think its very related. There are many aspects of society we can blame for this, but the main issue with the internet is the disconnect with reality, and lack of compassion for fellow humans with more and more kids are growing up with these online communities raising them.
        The USA has absolutely no presence online to counter most othe propaganda the uneducated and young buy into. Al Qaeda has a bigger voice online then America does, its embarrasing.

        But this def also reminds me of the mob, and I’m also waiting for the day when we hear about organized protection rackets……Because thats exactly where this sounds like its heading soon….

        Awrsome article, this can be another movie! lol

  20. Stratocaster

    And 2014 is only half over. Stay tuned the rest of the year.

  21. Mike

    I would be in favor of funding some Hunter-Killer teams to find these people and put a bullet in their heads. But that’s just me.

    1. soberupMichael

      Ooooooh internet tough guy. Been involved in a few mass murders have you? No and thankfully everyone isn’t a psycopath like you Mikey.

      1. mike

        Relax bud, and while you’re at it, ask someone to look up the meaning of “hyperbole” and explain it to you.

  22. Robert.Walter

    Brian, your example pic looks like it was printed by an ordinary color printer. I thought that US printers were printing stegographic data in faint yellow ink on items created on such machines. Wouldn’t such criminals be apprehend able based on this (largely unknown) feature? (Or is stegographic tracing a hoax?). Thanks for your reply.

  23. derp

    But… but… pizza. Everyone like a tasty pie. I’d do chink restaurants. Tell them you saw some dogs out back one day and the next, the special tasted a bit funny xD.

  24. KrebsonSecurityFan

    Could there be a connection between the three independent pizza restaurants and their web host companies? Two of the three have independent web hosters? (Try a traceroute of the host names.)

    Also, aren’t there identifying marks printed in all color laser prints?

    This printer might be a color inkjet printer, though

  25. CJD

    Because the postal service will ACTUALLY do anything?? I contacted both them and the FBI regarding a [widespread] case of counterfeit postal money orders, explaining how I had responded to an ad for “secret shoppers” and received multiple money orders. I had all the original materials, emails, and even 2 sets of unopened groups of money orders. Offered to turn it all over to them, and to solicit further money orders from the perpetrators, if interested. I received a total of 0 responses outside the email confirmation that I had submitted a case.

    For such a small fish as this, unless it requires almost no overhead to catch them, I cant see the USPS PI doing much. Sad….

Comments are closed.