The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency Bitcoin, these shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.
At least four businesses recently reported receiving “Notice of Extortion” letters in the U.S. mail. The letters say the recipient has been targeted for extortion, and threaten a range of negative publicity, vandalism and harassment unless the target agrees to pay a “tribute price” of one bitcoin (currently ~USD $561) by a specified date. According to the letter, that tribute price increases to 3 bitcoins (~$1,683) if the demand isn’t paid on time.
The ransom letters, which appear to be custom written for restaurant owners, threaten businesses with negative online reviews, complaints to the Better Business Bureau, harassing telephone calls, telephone denial-of-service attacks, bomb threats, fraudulent delivery orders, vandalism, and even reports of mercury contamination.
The missive encourages recipients to sign up with Coinbase – a popular bitcoin exchange – and to send the funds to a unique bitcoin wallet specified in the letter and embedded in the QR code that is also printed on the letter.
The letters all say the amounts are due either on Aug. 1 or Aug. 15. Perhaps one reason the deadlines are so far off is that the attackers understand that not everyone has bitcoins, or even knows about the virtual currency.
“What the heck is a BitCoin?” wrote the proprietors of New Hampshire-based 900 Degrees Neapolitan Pizzeria, which posted a copy of the letter (above) on their Facebook page.
Sandra Alhilo, general manager of Pizza Pirates in Pomona, Calif., received the extortion demand on June 16.
“At first, I was laughing because I thought it had to be a joke,” Alhilo said in a phone interview. “It was funny until I went and posted it on our Facebook page, and then people put it on Reddit and the Internet got me all paranoid.”
Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, said these extortion attempts cost virtually nothing and promise a handsome payoff for the perpetrators.
“From the fraudster’s perspective, the cost of these attacks is a stamp and an envelope,” Weaver said. “This type of attack could be fairly effective. Some businesses — particularly restaurant establishments — are very concerned about negative publicity and reviews. Bad Yelp reviews, tip-offs to the health inspector..that stuff works and isn’t hard to do.”
While some restaurants may be an easy mark for this sort of crime, Weaver said the extortionists in this case are tangling with a tough adversary — The U.S. Postal Service — which takes extortion crimes perpetrated through the U.S. mail very seriously.
“There is a lot of operational security that these guys might have failed at, because this is interstate commerce, mail fraud, and postal inspector territory, where the gloves come off,” Weaver said. “I’m willing to bet there are several tools available to law enforcement here that these extortionists didn’t consider.”
It’s not entirely clear if or why extortionists seem to be picking on pizza establishments, but it’s probably worth noting that the grand-daddy of all pizza joints — Domino’s Pizza in France — recently found itself the target of a pricey extortion attack earlier this month after hackers threatened to release the stolen details on more than 650,000 customers if the company failed to pay a ransom of approximately $40,000).
Meanwhile, Pizza Pirates’s Alhilo says the company has been working with the local U.S. Postal Inspector’s office, which was very interested in the letter. Alhilo said her establishment won’t be paying the extortionists.
“We have no intention of paying it,” she said. “Honestly, if it hadn’t been a slow day that Monday I might have just throw the letter out because it looked like junk mail. It’s annoying that someone would try to make a few bucks like this on the backs of small businesses.”
A GREAT CRIME FOR CRIMINALS
Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.
“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”
Last month, the U.S. government joined private security companies and international law enforcement partners to dismantle a criminal infrastructure responsible for spreading Cryptlocker, a ransomware scourge that the FBI estimates stole more than $27 million from victims compromised by the file-encrypting malware.
Even as the ink was still drying on the press releases about the Cryptolocker takedown, a new variant of Cryptolocker — Cryptowall — was taking hold. These attacks encrypt the victim PC’s hard drive unless and until the victim pays an arbitrary amount specified by the perpetrators — usually a few hundred dollars worth of bitcoins. Many victims without adequate backups in place (or those whose backups also were encrypted) pay up. Others, like the police department in the New Hampshire hamlet of Durham, are standing their ground.
The downside to standing your ground is that — unless you have backups of your data — the encrypted information is gone forever. When these attacks hit businesses, the results can be devastating. Code-hosting and project management services provider CodeSpaces.com was forced to shut down this month after a hacker gained access to its Amazon EC2 account and deleted most data, including backups. According to Computerworld, the devastating security breach happened over a span of 12 hours and initially started with a distributed denial-of-service attack followed by an attempt to extort money from the company.
A HIDDEN CRIME
Extortion attacks against companies operating in the technology and online space are nothing new, of course. Just last week, news came to light that mobile phone giant Nokia in 2007 paid millions to extortionists who threatened to reveal an encryption key to Nokia’s Symbian mobile phone source code.
Trouble is, the very nature of these scams makes it difficult to gauge their frequency or success.
“The problem with extortion is that the money is paid in order to keep the attack secret, and so if the attack is successful, there is no knowledge of the attack even having taken place,” SANS’s Paller said.
Traditionally, the hardest part about extortion has been getting paid and getting away with the loot. In the case of the crooks who extorted Nokia, the company paid the money, reportedly leaving the cash in a bag at an amusement park car lot. Police were tracking the drop-off location, but ultimately lost track of the blackmailers.
Anonymous virtual currencies like Bitcoin not only make it easier for extortionists to get paid, but they also make it easier and more lucrative for more American blackmailers to get in on the action. Prior to Bitcoin’s rise in popularity, the principal way that attackers extracted their ransom was by instructing victims to pay by wire transfer or reloadable prepaid debit cards — principally Greendot cards sold at retailers, convenience stores and pharmacies.
But unlike Bitcoin payments, these methods of cashing out are easily traceable if cashed out in within the United States, the ICSI’s Weaver said.
“Bitcoin is their best available tool if in they’re located in the United States,” Weaver said of extortionists. “Western Union can be traced at U.S. cashout locations, as can Greendot payments. Which means you either need an overseas partner [who takes half of the profit for his trouble] or Bitcoin.”