In a significant turn of events, a decade-old botnet named Phorpiex, which currently controls over 450,000 computers globally, has pivoted from its previous activities—namely deploying ransomware and cryptominers—to orchestrating sextortion campaigns. This shift involves sending millions of fraudulent emails intended to extort money from unsuspecting individuals.

The rise in email extortion has been alarming, with many users reporting a surge in sextortion emails that leverage personal and potentially compromising information to manipulate their victims. While the scale of these fraudulent communications raised questions about how these scams could persist without repercussions from email service providers, researchers from CheckPoint have uncovered a crucial piece of the puzzle.

CheckPoint’s recent findings reveal that Phorpiex has been upgraded to include a spam bot capable of utilizing compromised devices as proxy servers. This configuration enables the botnet to dispatch over 30,000 sextortion emails each hour without the knowledge of the owners of the infected devices.

The mechanics of the Phorpiex spam bot involve downloading a comprehensive list of target email addresses from a command-and-control server. Using a minimal implementation of the SMTP protocol, the bot then composes and sends sextortion messages directly from the infected host. By randomly selecting email addresses from the downloaded database, the spam bot can generate countless emails—potentially reaching over 27 million victims in a single campaign.

To enhance the efficacy of their intimidation tactics, the perpetrators include a victim’s passwords within the subject line or body of the sextortion messages. This tactic aims to create a façade of legitimacy, convincing recipients that the sender has accessed their private information.

In reality, these email addresses and accompanying passwords typically originate from previously compromised databases, meaning the passwords displayed may not even correspond to the victims’ current accounts. Instead, they might be outdated, linking back to various online services.
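The message pattern described above (a leaked password in the subject or body, extortion wording, and a Bitcoin payment address) is what a mail gateway can key on. The following is an added example, not CheckPoint's or the article's own code: a small mail filter that parses RFC 5322 messages and scores these indicators. The sample messages, the placeholder address and the threshold are constructed assumptions.

```python
import email
import re
from email import policy

# Constructed sample messages (not captured campaign data).
SAMPLES = {
    "sextortion": (
        "From: noreply@example.net\r\n"
        "To: victim@example.org\r\n"
        "Subject: victim@example.org : hunter2\r\n"
        "\r\n"
        "I know your password is hunter2. I recorded you through your webcam.\r\n"
        "Send 800 USD in bitcoin to 1SAMPLEADDRxxxxxxxxxxxxxxxxxxxx within 24 hours.\r\n"
    ),
    "benign": (
        "From: it-helpdesk@example.org\r\n"
        "To: user@example.org\r\n"
        "Subject: Account notice\r\n"
        "\r\n"
        "Your password is due to expire in 3 days. Log in within 48 hours to renew it.\r\n"
    ),
}

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes; the sample
# address above is a constructed placeholder that merely fits this pattern.
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Phrases used to present a breached password as proof of access.
PASSWORD_HINT = re.compile(r"\b(?:your password|password is|password:)\b", re.I)
# Subject of the form "email : password", as seen in these campaigns.
SUBJECT_CRED = re.compile(r"^[^@\s]+@[^@\s]+\s*[:\-]\s*\S+$")
EXTORT_WORDS = ("webcam", "video", "bitcoin", "btc", "hours", "contacts")


def score_message(raw):
    """Return the list of sextortion indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content() if text_part is not None else ""
    indicators = []
    if SUBJECT_CRED.match(subject):
        indicators.append("credential_in_subject")
    if PASSWORD_HINT.search(body):
        indicators.append("password_claim_in_body")
    if BTC_ADDR.search(body):
        indicators.append("btc_address")
    if sum(1 for w in EXTORT_WORDS if w in body.lower()) >= 2:
        indicators.append("extortion_vocabulary")
    return indicators


def is_sextortion(raw, threshold=3):
    """Flag a message only when several independent indicators co-occur (assumed threshold)."""
    return len(score_message(raw)) >= threshold
```

A single indicator such as a routine "your password is due to expire" notice does not trip the filter; the combination of credential, claim, payment address and vocabulary does.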

CheckPoint’s observations indicate that each database from which these email addresses are drawn can contain up to 20,000 entries. Notably, across different campaigns, the researchers identified between 325 and 1,363 distinct databases on the command-and-control server, suggesting a massive and targeted outreach capability for each sextortion campaign.

The cybercriminals spearheading this campaign, whose malware some security teams label “Save Yourself,” have reportedly collected over 11 Bitcoins—approximately $88,000—over a five-month period from these operations. While this figure may not appear large in the grand scheme, it likely understates the actual revenue, because earlier sextortion campaigns were not monitored as extensively.

Given these developments, business owners should consider the broader implications. The tactics employed map to several MITRE ATT&CK techniques, particularly initial access through phishing, exploitation of weaknesses in system configurations, and use of compromised credential data for impersonation and manipulation.

As this evolving threat landscape continues to unfold, vigilance and robust cybersecurity measures will be crucial in mitigating similar attacks that could endanger sensitive information and overall organizational integrity. For those interested in staying informed on such critical topics, following pertinent news organizations can prove valuable in preemptively addressing potential vulnerabilities.