Tag Archives: Botnets

Sextortion Botnet Spreads 30,000 Emails an Hour

Most of you have probably seen or heard of the threatening email that starts with “Hi, I know one of your passwords is: xxxxx“.  The email goes on to say that the email writer has infected the recipient’s PC, including access to the recipient’s webcam. The attacker claims, by virtue of installing the malware on the recipient’s computer, to have access to all of the recipient’s accounts and to have recorded the recipient engaging in adult activities which the attacker will share with the recipient’s address book if the recipient doesn’t fork over some money, pronto.  Of course the ransom should be paid in Bitcoin.

There are a number of variants to this email, but what is amazing is how the process works.

First, regarding the password, it is a legitimate password belonging to the recipient, but it is likely NOT obtained from hacking any computer, but rather, bought on the dark web as a result of one of the many breaches that we read about on a daily basis.

If you want to see at least some of where your passwords have been breached, go to MONITOR.FIREFOX.COM .  It asks for your email and when you enter it, you will see a report like this:

This data comes from Troy Hunt’s “Have I Been Pwned” database.  Troy has been collecting breach data for about 5 years and his database has about 8 BILLION breach records as of this writing.  All it asks for  is your email address and nothing more, so it will only report on breaches which have been associated with your email address, whether that is the userid that you use to log in with or was just part of the data compromised.

The attacker, in many cases, also claims to have video of the recipient engaging in adult sexual activities.  The attacker threatens to share this adult video with your address book.  Nothing is guaranteed, but it is unlikely that the attacker has compromised the recipient’s PC,  did capture a video or has captured the recipient’s address book.  A simple fix to this is covering your camera with a piece of tape (be careful not to get the gooey part on the camera lens or a camera slide cover available at Amazon for a couple of bucks and cover the camera when you are not using it.

More than likely, this is just a classical shakedown that mobsters have been doing for hundreds of years.

But what is more interesting is how this attack works.

The emails do not come from a single email account.

Rather, the attacker has purchased access to a botnet of compromised PCs (which, by the way, the recipient’s PC could be one of if he or she doesn’t have good cybersecurity practices in place).  Using this rented botnet of hundreds or thousands of PCs, the attacker sends out emails at the rate, in one case, of 30,000 emails per hour, which probably translates to a handful of emails per hour per compromised PC.

This makes it almost impossible to shut down, although there is a command and control (C&C) server which is feeding instructions to these compromised PCs – that is probably the best leverage point to shut it down.  Likely those C&C servers are in countries unfriendly to US law enforcement or move around frequently to make it harder to shut down.

If this one botnet is sending out 30,000 sextortion emails an hour, that translates to 250,000 emails in an 8 hour day (assuming the compromised bot turns off his or her computer at night and 750,000 emails a day if he or she leaves her computer on all the time.


If say one hundredth of one percent of those recipients pay, that translates to 75 payments per day.  If the attacker is asking, say, for $500, that translates to $37,500 a day, tax free.  Even if only 7 (one tenth of the above number) people respond a day, that translates to an annual income of $1,368,000.   From just one attacker.

THAT is why we see lots of spam.  Source: BBC