Check Point specialists report that they have discovered one of the reasons for the increase in the number of spam emails related to so-called “sexual extortion”. The English term sextortion, a blend of sex and extortion, denotes this activity. The tactic relies on intimidation: scammers send spam in which they try to convince victims that they hold compromising images or videos of them, and demand a ransom.
It turns out that the operators of the Phorpiex botnet (aka Trik) are actively engaged in sextortion. The researchers write that a single campaign can account for up to 27 million emails, with some Phorpiex-infected machines sending up to 30,000 malicious emails per hour. Over five months of observation, Check Point analysts tracked more than 14 bitcoins (approximately $115,000) that extortion victims transferred as ransoms to the Phorpiex operators.
Currently, the Phorpiex botnet comprises approximately 450,000 infected Windows computers. Interestingly, Phorpiex was first discovered more than ten years ago. Early on, the malware behaved like a worm, spreading via removable USB drives and storage devices as well as through private messages on Skype and Windows Live Messenger. Those initial variants were mostly tracked under the name Phorpiex, while the botnet is now more commonly referred to as Trik.
From the very beginning, Phorpiex used infected computers to send spam rather than to steal data from infected hosts or to deploy second-stage malware for which the botnet operators could charge money. Over its long history, Phorpiex has distributed almost every major type of malware: from banking Trojans to ransomware, from infostealers to pharmaceutical spam. In this light, it is not surprising that the botnet operators have turned their attention to sextortion, which is currently a very popular trend in the criminal world.
An interesting feature of the Phorpiex sextortion campaigns is that in their messages the attackers claim to have not only compromising video of the victim but also the victim's passwords. As evidence, the extortionists quote one of the user's passwords in the email.
It is not known exactly where the scammers obtain the credential data of their victims, but the researchers note that all of the email addresses to which the extortion spam is sent can be found in the databases of the breach-notification service Have I Been Pwned. That is, these users were previously victims of data leaks. Evidently, the attackers have many previously leaked databases at their disposal, from which they draw this information.
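A defender-side illustration of the indicators just described, added here as an example and not taken from Check Point's report: it flags a mail body that claims to hold video, quotes a password as "proof" and demands bitcoin, and validates any legacy bitcoin address it finds with Base58Check so the address can be tracked per campaign. The sample mails and the quoted password are constructed; the bitcoin address is the well-known genesis-block address, chosen only because its checksum is valid.

```python
import hashlib
import re

# Indicators described above: a claim to hold compromising video, a quoted
# password as "proof", and a ransom demand payable to a bitcoin address.
VIDEO_RE = re.compile(r"\b(video|webcam|recorded you|watching porn)\b", re.I)
PASSWORD_RE = re.compile(r"\bpassword\s*(?:is|was|:)\s*([^\s.,;]{6,})", re.I)
DEMAND_RE = re.compile(r"\$\s?\d[\d,]*|\d+(?:\.\d+)?\s*(?:btc|bitcoin)", re.I)
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def valid_legacy_btc(addr: str) -> bool:
    """Base58Check validation of a legacy bitcoin address: decode to 25 bytes,
    then compare the last 4 bytes with double-SHA256 of the first 21."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def sextortion_indicators(body: str) -> dict:
    """Collect the indicators found in one mail body. Addresses are returned
    so that ransom payments can be tracked per campaign, as Check Point did."""
    pw = PASSWORD_RE.search(body)
    return {
        "claims_video": bool(VIDEO_RE.search(body)),
        "quoted_password": pw.group(1) if pw else None,
        "ransom_demand": bool(DEMAND_RE.search(body)),
        "btc_addresses": [a for a in BTC_RE.findall(body) if valid_legacy_btc(a)],
    }


def is_sextortion(body: str, threshold: int = 3) -> bool:
    """Flag the mail when at least `threshold` of the four indicators co-occur."""
    ind = sextortion_indicators(body)
    hits = [ind["claims_video"], ind["quoted_password"] is not None,
            ind["ransom_demand"], bool(ind["btc_addresses"])]
    return sum(hits) >= threshold


# Constructed sample mails, not taken from the campaign. The address is the
# well-known bitcoin genesis-block address, used only for its valid checksum.
SEXTORTION_MAIL = """I know your password is hunter2. I recorded you through your
webcam while you were watching porn. Send $800 (0.07 BTC) to
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48 hours or the video goes to your contacts."""
BENIGN_MAIL = "Hi, your password reset link expires in 24 hours. Thanks, IT helpdesk."
```

The quoted-password indicator is also what a mail-security team can use to tell affected users to rotate that credential, since its presence confirms it came from a breach dump.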