Black-hat sextortionists required: Competitive salary and dental plan

Extortionists are promising salaries of more than a quarter of a million pounds to skilled infosec folk willing to put on a black hat, according to research outfit Digital Shadows.

Those salaries are on offer to people willing to blackmail and extort money out of "high net worth individuals" – and at the upper end of the scale have even reportedly topped £840,000.

A group of mischief-makers calling themselves "thedarkoverlord" would post job advertisements "with specifications and salaries that would rival those offered by most corporate businesses. Recruits were tempted with £50,000 ($64,000) per month, with add-ons and a final salary after the second year of £70,000 ($90,000) per month," Digital Shadow said.

"Those with Chinese, Arabic or German skills could earn an added 5 per cent on their salary or commission," the firm added.

The report, titled A Tale of Epic Extortions, describes how these particular criminals target rich folk through the usual vectors of compromised credentials and scanning their known public presences for vulnerabilities, ready to deploy ransomware.

On top of that, the crims studied by the firm aren't above sextortion, the dark art of monetising sexually explicit photos and videos of a victim by threatening to reveal them publicly unless large sums of money are handed over. Digital Shadows reckoned "the scale and persistence of the campaigns rocketed over 2018", claiming to have "collected and analyzed a sample of sextortion emails in which 89,000 addresses received over 790,000 sextortion attempts".

"The extortionist provides the user with a known password as 'proof' of compromise, then claims to have video footage of the victim watching adult content online, and finally urges them to pay a ransom to a specified Bitcoin (BTC) address," said the report. "A later iteration of the campaign involves the extortionist trying to support their credibility by sending another email that refers to a Cisco ASA router vulnerability (CVE-2018-0296). The extortionist suggests that the vulnerability allowed them to access the victim's machine."

Compromised creds were found being traded on a forum called TheRealDeal, with one particular group of miscreants using the handle "thedarkoverlord" being the focus of Digital Shadows' research. Once TheRealDeal folded, thedarkoverlord reappeared on the KickAss black hat forum, allegedly selling "stolen data" to "other extortionists and fraudsters".

The infosec company also pointed to thedarkoverlord's use of crowdfunding techniques, in particular from the Hiscox insurance company hack of April 2018 where it threatened to leak information about claims brought over the 11 September 2001 terrorist attacks on the US. Digital Shadows said thedarkoverlord "began crowdfunding the publication" of decryption keys via Bitcoin, pressuring the insurance company to pay up before the great unwashed met the payment target for publication.

"In true TDO style, the use of a crowdfunding platform has allowed them to increase their publicity in the online community, while providing an additional revenue stream for their extortion antics," said the researchers.

To mitigate against such attacks and techniques, Digital Shadows recommended folks use a password manager (going with the flow of current advice to use them despite mostly theoretical weaknesses in some implementations), enable multi-factor authentication for web-facing accounts, enabling regular backups to mitigate against ransomware, and properly configuring security options on NASes. As for sextortion emails, they simply say "users should ignore these emails" while keeping a close eye out for signs that such emails are part of a mass campaign rather than specific, targeted blackmail attempts. ®