Last Time in the BEC Taxonomy Series…
In the third installment of the Business Email Compromise (BEC) taxonomy series, Proofpoint researchers delved further into the Theme tier of the Email Fraud Taxonomy framework (Figure 1), focusing on payroll redirect schemes and how they can be some of the simplest, yet still costly, email fraud attacks. Now we will explore another theme category, extortion, which of all the email fraud themes addressed in our taxonomy has the greatest potential to elicit fear, anxiety, and a sense of urgency from victims.
Figure 1. Email Fraud Taxonomy Framework.
What is Extortion?
Extortion as it relates to email fraud is any email-originated demand in which a good, service, or payment is requested to prevent destruction of property, violence, or release of confidential, embarrassing, or compromising information. Extortion has several subtypes, including:
Data Release: This is any attempt in which a threat actor has accessed or claims to have accessed sensitive data, customer information, or trade secrets. The threat actor essentially holds this valuable information hostage in return for a sum of money. The threat actor may threaten to make this information public if their demands are not met.
Distributed Denial of Service (DDoS): In this extortion attempt, a threat actor asks for money from a victim under the threat of launching a DDoS attack against the victim’s online assets. Such threats typically request payment in the form of cryptocurrency.
Physical Harm: This encompasses any attempt to extort a payment, also commonly in the form of cryptocurrency, in exchange for not physically harming the victim or their organization. Common threats under this type include bomb threats, hitmen, and murder plots.
Sextortion: This is probably the most commonplace of the extortion subtypes and includes deceitful attempts to extort a payment, likely in cryptocurrency, by threatening to release sexually related photographs or videos of the victim.
Extortion and the Email Fraud Taxonomy Framework
Extortion email fraud is the first of our themes that regularly uses no deception tactic at all, or leverages just one: impersonation (per the Proofpoint Email Fraud Taxonomy Framework in Figure 1 above). When impersonation is used, the social engineering consists of making the email look as if it originated from the victim's own mailbox. One example begins with a message from the threat actor claiming to have hacked your computer and recorded you visiting adult content. The portions of the email containing the sensitive claims are made to look like they came from your mailbox. The threat actor then threatens to release this information to your coworkers and family unless you meet their ransom demands. Such a scenario maps to the Proofpoint framework as depicted in Figure 2.
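The scenario above, and the subtype definitions earlier on this page, suggest a simple mail-gateway check that a defender can run on inbound messages: flag a message whose From address is the recipient's own address while the sending domain fails SPF/DKIM (the self-impersonation described above), and tag the extortion subtype from the wording and the presence of a cryptocurrency wallet. The following is an added example, not Proofpoint code and not part of the taxonomy itself; the keyword lists, the wallet-address pattern, the scoring threshold, and both sample messages (including the wallet string, which is a constructed placeholder) are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a sextortion message spoofed to look as if it came from the
# victim's own mailbox. The wallet string is a made-up placeholder, not a real address.
SAMPLE_EXTORTION = """\
From: victim@example.com
To: victim@example.com
Subject: I recorded you
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=victim@example.com; dkim=none
Content-Type: text/plain

I hacked your computer and have a video of you visiting adult sites.
Send 0.5 BTC to 1ExampLeExampLeExampLeExampLe1234 - you have 48 hours,
or I will send the recording to your coworkers and family.
"""

# Constructed sample: an ordinary internal message that should not be flagged.
SAMPLE_BENIGN = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com
Content-Type: text/plain

Want to grab lunch in an hour? The usual place is fine with me.
"""

# Heuristic pattern for legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses (assumption).
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})\b")

# Illustrative phrase lists per taxonomy subtype (assumption; a real deployment would tune these).
SUBTYPE_TERMS = {
    "sextortion": ("adult", "webcam", "video of you", "recording"),
    "ddos": ("ddos", "denial of service", "take your site offline"),
    "physical_harm": ("bomb", "hitman", "explosive"),
    "data_release": ("customer data", "database", "trade secret", "leak", "publish"),
}
# Coercive phrasing common to all subtypes (assumption).
THREAT_TERMS = ("unless you pay", "or i will", "if you do not pay", "if you don't pay",
                "you have 48 hours", "you have 24 hours")


def self_impersonated(msg):
    """True when the From address is identical to the recipient's own address."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    return bool(from_addr) and from_addr == to_addr


def auth_failed(msg):
    """True unless the gateway's Authentication-Results shows SPF or DKIM passing."""
    ar = msg.get("Authentication-Results", "").lower()
    spf = re.search(r"spf=(\w+)", ar)
    dkim = re.search(r"dkim=(\w+)", ar)
    spf_ok = spf is not None and spf.group(1) == "pass"
    dkim_ok = dkim is not None and dkim.group(1) == "pass"
    return not (spf_ok or dkim_ok)


def plain_body(msg):
    """Return the text/plain content of a single-part or multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def classify_extortion(raw):
    """Score one raw RFC 822 message and tag the likely extortion subtype(s)."""
    msg = message_from_string(raw)
    body = plain_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = {
        # Self-addressed mail is legitimate on its own, so it only counts with an auth failure.
        "self_impersonation": self_impersonated(msg) and auth_failed(msg),
        "crypto_wallet": bool(BTC_RE.search(body)),   # search the original case, not lowercased
        "threat_language": any(t in text for t in THREAT_TERMS),
        "subtypes": [name for name, terms in SUBTYPE_TERMS.items()
                     if any(t in text for t in terms)],
    }
    score = sum(findings[k] for k in ("self_impersonation", "crypto_wallet", "threat_language"))
    findings["verdict"] = "extortion" if score >= 2 and findings["subtypes"] else "clean"
    return findings


if __name__ == "__main__":
    print(classify_extortion(SAMPLE_EXTORTION))
    print(classify_extortion(SAMPLE_BENIGN))
```

The Authentication-Results header is only trustworthy when it was written by your own gateway; an inbound message can carry a forged one, so a production filter should strip any such header whose authserv-id is not its own before evaluating it, and the self-impersonation signal is deliberately combined with the authentication result rather than used alone, since notes-to-self and calendar mail are legitimately self-addressed.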