Arab corporate users being targeted with "fake extortion" attack

News by SC Staff

Over the weekend of 25-26th August, users across the GCC were targets of an attempted 'Fake Extortion' email campaign that passed through security filters and reached its intended victims' corporate inboxes.

Over the weekend of 25-26th August, users across Gulf Cooperation Council countries (GCC – Saudi Arabia, Kuwait, Bahrain, UAE, Qatar and Oman) were targets of an attempted 'Fake Extortion' email campaign that passed through security filters and reached its intended victims' corporate inboxes, SC has been informed. In the extortion email the attackers claim intimate knowledge of the users' web activities on adult websites, using fear of shame and embarrassment to panic victims into making payments via bitcoin.

In the email, the attacker claims to have logged a victim's visit to a pornographic website, which has now infected the user's computer with a virus; this virus recorded the user's computer screen, as well as the individual's face via the computer's camera, and the attacker then claims to have edited the two recordings into a split-screen capture. The email suggests that the intended victim avoid embarrassment by sending a sum of money (approx. £250) to the attacker's bitcoin wallet, or else the split screen will be shared with the contact's social circle, saying: “If I don't receive my Bitcoins I'll send video with you to all your contacts.”

Mirza Asrar Baig, CEO & founder of CTM360, a cyber-security firm from the Kingdom of Bahrain, told SC that on analysing the contents of the email sent to his clients, his team found:

·  The message states that the attacker was tracking the user's activity and extensively logging actions using software. The attacker seeks to capitalise on the individual's embarrassment and fear by threatening to leak a split-screen capture to all contacts that the attacker has collected.

·  Nearly all the different bitcoin wallets referenced in the attack had been recently set up and had either none or just a couple of transactions.  

·  The email is written in broken English to give an impression that the attacker is not a native English speaker.

·  It is likely that the attacker sent an adult dating or porn website link to the same target before the extortion message, to give the extortion message further credibility.

·  The attacker likely collected email addresses from the many data dumps that have leaked over the last two years, especially those with user data stolen from corporations and government sectors.

·  The attacker relies on the fact that many of the users would open the email on their smartphone or notebook and hence may believe that they have been recorded by the camera in their device.

·  The message disregards the benefit of going to the police as the attacker is only going to wait for a day for the ransom money to be received and then publish the recording.

Original email:


"I do not presume to judge you, but as a result of few cases, we have point of contact since now. I do not think that caress oneself is very bad, but when all your acquaintances see it- its obviously bad.

So, closer to the point. You visited the internet with ??rn, which I've seized with the deleterious soft. Then you chose video, virus started working and your device became working as dedicated desktop at once. Naturally, all cams and screen started recording instantly and then my soft collected all contacts from your device.

I message you on this e-mail address, because I've collected it with my soft, and I guess you for sure check this work address.

The most important thing that I edited video, on one side it shows your screen record, on second your cams record. Its very amusingly. But it was sophisticated .

All in all- if you want me to delete all this compromising evidence, here is my Bitcoin wallet address- 1sdVjarp83Lg-truncated (it must be without «spaces» or «=aquo;,check it). If you do not know how to use it, you can ask google or youtube for tips- its very easy. I suggest, that 310 usd will finish your problem and will destroy our touchpoint . You have one day after reading this message(I put special pixel in it, ill know when you read it). If you wont pay me, ill share the compromising with all contacts I've collected from you.

Finally, you can ask police for help, but, obviously, they will not find me for 1 day, so you will be shamed at all. Sorry for misprints, I am foreign. "

Asrar Baig told SC: “As with all scams and blackmail incidents, the best policy is generally to not acknowledge or agree to the blackmailer's demands, as (apart from any other consideration) there is no guarantee that they will hold their side of the bargain. A useful tactic is to block strings of text associated with such emails in the corporate email gateway, so as to prevent staff from falling victim to and paying off the blackmailers - which they may do without informing the IT team. Examples of such strings include: "Here is my Bitcoin account address" and "You have one day after reading this message." Depending on the internal environment and involvement of the organisation with bitcoin, a more extreme measure would be to treat all emails containing the word “bitcoin” from untrustworthy senders as suspicious.”
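
One way to express the gateway rule described above, as an added example that is not code from the article or from CTM360: it decodes and normalises the message body, matches the two quoted strings, and applies the stricter "bitcoin from untrustworthy senders" rule. The `wallet` variant pattern, the allow-list, the domain names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# The two strings quoted in the article, lower-cased for matching.
PHRASES = ("here is my bitcoin account address",
           "you have one day after reading this message")
# Assumption: looser pattern so "wallet address", the wording in the sample
# email, is caught as well as "account address".
WALLET_RE = re.compile(r"here is my bitcoin (?:account|wallet) address")
TRUSTED_DOMAINS = {"partner.example"}  # hypothetical allow-list

def normalise(text):
    """Drop HTML tags, collapse whitespace and lower-case before matching."""
    text = re.sub(r"<[^>]+>", " ", text).replace("\u00a0", " ")
    return re.sub(r"\s+", " ", text).lower()

def classify(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    # get_content() undoes base64 / quoted-printable transfer encoding.
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_maintype() == "text")
    text = normalise(f"{msg['Subject'] or ''} {body}")
    # From is spoofable; a real gateway would key trust on SPF/DKIM/DMARC results.
    domain = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    reasons = [p for p in PHRASES if p in text]
    if WALLET_RE.search(text) and PHRASES[0] not in reasons:
        reasons.append("wallet-address variant")
    if reasons:
        return "block", reasons
    if "bitcoin" in text and domain not in TRUSTED_DOMAINS:
        return "suspicious", ["'bitcoin' from untrusted sender"]
    return "deliver", []

def build(sender, body, subtype="plain", cte="7bit"):
    """Constructed sample message (not a captured email)."""
    m = EmailMessage()
    m["From"], m["Subject"] = sender, "hello"
    m.set_content(body, subtype=subtype, cte=cte)
    return m.as_string()

SCAM = build("x@mailer.invalid", "<p>here is my Bitcoin wallet\naddress- "
             "PLACEHOLDER. You have one day<br>after reading this message</p>",
             subtype="html", cte="base64")
NEWS = build("news@mailer.invalid", "Bitcoin price update for subscribers")
PARTNER = build("ops@partner.example", "Invoice payable in bitcoin as agreed")
```

`classify(SCAM)` blocks even though the body is base64-encoded HTML with the phrase split across a tag and a line break; an exact match on the "account address" string alone would miss the "wallet address" wording in the sample email.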

