Digital extortionist offer high six-figure salaries to accomplices

News by Robert Abel

Cyber-criminals are promising salaries of up to US$ 360,000 (£275,179) a year to accomplices who seek to extort high net worth individuals such as C-Level executives, lawyers, and doctors.

Cyber-criminals are promising salaries of up to US$ 360,000 (£275,179) a year to accomplices who seek to extort high net worth individuals such as C-Level executives, lawyers, and doctors. 

These bribes can be even higher for those who have network management, penetration testing, and programming skills with one threat actor willing to pay the equivalent of US$ 768,000 (£587,011) annually, with add-ons and a final salary after the second year of US$ 1,080,000 (£825,484) per year, according to a recent report by Digital Shadows. 

The "A Tale of Epic Extortions: How Cybercriminals Monetize Our Online Exposure" report detailed how digital extortionists are monetizing unwanted online exposures such as compromised credentials, vulnerabilities, sensitive data, and explicit images in sextortion attacks.

Experienced extortionists are promising salaries of more than US$ 30,000 (£22,930) through tutorials and recruitment claims that new recruits can make a decent living through cyber-sextortion scams directed at high-worth individuals like executives, lawyers, and doctors while promising more for those with greater technical skill sets.

In addition, extortionists are adopting crowdfunding models which allow them to raise funds from the general public rather than relying on victims to give into ransom demands.

Between July 2018 and February 2019 researchers counted 89,000 email recipients of sextortion attempts, 792,000 total attempts against target emails, 92 Bitcoin addresses that received payments and US$ 332,000 (£253,790) total extortion payments received.   

High-Tech Bridge CEO Ilia Kolochenko said these numbers undermine the long term sustainability of commercially-motivated bug bounties and that we will likely see a decline of skilled people involved in crowd security testing as they can either find a highly competitive salary in the industry, or alternatively shift to the dark side.

"Shadow economy is not subject to governmental control or regulation anymore." Kolochenko said. "In the past, cyber-criminals were restrained by money laundering difficulties in the cyber-space, but with the rise of cryptocurrencies virtually any illicit income of any size can be legalised without legal ramifications."

Kolochenko added that highly competitive salaries and other forms of remuneration in cyber-gangs are widely spread and have been for a while.

He went on to add that unlike inefficient cyber-security startups looking for the next investment round as a universal resort for any past failures cyber-criminals are very well organised, disciplined and managed with a sole objective to maximising their short term profit as opposed to "becoming a unicorn or running a successful IPO in ten years."

In order to minimise the effects of potential extortion attempts researchers recommend that victims don’t respond to sextortion emails, use HaveIBeenPwned to find previously breached accounts, and develop a ransomware playbook.

In addition, threat actors should look to shrink their potential attack surface, apply best practices for user permissions, secure email end-users, and submit a complaint to the FBI’s IC3 if contacted by criminals.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews