Explosive new “bomb in the building” email scam

AndyIT News, IT Security

Over the past 48 hours Consider IT have seen numerous reports of a new scam demanding cryptocurrency. Unlike similar scams, which tend to focus on extorting individuals, this one claims there is a bomb in your building and demands $20,000 by the end of the day to stop it exploding!

Understandably this has caused some concern and wasted emergency services' time. The typical content of the email is as follows, with a unique bitcoin address per email.

 

“There is the explosive device (Hexogen) in the building where your company is located. My recruited person constructed the bomb under my direction. It can be hidden anywhere because of its small size, it can not destroy the structure of the building, but in the case of its detonation there will be many victims.

My man keeps the territory under the control. If he notices any strange behavior, panic  or policemen the device will be exploded.

I can call off my mercenary if you make a transfer. $20’000 is the price for your safety and business. Tansfer it to me in BTC and I warrant that I will withdraw my mercenary and the bomb will not detonate. But do not try to deceive me- my assurance will become valid only after 3 confirms in blockchain network.

 

Here is my BTC address – xxxxxxxxxxxxxxx

 

You have to solve problems with the payment by the end of the workday. If you are late with the transaction the bomb will explode.

Nothing personal, if you don’t send me the bitcoin and a bomb detonates, next time other companies will pay me more bitcoins, because it is not a one-time action.

For security and anonymity ,  I will no longer enter this email account. I check my Bitcoin address every 20 minutes and after receiving the transaction I will order my man to leave your area.

 

If an explosive device blows up and the authorities see this email-

We arent terrorists and do not assume any  responsibility for acts of terrorism in other places.”

There are examples of minor changes in text, such as the material used in the bomb. The Register reports that several American police stations have already issued statements on the hoax – “Police in Chicago, Illinois, Montgomery County, Maryland, San Francisco, California, Los Angeles, California and Washington, DC, among others, have issued similar statements indicating the emailed threat has been distributed nationwide.”

The FBI has issued one as well:

FBI aware of email based bomb threats

https://twitter.com/FBI/status/1073355671662456832/

Consider IT have yet to see this hoax sent to a company in the UK, though we expect it won’t be long before examples start to surface.

On perhaps a lighter note, another recent email scam that has concerned a few of our clients is the ‘sextortion’ scam. In recent years many high-profile websites have had their users’ login details leaked, including email addresses and passwords. These databases became publicly available on the internet and can be used to try the leaked logins against websites or, in this case, to send mass emails to the people whose details were leaked.

This attack leverages the assumption that people re-use their passwords across different websites and services.

The scammer sends a variation of the following email:

“I do know [leaked password here] one of your pass word. Lets get straight to the purpose. You may not know me and you are probably wondering why you are getting this email? There is no one who has compensated me to check you.

 

actually, I placed a software on the adult videos (porno) site and you know what, you visited this web site to have fun (you know what I mean). When you were watching video clips, your internet browser initiated working as a Remote Desktop having a keylogger which provided me with accessibility to your display screen and cam. Right after that, my software collected every one of your contacts from your Messenger, social networks, as well as email . Next I made a video. First part displays the video you were viewing (you’ve got a fine taste rofl), and next part shows the view of your webcam, & its you.

 

You have got two different options. We should explore these types of options in particulars:

 

1st option is to disregard this email message. Consequently, I will send your very own video to every single one of your contacts and also visualize regarding the humiliation that you receive. And likewise in case you are in an affair, just how this will affect?

 

In the second place choice should be to give me $2000. Lets name it as a donation. Subsequently, I will straight away eliminate your videotape. You could carry on with your life like this never took place and you will never hear back again from me.

 

You’ll make the payment by Bitcoin (if you don’t know this, search “how to buy bitcoin” in Google).

 

BTC Address to send to:xxxxxxxxxxxxxxxxx

[CASE sensitive so copy and paste it]

 

In case you are making plans for going to the authorities, look, this email message cannot be traced back to me. I have covered my steps. I am just not looking to ask you for a whole lot, I just like to be compensated.

 

You have one day to pay. I have a special pixel within this e mail, and now I know that you have read through this email message. If I don’t get the BitCoins, I will certainly send your video to all of your contacts including friends and family, coworkers, and so on. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply Yeah! then I definitely will send out your video recording to your 5 friends. This is the non-negotiable offer thus please do not waste my personal time and yours by replying to this mail.”

Clever, though some clients were understandably concerned upon receiving this email! If you want to check whether your password has been leaked, you can use Troy Hunt’s Have I Been Pwned? service to check your email address against the exposed databases. Another nice feature is that you can enter your company’s domain name to receive a notification should anyone in your company have their password leaked.
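Both emails quoted above vary their wording and carry a unique Bitcoin address per message, so exact-match filters miss them. The following is an added example, not part of the original post: a mail-triage sketch that validates any legacy (Base58Check) Bitcoin address in the body and combines it with the traits the two emails share. The indicator patterns, verdict names and sample messages are assumptions constructed for illustration; the sample address is the publicly known Bitcoin genesis-block address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses only (start with 1 or 3); bech32 "bc1..." is out of scope here.
CANDIDATE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Traits shared by both quoted emails (patterns are assumptions; tune per mail flow).
INDICATORS = {
    "payment_demand": re.compile(r"\$\s?\d{1,3}(?:[,'’]?\d{3})+|\bbitcoins?\b|\bBTC\b", re.I),
    "deadline": re.compile(r"end of the (?:work)?day|one day to pay|\d+\s*hours", re.I),
    "threat": re.compile(r"\b(?:bomb|explosive|detonat\w*|webcam|your video)\b", re.I),
}

def is_base58check(addr):
    """True if addr decodes to 25 bytes ending in its double-SHA256 checksum."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)
        pad = len(addr) - len(addr.lstrip("1"))  # each leading '1' is a zero byte
        raw = b"\x00" * pad + n.to_bytes(25 - pad, "big")
    except (ValueError, OverflowError):
        return False  # bad character, or does not fit the 25-byte layout
    digest = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()
    return raw[-4:] == digest[:4]

def triage(body):
    """Return (verdict, details) for one message body."""
    addrs = [a for a in CANDIDATE.findall(body) if is_base58check(a)]
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
    if addrs and len(hits) >= 2:      # real address plus extortion traits
        verdict = "quarantine"
    elif addrs or len(hits) >= 2:     # partial match: send to an analyst
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, {"addresses": addrs, "indicators": hits}

# Constructed samples, modelled on the wording quoted in this post.
SAMPLE_BOMB = ("There is the explosive device in the building. $20'000 is the price. "
               "Here is my BTC address - 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
               "You have to solve problems with the payment by the end of the workday.")
SAMPLE_REDACTED = ("Give me $2000. BTC Address to send to:xxxxxxxxxxxxxxxxx "
                   "You have one day to pay or I send the view of your webcam.")
SAMPLE_INVOICE = "Invoice 4471 attached. Please pay $1,250 by bank transfer within 30 days."

if __name__ == "__main__":
    for msg in (SAMPLE_BOMB, SAMPLE_REDACTED, SAMPLE_INVOICE):
        print(triage(msg))
```

Checking the address checksum keeps ordinary long alphanumeric strings, such as tracking IDs, from counting as payment addresses.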