IF YOU HAVE SAMPLES OF THE EMAIL, PLEASE REPORT THEM
The more emails we have to analyze, the better our understanding of this threat will be. While reporting to the FBI's IC3.gov is a great idea, and highly encouraged, it hides the details from security researchers such as myself. One great place to report any type of fraudulent bitcoin activity is "BitCoinAbuse.com". If you decide to report there, please extract the sending IP address and the email Subject from your spam and include them as part of the report. We can cluster reports on both of those fields. (Including the bitcoin address used is a given.) Extracts taken from BitCoinAbuse.com follow below. You can read the original reports yourselves here:
- https://www.bitcoinabuse.com/reports/15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM
- https://www.bitcoinabuse.com/reports/1CF9VQhwjJutPxwVq5QLFA7j7baq4RDb3w
- https://www.bitcoinabuse.com/reports/1BTuxsCpAGtCzcszvFV2g4beqAZ2AUnyFh
- https://www.bitcoinabuse.com/reports/1Hov6Xo2Bss7K3p56gGKfy7UGY37TfXG2k
- https://www.bitcoinabuse.com/reports/1AgKqK3LHyJuLKzbK2wd4nuxAJ2GJ84maZ
- https://www.bitcoinabuse.com/reports/1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v
- https://www.bitcoinabuse.com/reports/1893DMwnrq9vA6JmQBdyWRKecArDAUTcGR
- https://www.bitcoinabuse.com/reports/14Rz7W71sXwmnwqZHLvXSf5s1vmpp9viFb
- https://www.bitcoinabuse.com/reports/1PcFPuZeEfuCCbdPu69nzUCvzsqu967xNm
- https://www.bitcoinabuse.com/reports/1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w
- https://www.bitcoinabuse.com/reports/19nShJMkTbP6VCVaoAjzzTQuXLPzXH1Qb7
- https://www.bitcoinabuse.com/reports/161JE4rHfvygXUVLya8N2WFptjwon2172t
(If you have a sample of one of these emails, please consider filling out a BitCoinAbuse.com/report - but please make sure to include the SENDING IP ADDRESS from the email headers!)
Email Bodies contain Spam-template randomization
Here are extracts from many of the spam messages. Note for example the [man | mercenary | recruited person] and [tronitrotoluene | Hexogen | Tetryl] substitutions, or the [suspicious | unnatural | strange] [activity | behavior], or the [power the device | device will be blown up | power the bomb] variants. This is very characteristic spam-template behavior. Subjects reported by the NCFTA include:
Subject: Better listen to me
Subject: Bomb is in your building
Subject: Do not panic
Subject: Do not waste your time
Subject: Dont get on my nerves
Subject: I advise you not to call the police
Subject: I've collected some very interesting content about you
Subject: keep calm
Subject: My device is inside your building
Subject: Think about how they can help you
Subject: Think twice
Subject: We can make a deal
Subject: You are my victim
Subject: You are responsible for people
Subject: Your building is under my control
Subject: Your life is in your hands
Subject: Your life can be ruined, concentrate
Subject: You're my victim
(If you have examples of other Subjects, please share them in the comments section)
Hello. There is the bomb (tronitrotoluene) in the building where your company is located. It is constructed under my direction. It has small dimensions and it is hidden very carefully, it is not able to damage the supporting building structure, but you will get many wounded people if it detonates. My recruited person is controlling the situation around the building. If he notices any strange activity or policemen the device will be blown up. I want to propose you a deal. $20'000 is the value for your safety. Pay it to me in BTC and I assure that I have to withdraw my recruited person and the bomb will not explode. But do not try to deceive me- my assurance will become actual only after 3 confirms in blockchain. It is my btc address : 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM
Good day. My mercenary hid an explosive device (Hexogen) in the building where your business is conducted. It was assembled according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this bomb, but in case of its explosion you will get many victims. My mercenary is watching the situation around the building. If he notices any suspicious behavior, panic or cops he will blow up the bomb. I want to propose you a bargain. You transfer me 20'000 usd in BTC and the bomb will not explode, but don't try to deceive me -I guarantee you that I have to withdraw my man only after 3 confirmations in blockchain network. It is my Bitcoin address : 1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v You must send bitcoins by the end of the working day.
My mercenary has carried an explosive device (Tetryl) into the building where your company is located. It was assembled under my direction. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this explosive device, but if it detonates there will be many victims. My recruited person is watching the situation around the building. If he sees any unusual behavior or policemen he will power the device. I would like to propose you a deal. 20.000 dollars is the cost for your life. Tansfer it to me in BTC and I ensure that I will call off my man and the bomb will not explode. But do not try to fool me- my warranty will become valid only after 3 confirms in blockchain network. Here is my BTC address - 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM You have to pay me by the end of the working day, if you are late with the payment the device will explode.
Good day. I write you to inform you that my mercenary hid an explosive device (lead azide) in the building where your company is located. My recruited person constructed a bomb under my direction. It can be hidden anywhere because of its small size, it can not damage the supporting building structure, but you will get many victims in case of its explosion. My mercenary keeps the territory under the control. If he notices any unnatural behavior or emergency he will power the bomb. I can call off my man if you make a transfer. 20'000 usd is the price for your safety. Pay it to me in Bitcoin and I guarantee that I will call off my mercenary and the device will not detonate. But do not try to cheat- my assurance will become valid only after 3 confirmations in blockchain.
Good day. There is a bomb (tronitrotoluene) in the building where your company is conducted. My recruited person constructed the explosive device according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the structure of the building by my explosive device, but in case of its explosion you will get many victims. My man keeps the territory under the control. If any unnatural behavior, panic or emergency is noticed the device will be blown up. I can call off my recruited person if you make a transfer. 20'000 usd is the price for your safety. Tansfer it to me in Bitcoin and I ensure that I will withdraw my mercenary and the bomb won't explode. But do not try to deceive me- my warranty will become valid only after 3 confirms in blockchain network. My payment details (Bitcoin address): 1CDs3JXUU6wNmndAF7EFcrJ6GGSYRKXd7w
My man hid a bomb (lead azide) in the building where your business is conducted. It was constructed according to my guide. It is small and it is hidden very well, it is impossible to destroy the supporting building structure by this explosive device, but you will get many victims in the case of its detonation. My mercenary keeps the territory under the control. If any unnatural activity or emergency is noticed the bomb will be blown up. I would like to propose you a deal. You transfer me $20'000 in Bitcoin and explosive will not explode, but do not try to cheat -I warrant you that I will call off my man solely after 3 confirmations in blockchain network.
Hello. There is the bomb (lead azide) in the building where your business is conducted. My man built the explosive device according to my instructions. It is compact and it is hidden very carefully, it is impossible to damage the structure of the building by this explosive device, but if it detonates you will get many victims. I would like to propose you a bargain. 20.000 dollars is the cost for your life. Pay it to me in BTC and I guarantee that I have to call off my man and the device will not explode. But do not try to cheat- my guarantee will become valid only after 3 confirmations in blockchain network.
My man has carried the explosive device (tronitrotoluene) into the building where your business is conducted. My recruited person constructed the bomb according to my guide. It can be hidden anywhere because of its small size, it can not destroy the supporting building structure, but in the case of its detonation there will be many wounded people. My man is controlling the situation around the building. If any unnatural activity, panic or policeman is noticed the device will be blown up.
I write you to inform you that my recruited person carried the explosive device (Tetryl) into the building where your business is located. It is assembled according to my instructions. It can be hidden anywhere because of its small size, it is impossible to destroy the building structure by this bomb, but in case of its explosion there will be many victims. My man is controlling the situation around the building. If he sees any suspicious activity, panic or emergency the device will be exploded. I can withdraw my mercenary if you make a transfer. You transfer me 20.000 dollars in Bitcoin and the device will not detonate, but don't try to fool me -I ensure you that I will withdraw my recruited person only after 3 confirmations in blockchain. Here is my BTC address - 161JE4rHfvygXUVLya8N2WFptjwon2172t
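As an added example (not code from the post or from BitCoinAbuse.com), a small Python triage helper that pulls Base58Check-valid bitcoin addresses out of a body, records which value filled each randomized template slot, and clusters reports on sending IP, Subject or address as recommended above. The sending IPs are constructed RFC 5737 placeholders and the slot vocabularies are assumptions taken from the samples quoted on this page.

```python
import hashlib
import re
from collections import defaultdict
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)   # legacy Base58Check shape
# Substitution slots seen in the template; the values are those quoted in the post.
SLOTS = {
    "explosive": r"\((tronitrotoluene|Hexogen|Tetryl|lead azide)\)",
    "agent": r"\b(mercenary|recruited person|man)\b",
    "trigger": r"(power the device|power the bomb|blown up|blow up the bomb)",
}
# Constructed corpus: body extracts from the post; the IPs are RFC 5737 placeholders.
SAMPLES = [
    {"ip": "203.0.113.10", "subject": "Bomb is in your building",
     "body": "There is the bomb (tronitrotoluene) in the building. My recruited person "
             "is controlling the situation. If he notices any policemen the device will "
             "be blown up. It is my btc address : 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM"},
    {"ip": "203.0.113.10", "subject": "Do not panic",
     "body": "My mercenary hid an explosive device (Hexogen) in the building. If he "
             "notices cops he will blow up the bomb. Address : 1LrZorkdqzPsg8JaGLwjLwg35viiH1Sv9v"},
    {"ip": "203.0.113.77", "subject": "Think twice",
     "body": "My mercenary carried an explosive device (Tetryl) into the building. If he "
             "sees policemen he will power the device. BTC - 15qH84uLC49CmC6jRE958Qjcf9WRZ2rMuM"},
]

def b58check_ok(addr):
    """Verify the 4-byte double-SHA256 checksum of a legacy (P2PKH/P2SH) address."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")          # version(1) + hash160(20) + checksum(4)
    except OverflowError:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

def extract_addresses(text):
    """Return (address, checksum_ok) for every Base58-shaped token, in order."""
    return [(a, b58check_ok(a)) for a in ADDR_RE.findall(text)]
def template_slots(text):
    """Which substitution value filled each slot of the template in this body."""
    return {slot: sorted(set(re.findall(pat, text))) for slot, pat in SLOTS.items()}
def cluster(samples, pivot):
    """Group report subjects on one pivot: 'ip', 'subject' or 'address'."""
    groups = defaultdict(list)
    for s in samples:
        keys = [a for a, _ in extract_addresses(s["body"])] if pivot == "address" else [s[pivot]]
        for k in keys:
            groups[k].append(s["subject"])
    return dict(groups)
```

Running the checksum before filing a report catches a mistyped address; a typo would otherwise create a new, empty cluster instead of joining the real one.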
These were EVERYWHERE - NOT targeted
Dozens of law enforcement agencies tweeted about these threats being received in their local area. If you are aware of such "official" tweets, please leave a link to the Twitter Status report in the comments section below.
Even AFTER it was well known that these were hoaxes, many law enforcement agencies continued to respond with full bomb squad roll-outs. Given the history in Oklahoma City, this was especially understandable there, but wasted a tremendous amount of resources as they responded to AT LEAST thirteen threats just in that city!
Here are a few examples, and then a longer list in Table form:
- https://twitter.com/HsvPolice/status/1073310129284661254
- https://twitter.com/PelhamPoliceAL/status/1073323648436658176
- https://twitter.com/TulsaPolice/status/1073309200967761923
- https://twitter.com/houstonpolice/status/1073320693507506177
In fact, every sending IP we have seen at Cisco Talos from the bomb threat email attack was sent through IP space owned by reg.ru. The OSINT IoC data gathered in the Extortion-Scam.pdf sent by NCFTA included at least one BTC address that was used in sextortion, but NOT (AFAICT) in the actual bomb campaign. 1P55eXM8gxmwjSbqEpBWLBBvJQ7C1BmRH3
That's great information! Thank you! Talos is doing a great job as usual!
A couple of those email subjects from NCFTA also look like they are the "we made a video of you watching porn" instead of the bomb ones. Will ask for clarification.