Sextortion group behind bomb threat spam campaign

The mass-emailed bomb threats, which demanded bitcoin payments, seem to have come from a sextortion group.

The emailed bomb threats, which demanded bitcoin payments of up to $20,000 from banks, courthouses, schools, universities, news outlets, and organizations for not detonating bombs, and which later morphed into emailed threats to throw acid on victims, seem to have come from sextortion scammers.

Cisco Talos researcher Jaeson Schultz discovered the phony bomb threat scare campaign was an evolution of a sextortion campaign that occurred in October. He pointed out similarities between the way the emails were written, as well as the bitcoin demand.

“Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign,” he said.

Of the 17 different bitcoin addresses used in the bomb scare scam, only two had a positive balance.

“However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers,” Schultz said.

After the mass bomb threat campaign bombed, the attackers went back to threatening individuals — this time threatening to throw acid on the victim if the attackers did not get their demanded bitcoin payment.

Other cybersecurity news:

New Shamoon malware variant destroyed data at Italian energy firm

Last week, Italian oil services company Saipem Engineering Energy admitted that 400 of its servers were hit with a cyber attack. Come to find out, the company had been hit with a new variant of Shamoon malware. A researcher from Chronicle, the cybersecurity arm of Google owner Alphabet, discovered this variant had been uploaded to VirusTotal. While Shamoon typically is a wiper, deleting and replacing files such as it did in two attacks against Saudi Aramco, this new Shamoon variant is reported to “irreversibly encrypt the files.”

Facebook bug exposed up to 6.8M users’ private photos to devs

Facebook admitted that a photo API bug may have leaked users’ private photos for 12 days to developers. “We believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers,” the company said.

Facebook is “sorry this happened.” Users potentially impacted by the bug will be notified via an alert on Facebook.

Chinese hackers still breaching U.S. Navy contractors

Chinese government hackers are still going after U.S. Navy contractors. The Wall Street Journal reported on a series of incidents over the past 18 months that focused on the Chinese trying “to steal everything from ship-maintenance data to missile plans.”

U.S. ballistic missile defense systems failed cybersecurity audit

It’s not just Navy contractors who have shoddy security. U.S. ballistic missile defense systems (BMDS) recently failed a cybersecurity audit. While the Department of Defense Inspector General’s report (pdf) is heavily redacted, the IG recommended, among a long list of things, that BMDS facilities use security controls such as multifactor authentication, encrypt data stored on removable devices, and keep track of what is being copied.

Creepy spying by Taylor Swift and Amazon doorbell

From the creepy spying department, Taylor Swift used facial recognition on fans and Amazon wants to use facial recognition spying in a doorbell.

Rolling Stone reported that at the Rose Bowl venue in California, Taylor Swift concert goers, who looked up at a display featuring Swift’s rehearsal clips, had their faces captured by a hidden camera inside the display. Their images were sent to a command center to check them against a list of potential stalkers.

The ACLU is not happy about “Amazon’s disturbing plan to add face surveillance to your front door.” Thanks to a patent application with “nightmarish detail,” the ACLU found out that Amazon wants a spying doorbell “system that the police can use to match the faces of people walking by a doorbell camera with a photo database of persons they deem ‘suspicious.’ Likewise, homeowners can also add photos of ‘suspicious’ people into the system and then the doorbell’s facial recognition program will scan anyone passing their home. In either case, if a match occurs, the person’s face can be automatically sent to law enforcement, and the police could arrive in minutes.”

123456 is still the most popular yet pathetic password used in 2018

You need only glance at SplashData’s list of “Worst Passwords of 2018” to see that some people don’t seem to be getting any better at creating secure passwords. In fact, “2018 was the fifth consecutive year that ‘123456’ and ‘password’ retained their top two spots on the list. The next five top passwords on the list are simply numerical strings.” Of the 25 worst passwords, the following are the top 10 worst passwords of 2018.

  1. 123456
  2. password
  3. 123456789
  4. 12345678
  5. 12345
  6. 111111
  7. 1234567
  8. sunshine
  9. qwerty
  10. iloveyou