Phorpiex Botnet Behind Large-Scale 'Sextortion' Campaign
Scammers Made Over $110,000 in Five Months, Researchers Say
Scammers are tapping into the notorious Phorpiex botnet as part of a far-ranging "sextortion" scheme, which helped cybercriminals collect about $110,000 from victims over a five-month spam campaign earlier this year, researchers with security firm Check Point revealed Wednesday.
At one point during this recent campaign, the Phorpiex botnet was sending out over 30,000 spam emails every hour to different victims, mainly in the U.S., in the hopes that someone would fall for the sextortion scam. By using this particular botnet to send out the spam, the attackers could have reached some 27 million potential victims, the researchers estimate.
Sextortion schemes typically involve a spam email that demands bitcoin or other types of virtual payment from victims in exchange for not posting their personal, intimate videos online, or for not revealing their pornographic video viewing habits to friends and family members.
In the case of this latest scheme involving the Phorpiex botnet, the attackers also claimed to have different combinations of victims' passwords and user names. The scammers may have pulled these credentials from various dark net sites selling personal data stolen during previous breaches, a spokesperson for Check Point tells Information Security Media Group.
The presence of legitimate usernames and passwords may have prompted more victims to pay up compared to if the sextortion scheme only relied on spam emails, the Check Point spokesperson says.
The use of stolen credentials as part of these sextortion schemes has previously been documented by security firms such as Barracuda Networks, although not in combination with a botnet sending out mass spam emails (see: Sextortion Scam Wields Stolen Passwords, Demands Bitcoins).
Phorpiex is a mid-sized botnet that has been around for about a decade and is comprised of about 500,000 infected Microsoft Windows devices, according to Check Point. In previous campaigns, cybercriminals have used this particular botnet to spread other types of malware, including GandCrab, Pony and Pushdo (see: GandCrab Ransomware Partners With Crypter Service).
In addition, the Phorpiex botnet, which is also called Trik, has been used for cryptomining, the Check Point researchers say. In 2018, Proofpoint published a detailed analysis of the botnet and the various criminal groups that have rented out its capacity over the past 10 years.
The Check Point researchers note that the new sextortion activity using Phorpiex could be an experiment that happened to produce good results. "The change is relatively nascent. Typically, Phorpiex is used for different purposes. To us, it seems like it was an experiment that quickly became a proof-of-concept situation. We can expect them to scale out," the Check Point spokesperson tells ISMG.
With this sextortion scheme, the scammers collected about 14 bitcoins in total, which are worth about $110,000. This means that over five months, this low-cost scheme netted the attackers about $22,000 a month, which more than covered the cost of renting out the botnet, Check Point researchers say.
During the latest sextortion scheme, the attackers used the Phorpiex botnet to send out spam email blasts to as many victims as possible. Specifically, once a device becomes infected with the Phorpiex malware, it will first connect to a command-and-control server and then download databases filled with emails and passwords, according to Check Point.
Once that is in place, the attackers order the botnet to send out tens of thousands of emails through the Simple Mail Transfer Protocol. The botnet also circumvents Gmail and Outlook to avoid detection, the researchers say.
This low-level but effective approach helped the botnet send out the 30,000 spam emails every hour as part of this campaign, the researchers say.
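The sending pattern described above, an infected workstation pushing mail straight out over SMTP to many destinations instead of through the organisation's mail server, is visible in outbound connection logs. The following detection script is an added example, not code from Check Point or from the article; it assumes a hypothetical firewall log format and a hypothetical sanctioned mail relay at 10.0.0.2, and all log lines it processes are constructed.

```python
"""Spot workstations sending mail directly over SMTP at spam-bot volume.
Added example, not Check Point's or the article's code. Assumes a hypothetical
firewall log format "<ISO timestamp> <src_ip> <dst_ip> <dst_port>" and a
hypothetical sanctioned mail relay at 10.0.0.2; every value below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_RELAY = "10.0.0.2"  # hypothetical: the only host workstations should talk SMTP to

def build_sample_log():
    """Construct log lines: one normal host, one host behaving like a spam bot."""
    start = datetime(2019, 10, 16, 9, 0, 0)
    lines = []
    # Normal workstation: a few messages, all via the sanctioned relay.
    for i in range(3):
        lines.append(f"{(start + timedelta(minutes=i)).isoformat()} 10.0.0.5 {MAIL_RELAY} 25")
    # Bot-like workstation: 40 direct connections to 40 different mail servers in one minute.
    for i in range(40):
        lines.append(f"{(start + timedelta(seconds=i)).isoformat()} 10.0.0.9 203.0.113.{i + 1} 25")
    return "\n".join(lines)

def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def direct_smtp_senders(log_text, window_seconds=60, threshold=20, relay=MAIL_RELAY):
    """Return {src_ip: (peak connections in any window, distinct destinations)} for
    hosts whose direct (non-relay) outbound port-25 rate reaches the threshold."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 25 and dst != relay:  # mail that bypasses the sanctioned relay
            per_host[src].append((ts, dst))
    flagged = {}
    for src, events in per_host.items():
        events.sort()
        peak, left = 0, 0
        for right, (ts, _) in enumerate(events):  # sliding window over sorted times
            while (ts - events[left][0]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = (peak, len({dst for _, dst in events}))
    return flagged

if __name__ == "__main__":
    print(direct_smtp_senders(build_sample_log()))  # {'10.0.0.9': (40, 40)}
```

A workstation with a high rate of direct port-25 connections to many distinct mail servers is the signature to alert on; blocking outbound TCP/25 from endpoints other than the relay removes the channel entirely.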
In this case, the victims would see the spam email, which claimed that the attackers had recorded their activities through their PC's webcam, the researchers say. While that claim was fake, the attackers also included victims' passwords and usernames taken from dark net sites to add a greater sense of urgency.
Overall, the Check Point researchers believe that as many as 150 different people fell for this scam.
Managing Editor Scott Ferguson contributed to this report.