E-Mail Extortion: A Sordid Tale

I have a paranoid security team. Which is good. I also have paranoid users who don't trust security people. Which is not so good. I discovered this a few years back when a co-worker came into my office, red in the face, eyes puffy and greatly upset. "What on earth is the problem?" I asked in my best official-yet-caring management voice. Between sobs, she explained that, a week earlier, she had gotten an e-mail about the then upcoming Olympics in Greece.

Since her nephew was hoping to be on the US track team, my co-worker was hoping to learn something that might help him. It took a while for a webpage to open up, but when it did, she read all about Greece and the Olympics.

Two days later, she got an e-mail from an unknown address asking for $50 (about Rs 2,750) or they would tell her management that she had been surfing pornography sites. They even said they could prove she had downloaded child pornography!"They even told me which directory it was in on my computer," she cried.

"And sure enough, when I looked there, I found the most disgusting pictures," she added, sobbing.

This was one of the most conservative people I know, and of course she would never do such a thing. She had even asked me once if it was OK to write a personal letter on her desktop and print it off on one of our laser printers.

The Olympic site was immediately suspect to her because it had taken so long to load the pages. "My computer is never that slow," she said.

"Did you pay them?" I asked.

"No," she said. "But they sent another e-mail this morning reminding me I had only two days left to pay them. So I figured I'd better talk to you about it."

Unfortunately, security sometimes involves dealing with scumbags who prey on others. I knew immediately that this was an extortion attempt, and calmed her fears. And, as I said, we have a pretty good security crew. Wonderfully paranoid. So I set them on a path to track down the offending organization and get to the bottom of what was going on.

First reports came rolling in almost instantly. My co-worker had kept all her e-mails from the extortionist, and had not turned off her system since the files were transferred to it, so the IS people had a pretty good look at logs and files to find out what they could reconstruct and get some ideas. They could see that she had, indeed, gotten the e-mail and then clicked on the URL, just as she said.

Logs on her system showed an FTP file transfer from an IP address in Bulgaria. In all, there were three files that were named the same as the three we found on her system. They also found some text and GIF files about Greece. The system keeps 20 days' worth of file caches on what users have viewed on the Web, and if you know where to go on the system, you can see all of it.

The team copied everything to a CD. They also copied her Internet and website caches to CD in case we needed them later. They made a complete copy of her hard drive and burned that to a DVD.

"Looks as if things happened just as she said," the internal information security manager told me.

After that, we checked her e-mail client and the server backups. She had received an e-mail two days after the initial message asking for money and a credit card number. Luckily, she didn't give them one.

Here's the interesting part, though. When we were checking the firewall access logs, we found that the same IP address was active 27 times that day to other end-user systems on our network. Twenty-seven times! We did some checking and found that at least 15 other employees were hit with the same scam on the same day.

Why hadn't anyone told us? I was completely aghast.

That's when I learned about the paranoid users. Some knew it was a scam, but some were truly afraid of losing their job. A few confessed to visiting porn sites on their computer at home and thought this was related. Three employees responded to the threat by divulging credit card numbers and now have problems with charges on their card.

We told them what was going on and had them call their credit card companies right away.

Then we put some blocks in our e-mail filters to kill off any more e-mails like that one. We blocked the IP addresses from FTP and Web access in case the same culprits try it again. We decided to do the same procedure again if they change addresses or e-mail message types.

Filtering is a very on-or-off type of experience. We don't usually pick up any changes in the attack automatically, and so we decided to see a sample to tune the filters and kill off other variants of the message as well. It was the same problem we had with the spam filters. Spammers have an easy time tweaking messages to get around any filters we set up.

What fun. Security gets messy when it involves employees' privacy and protection from things like this. I have had to deal with the lovelorn stalker e-mail and the vicious ex-spouse mail several times.

This was my first extortion scam, but it turned out, it wasn't the first that my company dealt with.

"We have this down to a science," my security team told me proudly.

"What do you mean by that?" I asked. "Why haven't I known about the others?"

"They happened before you came to work here," they explained. But they happened.

Apparently, we've had get-rich-quick schemes, extortion by people claiming to know where users live and to be watching them, and one that targeted parents and claiming that their kids were being watched. All kinds of awful nonsense. "We usually put in the blocks, save the data to CD, call the FBI and send them copies of what we find," they told me. "It's like a fire drill for us now. We know what to do automatically."

"How often does something happen?" I wondered.

"Oh, probably 10 or so times a year...."

It seems it happens a lot more often than most people think. Most companies don't have an internal information security department to investigate and block this stuff, and many employees never say anything about it for fear of losing their job. One of my fed buddies told me that the government estimates that several million dollars are lost by employees every year to this sort of activity.

I arranged for a company meeting to let everyone know what was going on and what we were doing about it. At the end of the meeting, I asked why it was that almost 30 people knew and yet only one came forward to tell us.

"We were afraid of losing our jobs," said one employee.

"Why was that?" I asked.

"Because the former CSO had several people fired because she suspected falsely that they had visited porn sites. Some of us went to bat for them and told her they didn't do it, but she insisted that their activities were chronic and that she had logs off the Web filtering system that proved they were chronic offenders," the employee answered.

Several others chimed in: "We can't trust the security department to hear our side of the story, so it's better to keep quiet."

Checking back with the security teams, I found out that the rumors were true about my predecessor and that people were fired for what she thought was porn-surfing during office hours on company equipment.

The technology staff tried to explain to her that what she thought was surfing was really those pop-up browser ads for porn sites. Some legit websites allow sponsored pop-ups for the porn-ad industry, and those erroneously make it look like the employee is frequenting porn sites.

Sometimes, the pop-ups keep coming up and that means that their activities look repetitive toward a porn IP address that they may never have actually visited on their own. But the former CSO wouldn't take the time to listen, so some employees got fired for visiting porn sites they never actually visited.

Well, at least I now know why I've been treated as The Great Unwashed by some employees. Many security tyrants out there don't consider all angles to a potential security problem. And that's worrying.

At least, my co-worker's problem with pornography was solved, and the employees know that I am not the Ogre of Security Departments Past. Let's hope that will stick with them for a while.

Nevertheless, I'll need to continue to educate employees about security and try to figure out how to get them to trust my new security regime.

This column is written anonymously by a real CSO. Send feedback on this column to editor@cio.in.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anonymous

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts