Phorpiex Botnet Reinvents Itself as Sextortion Email Distributor

The Phorpiex (aka Trik) botnet has been active for nearly a decade and operates more than 500,000 infected hosts. And, according to research just released by Check Point, it has recently morphed to generate income in a whole new way – by running large-scale “sextortion” email campaigns.

Image Courtesy of Check Point Research

Evolve or Die

In the past, Phorpiex was monetized primarily by distributing other malware, including GandCrab, Pony and Pushdo, and by siphoning off its hosts’ computing power to mine cryptocurrency. Recently, like any virus, Phorpiex evolved again, adding sextortion emails as its latest form of revenue generation.

Extortion Email on the Rise

In 2018 the FBI’s Internet Crime Complaint Center registered a 248% increase in extortion email activity. The majority of that email? Sextortion, of course! And why not? Once you have the assets in place such as an underutilized botnet, a high volume sextortion email campaign can generate a healthy passive income 24X7X365.

Leveraging a Cheap Commodity for a Novel Use

One of the more clever aspects of the sextortion scam is the use of real passwords to bolster the veracity of the email’s claims, thereby increasing the compliance rate of the victims.

Leaked credential lists whose passwords don’t necessarily match the associated email addresses are very inexpensive on the black market. That’s because such a pairing won’t actually log you into a real email account. However, when used to scare a sextortion victim into believing you really have incriminating video or pictures of them doing something naughty, they can be pretty convincing, as the income numbers show.

Here is how this inexpensive data is used in the email:

From: Save Yourself
Subject: I recorded you – ██████

Hi, I know one of your passwords is: ██████

Your computer was infected with my private malware, your browser wasn’t updated / patched, in such case it’s enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more – Google: “Drive-by exploit”.
My malware gave me full access to all your accounts (see password above), full control over your computer and it also was possible to spy on you over your webcam.

The email goes on but it is that initial “proof” that is being bought in huge quantities for very little money that makes the campaign work so well.
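The lure pattern above (a leaked password quoted as “proof”, alarmist malware claims, and a Bitcoin payment demand) is regular enough to score in a mail filter. The following is an added example, not code from the original post or from Check Point; the two messages and the Bitcoin-looking address are constructed for the demo, and the scoring thresholds are assumptions.

```python
import re
from email import message_from_string

# Constructed sample messages (not real campaign data); the BTC address is fake.
SAMPLE_SEXTORTION = """From: Save Yourself <noreply@example.invalid>
Subject: I recorded you - hunter2

Hi, I know one of your passwords is: hunter2

Your computer was infected with my private malware, your browser wasn't updated / patched.
My malware gave me full access to all your accounts (see password above).
Send 0.15 BTC to 1FakeBTCaddre55ForDemoPurpose5xyzAB within 48 hours.
"""

SAMPLE_BENIGN = """From: IT Helpdesk <helpdesk@example.invalid>
Subject: Password policy reminder

Hi, please remember to update your password before the end of the month.
"""

# Phrases characteristic of the Phorpiex-style lure quoted in the post.
LURE_PHRASES = [
    r"i know one of your passwords is",
    r"i recorded you",
    r"private malware",
    r"drive-by exploit",
    r"spy on you over your webcam",
    r"full access to all your accounts",
]
# Legacy (P2PKH/P2SH) Bitcoin address shape: base58, starts with 1 or 3.
BTC_ADDR = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
# The "password as proof" claim: capture what the sender says the password is.
PASSWORD_CLAIM = re.compile(r"passwords? is:\s*(\S+)", re.IGNORECASE)

def score_sextortion(raw: str) -> dict:
    """Score a raw RFC 5322 message for Phorpiex-style sextortion indicators."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in LURE_PHRASES if re.search(p, text)]
    btc = BTC_ADDR.findall(body)
    pw = PASSWORD_CLAIM.search(body)
    # Assumed weighting: each lure phrase 1 point, wallet and password claim 2 each.
    score = len(hits) + (2 if btc else 0) + (2 if pw else 0)
    return {"score": score, "phrases": hits, "btc_addresses": btc,
            "claimed_password": pw.group(1) if pw else None,
            "verdict": "sextortion" if score >= 3 else "clean"}

if __name__ == "__main__":
    for sample in (SAMPLE_SEXTORTION, SAMPLE_BENIGN):
        print(score_sextortion(sample))
```

The captured password is useful on the defensive side too: checking it against the recipient’s current credentials tells you whether the leaked list is stale or whether a password reset is actually warranted.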

$22,000 a Month from 30,000 Emails an Hour

Check Point researchers have monitored the activities of the Phorpiex campaign for 5 months and during that time the campaign wallets have taken in more than 14 Bitcoins equating to a respectable $22,000 per month. Not bad for an auto-pilot business that leverages its 500,000 zombie computers to send out up to 30,000 emails an hour.

Extortion, Malware, Phishing: We’ve Seen It All

At Konsultek we specialize in giving our customers peace of mind through customized security solutions that utilize the most advanced prevention, detection and response technologies available.

Have manpower or talent issues? Our managed security suite allows organizations to gain access to superb security engineers as needed without the expense and hassle of recruiting and hiring staff. Call us today to learn about how your organization’s future can become more secure.

© Copyright 2018 Konsultek