Cybercriminals are promising salaries of up to $360,000 a year to accomplices who seek to extort high net worth individuals such as C-level executives, lawyers, and doctors.
These offers can be even higher for those with network management, penetration testing, and programming skills: one threat actor was willing to pay the equivalent of $768,000 annually, rising with add-ons to a final salary of $1,080,000 per year after the second year, according to a recent report by Digital Shadows.
The “A Tale of Epic Extortions: How Cybercriminals Monetize Our Online Exposure” report detailed how digital extortionists are monetizing unwanted online exposures such as compromised credentials, vulnerabilities, sensitive data, and explicit images in sextortion attacks.
Experienced extortionists are promising salaries of more than $30,000 through tutorials and recruitment posts that claim new recruits can make a decent living from cyber sextortion scams directed at high net worth individuals like executives, lawyers, and doctors, with more promised to those with greater technical skill sets.
In addition, extortionists are adopting crowdfunding models, which allow them to raise funds from the general public rather than relying on victims to give in to ransom demands.
Between July 2018 and February 2019, researchers counted 89,000 email recipients of sextortion attempts, 792,000 total attempts against target emails, 92 Bitcoin addresses that received payments, and $332,000 in total extortion payments received.
High-Tech Bridge CEO Ilia Kolochenko said these numbers undermine the long-term sustainability of commercially motivated bug bounties, and that we will likely see a decline in the number of skilled people involved in crowd security testing, as they can either find a highly competitive salary in the industry or shift to the dark side.
“Shadow economy is not subject to governmental control or regulation anymore,” Kolochenko said. “In the past, cybercriminals were restrained by money laundering difficulties in the cyber space, but with the rise of cryptocurrencies virtually any illicit income of any size can be legalized without legal ramifications.”
Kolochenko added that highly competitive salaries and other forms of remuneration in cyber gangs are widely spread and have been for a while.
He went on to add that, unlike inefficient cybersecurity startups looking for the next investment round as a universal remedy for past failures, cybercriminals are very well organized, disciplined and managed, with the sole objective of maximizing their short-term profit as opposed to “becoming a unicorn or running a successful IPO in ten years.”
To minimize the effects of potential extortion attempts, researchers recommend that victims do not respond to sextortion emails, use HaveIBeenPwned to find previously breached accounts, and develop a ransomware playbook.
In addition, potential targets should look to shrink their attack surface, apply best practices for user permissions, secure email end users, and submit a complaint to the FBI’s IC3 if contacted by criminals.