Emotet sextortion campaigns are netting much more money than similar Necurs campaigns, researchers find

Emotet operators are targeting victims through their work email rather than webmail accounts

Emotet spam campaigns focused on so-called 'sextortion' have netted fraudsters considerably more than comparable Necurs campaigns, according to security researchers at IBM X-Force.

They claim to have observed a recent Emotet spam campaign netting ten times more money than a previous Necurs spam campaign.

The first instances of the sextortion email scam were noticed in July 2018 when cyber criminals started sending spam emails to potential targets, claiming that they had video clips showing victims watching adult sites. In some cases, the scammers also sent victims their passwords (leaked with their email addresses) in order to add credibility to their emails.

IBM X-Force researchers have disclosed details of the new sextortion campaigns, in which the cyber crooks sent spam emails to potential victims via the Emotet botnet. Researchers found this Emotet spam to be more successful in terms of netting money, bringing in nearly 10 times the money received by a comparable Necurs campaign.

There are two main reasons for this, the researchers said.

First, Emotet tends to target victims through their work email, whereas Necurs typically affected the webmail accounts of potential victims. Receiving an extortion message at a work email address normally puts more pressure on recipients. It adds to their embarrassment and pushes them to pay quickly to get rid of the problem.

Secondly, Emotet operators ask victims to pay the ransom in Bitcoin, which carries a higher value than the Dashcoin that Necurs spam demands.

The Necurs J38 campaign that researchers focused on in the current study lasted for seven weeks. During that period, cyber criminals sent millions of spam emails per day.

"By December 3, 2019, the J38 campaign netted Necurs about $4,527," the researchers said.

"A week-long campaign by Emotet combined a scam with the additional hit of infecting recipients with malware. Between January 23 and January 28, 2020, the campaign used 24 different Bitcoin wallets in the emails sent to potential victims."

"The campaign's total was $57,000, over 10 times more than the longer-term campaign run by the Necurs botnet."

According to researchers, many victims also decide not to pay the ransom to Emotet operators. In that case, the gang continues to infect the victim's system or network with the Emotet Trojan.

Researchers believe Emotet operators probably allow other gangs to use the infected infrastructure for cybercriminal activities, and charge money in return for the service.