You are responsible for people.’
It was one of a dozen or so subject lines that shouldered their way into people’s inboxes across the world last week, bringing with it a sobering threat of violence via bomb threat.
For the past year Forcepoint Security Labs have been monitoring a persistent strain of hoax emails attempting to blackmail or otherwise extort their recipients. This type of email has been widely reported, and the sheer scale indicates that it can’t be taken as anything but an empty threat.
Violence as a motivator
However, one of last week’s campaigns brought with it a significant change: instead of sending wild (and occasionally lurid) threats of embarrassment, the perpetrators were threatening victims with bomb and acid attacks.
These hoaxes attempt to gain some credibility by mentioning explosive chemical names (e.g. hexogen, lead azide, trinitrotoluene, tetryl). These messages further included a higher than previously recorded demand of $20,000 – presumably as the perpetrators now expected to be targeting organisations with more money at their disposal than the individuals targeted by previous campaigns.
However, the complete lack of specific information about the victim within the email is the first suggestion that all is not as it seems, and inspection of the campaign overall reveals a template email sent to many different companies across the world.
Non-specific phrases such as ‘the building where your company is located’ and ‘you must send money by the end of the working day’ highlight the catch-all nature of the emails and would imply a bizarre lack of knowledge on the part of the perpetrator in the case of a real bomb threat.