Law enforcement agencies across the country spent the better part of yesterday evening investigating a slew of bomb threats delivered by email to businesses and universities across the US and Canada. The hoax email warning that an explosive device was in the recipient’s place of work evoked fear among many Americans yesterday, according to KrebsonSecurity.
Different variations of the email were distributed with subject lines that read “Think Twice” or “--SPAM--My device is inside your building,” as seen in the image below. The emails demand payment in Bitcoin to have the bomb removed.
"We are aware of the recent bomb threats made in cities around the country, and we remain in touch with our law enforcement partners to provide assistance," an FBI statement read. "As always, we encourage the public to remain vigilant and to promptly report suspicious activities which could represent a threat to public safety."
In addition, the New York Police Department Counterterrorism Bureau asserted that the threats are not considered credible. Law enforcement agencies from Raleigh to Chicago and dozens of other cities also responded to threats, none of which have been substantiated.
“All it takes is one successful payout to make this scheme worthwhile for the perpetrator. This is a high-risk extortion attempt because there's no doubt it would garner significant attention from law enforcement,” said Tim Erlin, VP, product management and strategy at Tripwire.
“At this point, it's unclear if there's an additional motive beyond extortion. It is clear, however, that disruption has been a consequence. There will be an in-depth investigation into who is behind this campaign, and it's likely they'll be identified.”
The ease with which an attacker can craft such a large-scale disruption has ignited concern. “While these Bitcoin demands seem over the top, the disruption can cost millions in police time alone, and the potential for this to escalate with copycats is always alarming,” said Atiq Raza, CEO of Virsec. “As new extortion ideas get out there, the potential for serious, targeted attacks on high-value cyber-targets will only increases."
Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, said that the incident should serve as a reminder to all organizations that they must conduct regular training of their employees as to the different types of threats.
"As with any trend, there is the genuine product, and there are copycats. What we have seen here would be the latter. However, given the availability of hacker tools for hire and personal data for low prices, it will become harder to separate the two. The bad guys continue to look for any vulnerabilities they can find in one’s security controls. This is just another example, with the hope that a small percentage of the targets will act on the email.”