Thursday's massive spam campaign that sent bomb threats to hundreds of thousands of users across the US and Canada, and caused evacuations of buildings across several cities[1], was carried out by the same group of spammers responsible for the recent wave of sextortion scams, two cyber-security firms said on Friday.
"Multiple IPs involved in sending these bomb threats also sent various types of sextortion email that we saw in the previous campaign," said[2] Jaeson Schultz of Cisco Talos.
According to AppRiver[3], the bomb threat emails and the older sextortion campaigns all came from the 194.58.X.X IP space.
The bomb threats send on Thursday tried to scare users by threating to detonate a bomb at their workplace if the victim didn't pay $20,000 worth of Bitcoin within a few hours.
The spammers behind this campaign stopped sending bomb threats on Friday, most likely realizing that this campaign won't yield any results, especially after the FBI, the police, and the media told everyone to ignore the threats and not pay the ransom demand.
And according to Cisco Talos, no one did. Schultz said that Talos discovered 17 Bitcoin addresses inside the bomb threat extortion emails, but none held any money.
"Only two of the addresses have a positive balance, both from transactions received Dec. 13, the day the attacks were distributed," Schultz said. "However, the amounts of each transaction were under $1, so it is evident the victims in this case declined to pay the $20,000 extortion payment price demanded by the attackers."
But the spammers have not given up. Talos said that as soon as their bomb threat campaign appeared to hit a dead end, the group switched to another one.
"The attackers have