‘Aaron Smith’ Sextortion Scam Appears To Leverage On The Necurs Botnet Infrastructure

 “Talos extracted all messages from these two sextortion campaigns that were received by SpamCop from Aug. 30, 2018 through Oct. 26, 2018 — 58 days’ worth of spam.” reads the analysis published by Talos.

Every message sent as a part of these two sextortion campaigns contains a From: header matching one of the following two regular expressions:

From =~ /Aarond{3}[email protected]/

From =~ /[email protected]{3}.edu/ “


In total, SpamCop received 233,236 sextortion emails related to these “Aaron Smith” sextortion campaigns. The messages were transmitted from 137,606 unique IP addresses. The vast majority of the sending IP addresses, 120,659 senders IPs (87.7 per cent), sent two or fewer messages as a part of this campaign. “


As indicated by them, every sextortion spam message incorporates an installment request that arbitrarily differs from $1,000 up to $7,000 and the quantity of distinct email addresses targeted in the campaigns was 15,826, every beneficiary accepting by and large a 15 sextortion messages. In one case, a beneficiary alone got 354 messages.

Researchers found that around 1,000 sending IP addresses utilized in the Aaron Smith campaigns were additionally engaged with another sextortion campaign dissected by the experts from IBM X-Force in September and that ultimately leveraged the Necurs botnet as well.

Some of the top nations sending sextortion messages incorporate Vietnam (15.9 per cent), Russia (15.7 per cent), India (8.5 per cent), Indonesia (4.9 per cent) and Kazakhstan (4.7 per cent).

Leave a Reply