True North Networks Blog
Phony Data Theft, Like Phony Sextortion
Extortionists are sending phony threats to website owners informing them that their sites’ databases will be leaked unless they pay a ransom of between $1,500 and $3,000, BleepingComputer reports. The scammers claim to have discovered a vulnerability in the target’s website that allowed them to steal the victim’s entire “database,” and they say they’ll either sell or publish the data to destroy the site’s reputation unless the victim pays up within five days.
“We will systematically go through a series of steps of totally damaging your reputation,” the email says. “First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.”
These emails are effective because the threats are plausible, or at least difficult to completely disprove. The website’s administrator might not be able to determine if the vague claim is true before the deadline hits, and the threats to manipulate the site’s SEO standing would grab the attention of any website owner. Additionally, many ransomware operators are now employing similar tactics by stealing data before encrypting it in place, and then using the stolen data as leverage in their ransom demands.
However, BleepingComputer points out that the emails don’t offer any evidence that the site was hacked. If the attackers had actually exfiltrated any data, they would be expected to prove it by sending a sample of the data or pointing to the vulnerability they exploited.
This scam is similar to a common sextortion technique in which a scammer claims to have embarrassing webcam footage of the recipient. The recipient has no way of knowing for sure whether the claims are true, so they might end up sending the money just in case.
People who receive these types of emails should assume the claims are bogus, and searching the Internet can provide further reassurance. In this case, BleepingComputer links to multiple examples of people posting on support forums asking if the emails are legitimate, showing that the scammers are indiscriminately sending out the same email template to many website and blog owners in the hope that some will fall for the scheme.
Caving to these types of extortionists is never a good idea. Even if your site’s data was actually stolen, paying a ransom is no guarantee that the attackers won’t sell the data anyway, and there’s nothing stopping them from coming back for more money. New-school security awareness training can teach your employees to remain calm and seek out trustworthy advice when they’re targeted with these tactics.