More ad fraud apps found hiding on Google Play Store

Fraudulent Android app developers have been discovered trying to manipulate Google’s Play Store security by removing suspicious code before adding it back in to see what trips detection systems.

The behaviour was noticed by security company White Ops in two previously fraudulent apps, which it says raises an interesting question: if a fraudulent app developer deactivates the part of an app that makes its behaviour fraudulent, is that app still a fraud app?

The apps were among a small haul of 38 beauty-themed apps the company detected from the same developer which were reported to Google for bombarding users with unwanted ads.

As well as serving out-of-context ads at every opportunity, the apps also sent users to websites and made themselves difficult to uninstall using techniques such as hiding their icons from the home screen and apps folder.

But how did the apps get there in the first place?

This has become a bit of an issue for Google’s security team in recent years. A security vendor or researcher spots multiple apps on the Play Store doing something bad, tells Google, which eventually removes the apps after confirming they’re malevolent.

Of course, uploaded apps are monitored by Google’s automated security checks before being accepted, but this system can be bypassed, as the steady but unchecked stream of bad app discoveries confirms.

It’s not as hard to beat detection systems as it should be. Malicious developers have a range of techniques such as binary packing and even Arabic Unicode to hide malicious code in ways that are hard to spot without employing humans to look at each app and update.

Sometimes, apps contain no fraudulent code at all and simply exploit loopholes in Google’s licensing to do sometimes outrageous things such as charge users hundreds of dollars to continue using them.

But the bigger failure here isn’t that apps are able to sneak on to the Play Store but how long they remain there.

In this incident, the average time it took Google to remove apps was 17 days, with at least one left on the Play Store for three months. That doesn’t sound long until you hear that:

Even with an average of less than three weeks of time on the Play Store, the apps found an audience: the average number of installs for the apps we analyzed was 565,833.

Then the developer unexpectedly updated two apps containing malicious code so that most of the problem behaviour was deactivated.

That’s deactivated, not removed – the change was simply made using a command and control (C2) function, leaving the problem code intact but dormant inside the apps.

According to White Ops, the two tweaked apps are possibly an attempt to work out which criteria Google’s systems use to spot that apps are fraudulent.

In that scenario, the apps might be updated several times, each one activating a different part of the malicious behaviour, until Google detects its malicious intent.

Google took down the apps discovered by White Ops in 2019 but it’s hard not to be left with the impression that Google’s ongoing battle to banish bad apps has a struggle ahead of it.

eBay staff charged with cyberstalking, sending fetal pig and spiders

This is a Halloween mask depicting the face of a bloody pig:

Bloody-pig mask
IMAGE: Court documents

It’s not pretty, but at least it doesn’t scurry. You can’t say the same for the other packages sent in a cyberstalking campaign allegedly orchestrated by eBay management and targeted at a Natick, Massachusetts couple who run an online e-commerce newsletter that’s sometimes critical of eBay.

According to the Department of Justice (DOJ), the mask was one of multiple threatening packages sent by the e-behemoth’s (now former) employees as part of a cyberstalking campaign to bully the couple into closing down their newsletter, the name of which was redacted in court documents. Other packages included a preserved fetal pig, live spiders, fly larvae, a funeral wreath, a book on surviving the loss of a spouse, a box of live cockroaches, and a copy of the porn magazine Hustler: Barely Legal that was addressed to the Natick couple but sent to their neighbors’ homes.

On Monday, the office of Massachusetts US Attorney Andrew Lelling announced that six former eBay employees have been charged with “aggressive” cyberstalking of the couple, including some of them coming up with an excuse to fly in to Boston in order to rent a van and drive out to Natick to conduct covert surveillance.

The criminal complaint is sealed. But according to a redacted affidavit filed by FBI agent Mark Wilson, the victimized couple are the editor (she/her) and publisher (he/him) of an online newsletter that covers e-commerce companies, including eBay.

Members of eBay’s executive leadership team followed the newsletter’s posts, and they were none too happy with its content, as court documents describe. Same goes for the anonymous comments left on the editor’s stories: one May 2015 comment called eBay execs a bunch of “liars” and “thugs” who should be jailed. A May 2017 comment called one of the eBay executives – identified as Executive 1 in court documents – as “the devil”, and an April 2018 comment called that same executive “delusional.”

In August 2019, the newsletter published an article about litigation involving eBay. The story was about how eBay had filed suit against Amazon, saying its managers had directed dozens of workers to illegally use eBay’s private messaging system to solicit sellers onto Amazon’s platform.

That, apparently, was the last straw. After the newsletter’s article about the suit was published, two members of eBay’s executive leadership team allegedly started swapping text messages suggesting that it was time to “take down” the editor. The exact wording: it’s time to “burn her to the ground.” Here’s a copy of a text conversation between James Baugh, eBay’s former Senior Director of Safety and Security, and an eBay exec identified in court documents as “Executive 2”:

"Burn her down" conversation
Alleged “burn her down” conversation between eBay execs about targeting newsletter editor. IMAGE: FBI agent affidavit

Baugh, 45, of San Jose, Calif., was arrested on Monday and charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses. David Harville, 48, of New York City, eBay’s former Director of Global Resiliency, was also arrested Monday morning in New York City on the same charges.

Also named in the complaint are:

  • Stephanie Popp, 32, of San Jose, eBay’s former Senior Manager of Global Intelligence;
  • Stephanie Stockwell, 26, of Redwood City, Calif., the former manager of eBay’s Global Intelligence Center (GIC);
  • Veronica Zea, 26, of San Jose, a former eBay contractor who worked as an intelligence analyst in the GIC; and
  • Brian Gilbert, 51, of San Jose, a former Senior Manager of Special Operations for eBay’s Global Security Team.

They’ve each been charged with conspiracy to commit cyberstalking and conspiracy to tamper with witnesses.

Harassment campaign step 1: creepy crawlies

As the affidavit tells it, Baugh, Harville, Popp, Gilbert, Zea, Stockwell, and others responded to the “burn her to the ground” order by executing a three-part harassment campaign.

Step 1: send her the fetal pig, et al. According to the FBI’s confidential, anonymous witnesses, the disturbing packages were inspired by a clip from a 1988 movie, Johnny Be Good, in which two friends arranged for the delivery, to their football coach’s home, of “unwanted and distracting items and people,” including $283 in pizzas, an elephant, a male stripper, a roach exterminator in full space suit gear, and Hare Krishna missionaries, all of which arrive at the same time.

Baugh’s instructions: let’s do that. He had allegedly shared a clip from the movie with some of his alleged henchmen/women. The point of the campaign was to distract the editor and make her so uncomfortable that she’d stop writing negative articles about eBay. He allegedly tasked his underlings with brainstorming more elements of the distraction campaign. Scary masks? Live insects? Porn? Check, check, check.

Baugh allegedly directed Zea and other GIC analysts to erase any ties to eBay. Thus, the analysts allegedly paid for the deliveries using prepaid debit cards and made online orders using anonymous email accounts, virtual private networks (VPNs), and mobile phones and computers specifically purchased for the harassment campaign.

(By the way, if these allegations prove true, they point to the likelihood that eBay’s security and intelligence departments don’t read Naked Security. We could have told them that a VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot. They don’t always deserve that trust, though.)

Cue the Samoan heavies

If the distraction campaign didn’t work, Baugh allegedly said during a meeting, he’d send a Samoan gang to the victims’ house. He showed his colleagues a photo of what he said was the gang: a group he described as not being “good guys.” Whatever happened then would be “out of his control,” Baugh allegedly said.

Harassment campaign step 2: messages from fake eBay sellers

The second part of the harassment campaign was to send private Twitter messages and public tweets criticizing the newsletter’s content and threatening to visit the victims in Natick. Baugh, Gilbert, Popp and another eBay security employee allegedly planned the messages to become increasingly disturbing, culminating with doxing the victims’ home address. They allegedly set up a Twitter account named @Tui_Elei to send the messages and used a skull for the profile.

Baugh allegedly told some in the group that Executive 2 supported all this, forwarding a message in which the executive complained about a commenter named Fidomaster and “the [Newsletter] gal”, suggesting that eBay should do “Whatever. It. Takes” to address them:

Whatever. It. Takes. email from eBay Executive 2. IMAGE: FBI affidavit

Then, the group allegedly planned to have Gilbert – a former Santa Clara police captain – approach the victims with an offer to help stop the harassment that the defendants were allegedly, secretly causing, in an effort to promote good will towards eBay, generate more favorable coverage in the newsletter, and identify the anonymous commenters.

Harassment campaign step 3: covert surveillance

According to the complaint, Harville and Zea registered for a software development conference to explain a trip to Boston on 15 August, 2019. From Boston, Baugh, Harville, and Zea (and later Popp) allegedly drove to the victims’ home in Natick several times, with Harville and Baugh intending at one point to break into the victims’ garage and install a GPS tracking device on their car.

In case they were stopped by local police, Baugh and Harville allegedly carried false documents purporting to show that they were investigating the victims as “Persons of Interest” who had threatened eBay executives. The victims spotted the surveillance, however, and told Natick police they were being followed. The police investigated, finding that Zea had rented one of the cars used by the defendants. The investigators reached out to eBay for assistance.

Aware that the police were investigating, the defendants allegedly lied to the police about eBay’s involvement while pretending to offer the company’s assistance with the harassment, and they allegedly lied to eBay’s own lawyers about their involvement.

At one point, Baugh, Gilbert, Popp, and Stockwell allegedly plotted to fabricate another eBay “Person of Interest” document that could be offered to the police as a lead on some of the harassing deliveries. As the heat closed in, with police and eBay’s lawyers continuing to investigate, the defendants allegedly deleted digital evidence that showed their involvement, further obstructing what had by then become a federal investigation. A discussion between Baugh and Harville:

Find & destroy conversation
Find and destroy conversation between Harville and Baugh. IMAGE: FBI affidavit

The charges of conspiracy to commit cyberstalking and conspiracy to tamper with witnesses each carry a sentence of up to five years in prison, three years of supervised release, a fine of up to $250,000 and restitution. Maximum sentences are rarely handed out, though.

Lelling called the cyberstalking campaign a “determined, systematic effort of senior employees of a major company to destroy the lives of a couple in Natick, all because they published content company executives didn’t like.”

CBS asked Lelling if further charges are in the works. One would imagine so, given that two unnamed executives are included in the complaint who had roles higher than Baugh’s. Lelling responded by saying that the investigation is “active and ongoing”.

The defendants weren’t just a few bad apples, Lelling said, given how high up in the company the orders were allegedly coming from:

I don’t think I would characterize the conduct as rogue, because as seen in the complaint, the directive to do something about this goes pretty high up the chain within eBay.

eBay’s response

eBay told CBS that it was notified in August 2019 about the alleged conduct of its employees and launched a “comprehensive investigation.” It fired all of the involved employees in September 2019.

An independent special committee formed by eBay’s Board of Directors said this in a statement:

eBay took these allegations very seriously from the outset. Upon learning of them, eBay moved quickly to investigate thoroughly and take appropriate action. The Company cooperated fully and extensively with law enforcement authorities throughout the process. eBay does not tolerate this kind of behavior. eBay apologizes to the affected individuals and is sorry that they were subjected to this. eBay holds its employees to high standards of conduct and ethics and will continue to take appropriate action to ensure these standards are followed.

Former eBay CEO Devin Wenig’s role has come into question during the investigation. Wenig resigned in September 2019, citing disagreements with the company’s board as it sought to overhaul the business.

eBay says that its internal investigation found that, while Wenig’s communications were “inappropriate,” the alleged crimes couldn’t be traced to him:

There was no evidence that he knew in advance about or authorized the actions that were later directed toward the blogger and her husband.

“However,” eBay said, as it previously announced, there were “a number of considerations leading to his departure from the company.”

Intel announces “exploit busting” features in its next processor chips

Intel is adding two new exploit detection systems into its forthcoming processors.

The new technology has been at least four years in the making, according to the chip giant’s recently updated specification document, which contains a “version 1.0” release date of June 2016.

Intel’s PR machine has been making waves about the system, known as CET for short, or Control-flow Enforcement Technology in full, for a while…

…and now it’s officially out for you to take a look at. (Warning: the specification document runs to 358 pages.)

As far as we can see, the first wave of Intel processors that will include these new protections are the not-quite-out-yet CPUs known by the nickname “Tiger Lake”, so if you’re a programmer you can’t actually start tinkering with the CET features just yet.

Nevertheless, CET reminds us all that computer security is a cat-and-mouse game, where one round of security improvements provokes a change in behaviour by cybercriminals, which in turn leads to a new wave of defences, and so on.

Loosely speaking – very loosely, given that we’re summarising a 358-page document – CET aims to make remote code execution exploits harder than they are now by keeping a tighter rein on how programs behave.

More precisely, CET aims to keep an eye out for how programs misbehave, so that it’s easier to detect when a program has crashed, and therefore to stop crooks coming up with sneaky ways of crashing-yet-keeping-control-over buggy programs.

Exploiting memory errors

Errors in using memory are one of the leading causes of software bugs that lead to security holes, known in the trade as vulnerabilities.

For example, if I ask the operating system for 64 bytes worth of temporary storage, say to generate and store a cryptographic key, but then accidentally save 128 bytes of random data into it, I’ll trample all over whatever comes next in memory.

A memory block that’s allocated for your own use is known colloquially as a buffer, so writing outside your own buffer and into someone else’s is known as a buffer overflow.

Another way that data commonly gets trampled is known as use after free, where I accidentally save data into a block of memory that I already told the operating system I didn’t need any more, and that therefore might already have been handed out to be used somewhere else.

Even if I carefully write my limit of 64 bytes and avoid a buffer overflow error, I’m still writing where I shouldn’t.

So even though a use-after-free bug isn’t technically referred to as an overflow, you can think of it that way because I am writing 64 bytes to a buffer where I am currently supposed to write no bytes at all.

Memory safety

Memory safety bugs, as they’re called in general, are an obvious cybersecurity risk because they mean that an attacker might be able to craftily alter data that some other part of the program assumes it can trust and therefore later relies upon.

The danger posed by a memory error of this sort depends, of course, on what got trampled.

If the memory bytes that were overwritten contained an error message that only ever gets printed under highly unusual circumstances, then the bug might not be noticed for years, and even if it shows up, the only bad side effects might be to cause an error to go unreported (or be reported incomprehensibly).

But if the memory that got trampled contains any data that the software later relies upon to control the flow of execution in the program, then an attacker can very possibly find a way to abuse that bug to implant malware.

Defending against memory bugs

There are two main ways that memory overwrite bugs can be exploited to divert execution.

One relies on modifying what’s known as the stack, a block of memory that the CPU uses (amongst other things) to keep track of subroutine calls in software.

When you call a program subroutine, for example getch(), which reads in the next input character, usually from the keyboard, the processor keeps track of where you CALLed it from so that the subroutine can simply run a RETurn instruction to get back where it was before, to the next instruction after the CALL.

So, if you can mess with the stack, you can often mess with the next RET instruction so the program doesn’t go back where it came from but instead heads off into unauthorised territory of your choice.

Another sort of bug involves modifying the memory location used by a JMP or CALL instruction to tell it where to go next – instead of diverting a program when it returns from a subroutine, you divert it when it tries to call or jump to one.

Various protections already exist against this type of trick, notably DEP and ASLR.

DEP stands for Data Execution Prevention and it assumes that when attackers modify a RETurn address, or a CALL or JMP destination, they’ll need to divert execution to a chunk of code – known as shellcode – that they supplied themselves, typically as part of the data they sent to the errant program in the first place.

But modern CPUs can flag data buffers as “not for execution”, which prevents shellcode supplied as data from running even if attackers manage to RET, JMP or CALL to it.

Crooks responded to DEP by using two-stage shellcodes where the first part relies on stringing together code fragments already loaded into memory, for example as part of the running program or one of the DLL files it uses.

These “already executable” fragments, known in the jargon as gadgets, don’t need to do a lot – typically, they’ll just tell the operating system to switch the buffer where the rest of the shellcode resides from “no execution allowed” to “this data is allowed to run as code”.

Then, simply jumping to the second part of the shellcode completes the takeover.

(Note that the gadgets were never intended to be used in this way – the crooks typically comb through system DLLs and hunt for byte sequences that just happen to decompile to useful code snippets such as ADD THIS or COMPARE THAT, even if the gadgets are themselves part of other instruction sequences.)

Of course, to misdirect a running program so it transfers control to an “already executable” gadget, the attacker needs to know what memory addresses those gadget bytes are loaded at.

Fifteen years or so ago, that was trivial because every version of Windows loaded its standard set of system DLLs at the same memory addresses every time, so if the crooks could figure out an exploit that knew where to weave around in memory on their test computer…

…it would work on your computer, too, assuming you had the same version of Windows.

ASLR, short for address space layout randomisation, made that much harder, because Windows, and all other mainstream operating systems, now load programs at different locations every time you reboot.

The crooks can easily guess which Windows version you have, but they can’t easily guess which gadgets are at what memory addresses on your computer.

ASLR still not perfect

One problem with ASLR is that if attackers can somehow figure out the memory addresses that are being used on your computer right now, even though they were randomly chosen, they can modify their attack automatically simply by adjusting all gadget addresses in their exploit to suit.

Unfortunately, information about system memory allocation sometimes leaks out due to other, innocent sounding bugs known as information disclosure flaws.

For example, some programs write log files that are intended to be helpful if ever you need support, accidentally including useful but supposed-to-be-secret data such as System version data found at address 0x7DEE.... or KERNEL DLL loaded at 0x7EE3.....

In other words, the memory layout information that crooks aren’t supposed to be able to figure out for program X might already have been blurted out by program Y.
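One defensive check that follows from this: scan your own log output for pointer-width hex values before it ships. This is an added example, not code from the article or from Intel; the sample log lines are constructed, and the eight-hex-digit threshold is an assumption chosen to skip small constants.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Flags log lines that leak address-sized hex values such as "0x7DEE....".
 * Constructed example; MIN_HEX_DIGITS is an assumption chosen to ignore
 * small constants such as 0x10 while catching pointer-width values. */

#define MIN_HEX_DIGITS 8

/* Counts "0x<hex>" tokens with at least MIN_HEX_DIGITS digits in line[0..len). */
size_t count_leaked_addresses(const char *line, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (line[i] != '0' || line[i + 1] != 'x') continue;
        size_t j = i + 2, digits = 0;
        while (j < len && isxdigit((unsigned char)line[j])) { j++; digits++; }
        if (digits >= MIN_HEX_DIGITS) hits++;
        i = j - 1;                     /* resume scanning after the token */
    }
    return hits;
}

/* Walks newline-separated log text, prints each suspicious line and returns
 * how many lines were flagged. */
size_t scan_log(const char *text) {
    size_t flagged = 0;
    const char *start = text;
    while (*start) {
        const char *nl = strchr(start, '\n');
        size_t len = nl ? (size_t)(nl - start) : strlen(start);
        if (count_leaked_addresses(start, len) > 0) {
            flagged++;
            printf("possible address leak: %.*s\n", (int)len, start);
        }
        if (!nl) break;
        start = nl + 1;
    }
    return flagged;
}

/* Constructed sample: two lines modelled on the examples in the text above. */
static const char SAMPLE_LOG[] =
    "2020-06-16 09:01:02 INFO  service started, build 4.2.1\n"
    "2020-06-16 09:01:03 DEBUG KERNEL DLL loaded at 0x7EE3A000\n"
    "2020-06-16 09:01:04 DEBUG System version data found at address 0x7DEE1000\n"
    "2020-06-16 09:01:05 WARN  retry count 0x10 exceeded\n";

int main(void) {
    size_t n = scan_log(SAMPLE_LOG);
    printf("%zu of 4 lines leak something that looks like a memory address\n", n);
    return 0;
}
```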

Enter CET

Intel’s new hardware solution aims to go beyond ASLR and takes two forms, called the shadow stack and indirect branch tracking (IBT).

The implementation is complex but the concepts are simple:

  • The shadow stack will keep two copies of every memory address that a subroutine might RETurn to. One will be stored where it always was, still vulnerable to buffer overflows. The other return address will be saved on the shadow stack, where a buffer overflow can’t (or isn’t supposed to be able to) reach it. Whenever a subroutine tries to RETurn, the two stacks will be compared. If they differ, the return address on the regular stack must have been modified incorrectly. In theory, this will detect and prevent both accidental crashes and deliberate exploit attempts.
  • The IBT system will introduce a new machine code instruction called ENDBRANCH. Programs that want to make use of IBT can compile these instructions into their code at every point where a JMP or CALL is permitted to arrive – creating an allowlist, if you like, of legitimate branch targets. Any JMP or CALL that’s modified to end up somewhere else, such as at a “code gadget” picked by an attacker, can be detected and blocked. Crooks should therefore find it somewhere between very hard and impossible to find code gadgets that do what they want.

In case you’re wondering how IBT will work in a backwards compatible way, Intel carefully chose an instruction bytecode for ENDBRANCH that executes as a NOP, short for “no operation” (i.e. an instruction that does nothing except use up a tiny amount of time and memory) on older CPUs.

So software recompiled for CET-capable processors in the next year or so will still work correctly on older computers.
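To make the two mechanisms concrete, here is a toy software model of the shadow stack and IBT checks described above. It is an added example, not Intel’s code or anything from the specification: addresses are small integers, “memory” is an opcode array, and the fault results are our own labels.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of CET's shadow stack and indirect branch tracking (IBT).
 * Constructed for illustration: addresses are small integers, "memory" is an
 * opcode array, and nothing here is Intel's real encoding or fault behaviour. */

#define STACK_DEPTH 16
#define CODE_SIZE   64
enum op { OP_NOP = 0, OP_ENDBRANCH, OP_OTHER };
typedef enum { CF_OK, CF_SHADOW_MISMATCH, CF_MISSING_ENDBRANCH, CF_BAD_ADDR } cf_result;

typedef struct {
    uint64_t regular[STACK_DEPTH]; /* ordinary stack: reachable by an overflow */
    uint64_t shadow[STACK_DEPTH];  /* shadow stack: modelled as out of reach    */
    size_t   depth;                /* number of live return addresses           */
    enum op  code[CODE_SIZE];      /* one opcode per "address"                  */
    bool     ibt_enabled;          /* false models an older, pre-CET processor  */
} cpu_t;

void cpu_init(cpu_t *c, bool ibt_enabled) {
    memset(c, 0, sizeof *c);       /* every address starts out as a NOP */
    c->ibt_enabled = ibt_enabled;
}

/* What a CET-aware compiler does: plant ENDBRANCH at each legitimate target. */
void cpu_mark_endbranch(cpu_t *c, uint64_t addr) {
    if (addr < CODE_SIZE) c->code[addr] = OP_ENDBRANCH;
}

/* CALL pushes the return address onto both stacks. */
cf_result cpu_call(cpu_t *c, uint64_t return_addr) {
    if (c->depth >= STACK_DEPTH) return CF_BAD_ADDR;
    c->regular[c->depth] = return_addr;
    c->shadow[c->depth]  = return_addr;
    c->depth++;
    return CF_OK;
}

/* Models a buffer overflow trampling a saved return address on the ordinary
 * stack; the shadow copy is not reachable this way, so it stays intact. */
void cpu_overflow_write(cpu_t *c, size_t slot, uint64_t value) {
    if (slot < c->depth) c->regular[slot] = value;
}

/* RET pops both copies and compares them; a mismatch means tampering. */
cf_result cpu_ret(cpu_t *c, uint64_t *target) {
    if (c->depth == 0) return CF_BAD_ADDR;
    c->depth--;
    if (c->regular[c->depth] != c->shadow[c->depth]) return CF_SHADOW_MISMATCH;
    *target = c->shadow[c->depth];
    return CF_OK;
}

/* Indirect JMP/CALL: with IBT on, the landing address must hold ENDBRANCH.
 * On a pre-CET CPU ENDBRANCH is just a NOP, so any target is accepted. */
cf_result cpu_indirect_branch(const cpu_t *c, uint64_t target) {
    if (target >= CODE_SIZE) return CF_BAD_ADDR;
    if (c->ibt_enabled && c->code[target] != OP_ENDBRANCH) return CF_MISSING_ENDBRANCH;
    return CF_OK;
}

/* Scenario 1: clean CALL/RET; returns the address the RET lands on (0x10). */
uint64_t demo_clean_return(void) {
    cpu_t c; uint64_t t = 0;
    cpu_init(&c, true);
    cpu_call(&c, 0x10);
    return cpu_ret(&c, &t) == CF_OK ? t : 0;
}

/* Scenario 2: an overflow rewrites the saved return address; the RET is refused. */
cf_result demo_shadow_stack_catches_overflow(void) {
    cpu_t c; uint64_t t = 0;
    cpu_init(&c, true);
    cpu_call(&c, 0x10);              /* should later RET to 0x10 */
    cpu_overflow_write(&c, 0, 0x2A); /* overflow replaces it with 0x2A */
    return cpu_ret(&c, &t);          /* CF_SHADOW_MISMATCH */
}

/* Scenario 3: an indirect branch lands on a byte sequence that is not a marked
 * target (a "gadget"); with IBT on it is blocked, on a pre-CET CPU it is not. */
cf_result demo_branch_to_unmarked(bool ibt_enabled) {
    cpu_t c;
    cpu_init(&c, ibt_enabled);
    cpu_mark_endbranch(&c, 0x20);         /* the only sanctioned landing site */
    return cpu_indirect_branch(&c, 0x21); /* MISSING_ENDBRANCH with IBT, else OK */
}

int main(void) {
    static const char *names[] = { "OK", "SHADOW_MISMATCH", "MISSING_ENDBRANCH", "BAD_ADDR" };
    printf("clean RET lands at 0x%llx\n", (unsigned long long)demo_clean_return());
    printf("overflowed RET          -> %s\n", names[demo_shadow_stack_catches_overflow()]);
    printf("JMP to gadget, IBT on   -> %s\n", names[demo_branch_to_unmarked(true)]);
    printf("JMP to gadget, old CPU  -> %s\n", names[demo_branch_to_unmarked(false)]);
    return 0;
}
```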

Is this the end of exploits?

No.

As Intel’s own press release points out, “No product or component can be absolutely secure. Your costs and results may vary.”

Having said that, we suspect that CET will, in general, make things harder for the crooks, so we look forward to it being more widely available.


‘Anonymous’ takes down Atlanta Police Dept. site after police shooting

Following Friday’s fatal police shooting of Rayshard Brooks – a 27-year-old Black man who fell asleep in a fast-food drive-in lane in Atlanta and was shot while running from police who tried to tase him – hackers affiliating themselves with the Anonymous hacktivist collective may have briefly taken down the website for the city’s police department.

According to the Atlanta Journal-Constitution, the APD’s site was down for about 3 hours on Sunday morning.

The AJC reports that the outage happened around 8:30 a.m., following an announcement from a Twitter account branded Anonymous USA.

Of course, the connection between an Anonymous-branded warning and an outage could be simple coincidence. We don’t know what really took the site down. It could have been hacktivists triggering a distributed denial-of-service (DDoS) attack, an onslaught of web traffic flooding the site in the wake of yet another newsworthy police killing, or something as simple as server failure.

As was true prior to a resurgence of protest-related social media interest in Anonymous in these days of Black Lives Matter (BLM), saying that “Anonymous” did it isn’t saying much. As the Anonymous USA account itself explains:

#Anonymous is not a group, not an organization. Anonymous is an idea. Anyone can join us. There is no official account.

Regardless of how amorphous the Anonymous “idea” is and how iffy it is to lay credit on the hacktivist group, this might not be the first strike to come from Anonymous-affiliated hackers with sympathy for the BLM movement.

On 25 May, the killing of George Floyd while in custody with Minneapolis police sparked nationwide protests and outrage. Three days later, Anonymous hackers posted a video that threatened to “expose the many crimes” of Minneapolis police.

The following Saturday, the Minneapolis PD site and the parent City of Minneapolis site apparently suffered a DDoS attack that lasted, sporadically, into at least Sunday morning.

As Variety reported at the time, the @LatestAnonNews Twitter account – which claims to be run by “multiple Anons” – didn’t explicitly take credit for the Minneapolis outages. It did, however, retweet posts linking Anonymous with BLM and #GeorgeFloydProtests.

In the immediate aftermath of Floyd’s killing, when the initial protests were concentrated in Minneapolis, Minnesota Gov. Tim Walz claimed that state networks had been subjected to “a very sophisticated denial of service attack on all state computers.” Such attacks don’t require a lot of skill, however, and can be launched with push-button ease or by simply renting from a DDoS-for-hire service.

At any rate, following Friday’s killing of Rayshard Brooks, Anonymous-affiliated hackers – or, perhaps, hackers sympathetic to BLM, or any hackers exploiting the climate of rage – may have turned their attention to the website of the Atlanta Police Department (APD).

A Wendy’s restaurant employee had called the police after Brooks fell asleep in a drive-through lane, blocking other drivers and forcing them to drive around his car.

An exchange between responding police and Brooks escalated. Police tried, and failed, to tase Brooks, but he got hold of the Taser, ran, and fired it at pursuing officers. (If you’re curious about how effective a Taser is when you’re not close to your target, a vendor’s FAQ explains that a consumer-grade Taser shoots 15 feet, while police-grade Tasers can shoot upwards of 30 feet to disable a target.)

An officer fired two shots into Brooks’s back. A medical examiner deemed the shooting to be homicide, and the officer believed to be responsible was fired. Over the weekend, Brooks’s death reignited protests in Atlanta over racism and police brutality that had been triggered by Floyd’s death weeks earlier.

Zak Doffman – founder and CEO of Digital Barriers, which develops advanced surveillance for defense, national security and counter-terrorism – wrote an in-depth article for Forbes about the problem of attribution when it comes to Anonymous and what might or might not be its members’ responsibility for the DDoSes against the two police departments’ sites.

Doffman said that the attack is “an embarrassment” for Atlanta, coming as it does two years after the city bought $2.6 million worth of emergency contracts to claw back its systems after a SamSam ransomware attack brought the city to its knees, destroying years of police dashcam video.

I was able to access www.atlantapd.org on Monday, 15 June. But at least earlier in the day, Doffman said that he couldn’t get through except when using a VPN through a US server, as the site wasn’t accepting connections from outside the US. That suggests that an attack may have come from outside the country, he said:

Attributing any such action to Anonymous is impossible, given the nature of its loosely affiliated organization. But, because self-styled members can essentially join the cause simply by saying they are doing so, it makes any action claimed by an Anonymous affiliate essentially attributed. The fact that the Atlanta PD website has limited access suggests that any attack may have come from outside the U.S.

He said that following the MPD attack, there have been other Anonymous claims, including those about disrupting police radio systems. The Associated Press, citing a 1 June Department of Homeland Security assessment, has reported that during a 31 May protest in Dallas, “unknown actors” disrupted the police department’s unencrypted radio frequency with music.

As The Hill reports, some police departments have switched to encrypted communications, citing the need to keep criminals from listening in on police radio channels through phone apps – a move that’s been criticized by media outlets that say it will potentially conceal public safety information from the public.

You’ve heard of sextortion – now there’s “breachstortion”, too

Sextortion, also known as “porn scamming”, is where the crooks send you an email claiming to have a video of you watching porn that they’ve acquired by implanting malware on your computer.

We suspect that you’ve not only heard of it but also received these odious and scary emails yourself – scary because no matter whether the crooks really have a video or not, the emails sign off with an aggressive blackmail demand for money…

…or else the video goes to all your family and friends.

The extortion amount varies, but it’s typically about $2000, payable via Bitcoin to a cryptocoin wallet specified in the email.

The idea is that if you pay up, the crooks will stop hounding you, delete the video and move on to another victim.

The thing is, there isn’t a video – after all, if there were, surely the crooks would send you a clip or still image from it as proof?

The criminals are just hoping that a few of the victims who receive their emails will pay up anyway out of fear, and at least some people do.

Indeed, a SophosLabs report published earlier this year found that although porn scamming crooks aren’t pulling in the millions-of-dollars-a-time that some ransomware gangs seem to be getting away with, sextortion scammers have nevertheless been pulling in as much as $100,000 a month simply by telling people to pay up.


You’re probably not terribly surprised, then, to hear that the sextortion crooks are now turning their hands to what we’re calling “breachstortion”.

Instead of claiming to have infected your computer and made off with video filmed from your own webcam, the crooks are claiming to have hacked your website and made off with your data.

As you probably know, ransomware crooks are no longer just scrambling your data and demanding that you pay up to get it back.

They’re now upping the ante by stealing your data first and only then letting loose with their ransomware to scramble it all.

That way the crooks can hit you up with a double reason to pay up: buy back the decryption key and prevent us from telling the world we hacked you.

So the “breachstortion” crooks are copying this data breach-based approach, except that they’ve not actually hacked your network or your computer at all – it’s all a pack of outright lies:

Subject: Your Site Has Been Hacked

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website [URL REDACTED] and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your [URL REDACTED] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

SophosLabs has received quite a few emails along these lines, some as recently as today and others going back one or two months.

In all of them, the crooks give you five days to pay up by sending cryptocurrency to a Bitcoin wallet given in the email.

The amounts we’ve seen vary from $1500 to $2000 (for what it’s worth, the most recent sample we saw had the lowest price).

There are no email or website contact details in the message – the crooks tell you not to bother replying to the email at all, and there’s no website where you can trace your payment and see whether they’ve received the money.

Ironically, as the crooks themselves point out, “please note that Bitcoin is anonymous and no one will find out that you have complied.”

Presumably that’s meant to set your mind at rest by convincing you that the act of paying will not itself draw attention to your “breach”, even though it means you’re relying entirely on the crooks to keep track of which payments were made to “protect” which website’s data.
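The tell-tale features described above (a claimed hack and database theft, a Bitcoin wallet, a short deadline, an instruction not to reply, the “Bitcoin is anonymous” pitch) can be turned into a simple mail-triage rule. The following is an added example for illustration, not code from SophosLabs or the article; the two sample emails and the wallet address are constructed placeholders.

```python
import re
from email import message_from_string
from typing import List, Tuple

# Constructed sample modelled on the extortion email pattern; the wallet
# address is an obvious placeholder, not a real one.
SAMPLE_SCAM = """\
From: noreply@example.invalid
Subject: Your Site Has Been Hacked

We have hacked your website example.com and extracted your databases.
You have 5 days to send 0.2 Bitcoin to bc1qexampleplaceholder00000000000000000000
Do not reply to this email. Please note that Bitcoin is anonymous and no one
will find out that you have complied. Otherwise your database will be leaked.
"""

# Constructed benign message that shares one indicator (a deadline in days).
SAMPLE_BENIGN = """\
From: dba@example.invalid
Subject: Database maintenance window

The reporting database will be offline for 5 days of migration work.
Reply to this email if that window is a problem for your team.
"""

# (name, regex, flags); the wallet pattern is case-sensitive on purpose.
INDICATORS = [
    ("claims_hack", r"hacked your (website|site|network)", re.I),
    ("claims_exfil", r"extract(ed)? your (entire )?database", re.I),
    ("bitcoin_addr", r"\b(bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b", 0),
    ("deadline", r"\b\d+\s+days?\b", re.I),
    ("no_reply", r"(do not|don'?t( bother)?) reply", re.I),
    ("anonymity_pitch", r"bitcoin is anonymous", re.I),
    ("leak_threat", r"(leaked|sold to the highest bidder|de-?index)", re.I),
]
# Strong indicators weigh 2, supporting ones weigh 1.
STRONG = {"claims_hack", "claims_exfil", "bitcoin_addr"}

def score_breachstortion(raw_email: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one plain-text message."""
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits = [name for name, rx, flags in INDICATORS if re.search(rx, text, flags)]
    return sum(2 if h in STRONG else 1 for h in hits), hits

def is_breachstortion(raw_email: str, threshold: int = 6) -> bool:
    """Flag only a cluster: high score AND at least two strong indicators."""
    score, hits = score_breachstortion(raw_email)
    return score >= threshold and len(set(hits) & STRONG) >= 2
```

A deadline alone (as in the benign sample) scores 1 and is not flagged; the scam sample trips all seven indicators.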

What to do?

When ransomware crooks hit your network, you typically have no doubt about what just happened – in fact, the ransom demand typically ends up saved in a file right there on your desktop, often with a dramatic change in wallpaper to draw your attention to the attack.

In this case, there’s none of that – not least because there was no malware, no hack, no attack other than the extortion email.

As in the case of porn scams, the crooks don’t have your data, and so paying up is pointless.

Of course, in both sextortion and breachstortion cases, the claims that the crooks make are technically possible: webcams really do sometimes get hijacked by malware, and data breaches really do happen when crooks sneak in through an unpatched security bug.

That raises the tricky question, “But what if it is true after all and the crooks really do have that video of me/all the data from my network?”

Well, even if you decide to believe the bluffers in cases like this, or have $2000 to spend and figure it’s better to be safe than sorry, we nevertheless urge you not to pay up.

Firstly, if these crooks really did get your files, how do you know someone else didn’t get them too (we frequently write about crooks getting hacked by other crooks, after all), or how can you tell that the crooks didn’t already sell them on?

Secondly, what if they come back next week, next month or even next year, when the stakes are even higher?

