
6 Recent Real-Life Cyber Extortion Scams

Companies have paid millions, shuttered their doors, and suffered downtime as malicious hackers ramp up blackmail efforts.

June has been quite the month for news of cyber extortion, ransomware, and hostage-taking by hackers. As cyber crooks look for new and ingenious ways to make a buck off their trade, they're increasingly holding the sword of Damocles over the heads of businesses and government agencies alike. They're doing so by stealing data and threatening public exposure, launching disruptive attacks and promising respite for a price, and encrypting data to hold it hostage until the ransom is paid.

Here are a few of the incidents that have come to light in the past few weeks.

1. Code Spaces
What happened: The code hosting company Code Spaces was put in an untenable position last week. It was hit by a DDoS attack and then extorted by an attacker who had gained control of the firm's Amazon EC2 control panel and demanded payment in exchange for handing control of its operations back.

Fallout: Code Spaces did not play ball with the extortionist. Instead, it scrambled to take back its account by changing passwords. It was thwarted by the criminal, who had created backup logins to the panel and, once he saw what the company was doing, began deleting files at random. In the end, the company reported that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted." Changing the password on the one login you know about does nothing against credentials the attacker created for himself, and backups reachable from the compromised account share its fate. The situation led the company to shut its doors.

2. Nokia
What happened: Cyber extortion may be a growing favorite among cyber criminals, but it isn't a new trick. In fact, news broke last week about a blackmail case dating back to 2007 in which Nokia paid millions of euros in extortion money. The Finnish phone manufacturer was being held hostage by a hacker who had managed to steal an encryption key used in its widely deployed Symbian operating system. The attacker threatened to make the key public if Nokia didn't meet payment demands, which would have let other criminals use the key to push legitimate-looking but malicious apps to phones worldwide.

Fallout: The company did contact Finland's National Bureau of Investigation, but it still got financially soaked by a botched payoff. In a twist that could make a good television episode, Nokia left millions of euros in a parking lot in the hope that authorities could trace the perpetrator during the pickup. But the criminal managed to snag the cash and get away without a trace, leaving the case cold years later.

3. Feedly
What happened: The RSS feed service provider Feedly experienced widespread outages this month due to DDoS attacks, followed by blackmail attempts from the perpetrators, who promised to ease up if the firm paid a ransom. Feedly publicly refused the ransom demand and reported that it was working with other firms suffering attacks from the same group, along with the authorities, to bring the perpetrators to justice.

Fallout: The company worked furiously with its network providers to restore service as quickly as possible. In this particular instance, the company was able to thumb its nose at the bad guys and was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack. "Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized."

4. One More Cloud
What happened: Websolr and Bonsai, two search application infrastructure services provided by One More Cloud LLC, were hit late last week by a compromise similar to the one that shut down Code Spaces. The attacker compromised the services' AWS EC2 account and was looking to wreak havoc through that access.

Fallout: Unlike Code Spaces, Websolr and Bonsai were able to locate the compromised API access key quickly and revoke it immediately, preventing long-term compromise and denying the blackmailer persistent control over their systems. As a result, One More Cloud was able to recover its data over the weekend and completely restore service.
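What the Code Spaces and One More Cloud items describe is, in practice, one procedure: once an attacker has held your AWS console, find and cut off every credential that can authenticate, not only the one you know was stolen, because the intruder will have created backup logins for himself. The following is an added example, not Code Spaces' or One More Cloud's own tooling. It builds a containment plan from an IAM inventory shaped like the output of ListUsers, ListAccessKeys, GetLoginProfile and ListMFADevices, and applies the immediate actions through boto3's update_access_key and delete_login_profile calls. The roster of known users, the assumed start of the intrusion, the user names and the key ids are all constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessKey:
    key_id: str
    status: str                 # "Active" or "Inactive", as IAM reports it
    create_date: datetime


@dataclass
class IamUser:
    name: str
    create_date: datetime
    access_keys: list[AccessKey] = field(default_factory=list)
    has_console_login: bool = False    # a login profile (console password) exists
    mfa_enabled: bool = False


@dataclass
class ContainmentPlan:
    deactivate_keys: list[tuple[str, str]] = field(default_factory=list)  # (user, key id): cut now
    delete_logins: list[str] = field(default_factory=list)               # console passwords to remove now
    unknown_users: list[str] = field(default_factory=list)               # users not on the roster
    rotate_keys: list[tuple[str, str]] = field(default_factory=list)     # older keys: assume read, rotate
    missing_mfa: list[str] = field(default_factory=list)                 # known console users without MFA


def build_plan(users, known_users, compromise_start, known_bad_keys=()):
    """Anything created once the intrusion window opened, anything belonging to a
    user not on the roster, and any key already known to be stolen is cut off at
    once. Every older active key is assumed to have been read by the intruder and
    is queued for rotation; it stays alive only so production does not fall over."""
    plan = ContainmentPlan()
    bad = set(known_bad_keys)
    for u in users:
        rogue = u.name not in known_users
        if rogue:
            plan.unknown_users.append(u.name)
        if u.has_console_login:
            if rogue or u.create_date >= compromise_start:
                plan.delete_logins.append(u.name)
            elif not u.mfa_enabled:
                plan.missing_mfa.append(u.name)
        for k in u.access_keys:
            if k.status != "Active":
                continue
            if rogue or k.key_id in bad or k.create_date >= compromise_start:
                plan.deactivate_keys.append((u.name, k.key_id))
            else:
                plan.rotate_keys.append((u.name, k.key_id))
    return plan


def apply_plan(plan, iam):
    """Execute the immediate actions. `iam` is a boto3 IAM client (or anything with
    the same update_access_key / delete_login_profile methods). Keys are set
    Inactive rather than deleted so CloudTrail events still resolve to a key id
    during the investigation. Returns the number of actions taken."""
    for user, key_id in plan.deactivate_keys:
        iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
    for user in plan.delete_logins:
        iam.delete_login_profile(UserName=user)
    return len(plan.deactivate_keys) + len(plan.delete_logins)


def load_inventory(iam):
    """Build the same inventory from a live boto3 IAM client (not run offline)."""
    users = []
    for page in iam.get_paginator("list_users").paginate():
        for u in page["Users"]:
            name = u["UserName"]
            keys = [AccessKey(k["AccessKeyId"], k["Status"], k["CreateDate"])
                    for k in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]]
            try:
                iam.get_login_profile(UserName=name)
                console = True
            except iam.exceptions.NoSuchEntityException:
                console = False
            mfa = bool(iam.list_mfa_devices(UserName=name)["MFADevices"])
            users.append(IamUser(name, u["CreateDate"], keys, console, mfa))
    return users


# Constructed sample inventory: what a sweep might find after an intrusion that
# (by assumption) began on 17 June. Names and key ids are made up.
COMPROMISE_START = datetime(2014, 6, 17, tzinfo=timezone.utc)
KNOWN_USERS = {"deploy", "alice"}
SAMPLE_USERS = [
    IamUser("deploy", datetime(2013, 3, 1, tzinfo=timezone.utc), [
        AccessKey("AKIAEXAMPLEDEPLOY01", "Active", datetime(2013, 3, 1, tzinfo=timezone.utc)),
        AccessKey("AKIAEXAMPLEDEPLOY02", "Active", datetime(2014, 6, 18, 9, 30, tzinfo=timezone.utc)),
    ]),
    IamUser("alice", datetime(2012, 1, 5, tzinfo=timezone.utc), [
        AccessKey("AKIAEXAMPLEALICE001", "Inactive", datetime(2012, 1, 5, tzinfo=timezone.utc)),
    ], has_console_login=True, mfa_enabled=False),
    IamUser("svc-backup2", datetime(2014, 6, 18, 9, 40, tzinfo=timezone.utc), [
        AccessKey("AKIAEXAMPLEBACKUP01", "Active", datetime(2014, 6, 18, 9, 41, tzinfo=timezone.utc)),
    ], has_console_login=True, mfa_enabled=False),
]

if __name__ == "__main__":
    print(build_plan(SAMPLE_USERS, KNOWN_USERS, COMPROMISE_START))
```

On the constructed inventory the plan deactivates the second "deploy" key and the "svc-backup2" key (both created inside the window), deletes the console password of the unknown "svc-backup2" user, queues the original "deploy" key for rotation and flags "alice" for MFA. Run the sweep from an identity the attacker never held (the root user with MFA, or a break-glass user created out of band), and note that ListUsers does not cover the root user's own access keys: check get_account_summary()["SummaryMap"]["AccountAccessKeysPresent"] and delete any root keys from the root login. None of this helps if the only backups sit in the same account; the Code Spaces outcome is the argument for copies the compromised credentials cannot reach.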

5. Domino's
What happened: This month, the hacking group Rex Mundi went on a public blitz, claiming it had stolen customer records for 650,000 European Domino's Pizza customers. The group said it took the records from the pizza chain's website, which it claimed had protected the data with nothing more than an MD5 hash. (MD5 is a fast hash, not encryption; passwords stored as bare MD5 digests can be recovered in bulk by hashing a wordlist and comparing.) Rex Mundi threatened to release the records if the company didn't pay a ransom of €30,000 ($40,800) by Monday of last week.

Fallout: Domino's refused to comply with the ransom demand. Instead, it told customers that the stolen data did not contain financial information, only contact details, delivery instructions, and passwords, and it advised customers to change their passwords. Interestingly, Rex Mundi never made good on its threat.
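Rex Mundi's claim that the site used "only" an MD5 hash is worth taking literally. The following added example (not Domino's code, nor Rex Mundi's) shows why that matters: with unsalted MD5, one hash per dictionary word cracks every customer who chose that word, whereas a salted, iterated scheme (PBKDF2-HMAC-SHA256 here) forces a full computation per user per guess. The customer records, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed wordlist and "leaked" records; the addresses and passwords are made up.
WORDLIST = ["password", "pizza123", "letmein", "qwerty", "123456", "hunter2"]

# What a site storing bare MD5 digests would hold. Two users share a password,
# and with no salt their stored hashes are identical.
MD5_RECORDS = [
    ("a@example.com", hashlib.md5(b"pizza123").hexdigest()),
    ("b@example.com", hashlib.md5(b"correct horse battery").hexdigest()),
    ("c@example.com", hashlib.md5(b"hunter2").hexdigest()),
    ("d@example.com", hashlib.md5(b"pizza123").hexdigest()),
]


def crack_md5(records, wordlist):
    """Unsalted, fast hash: hash the wordlist once into a lookup table, then every
    record costs one dictionary probe. Returns (email -> password, hashes computed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {email: table[h] for email, h in records if h in table}
    return found, len(wordlist)


def hash_password(password, iterations=50_000, salt=None):
    """Salted, iterated hash. Stored form: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def crack_pbkdf2(records, wordlist):
    """No shared table is possible: each record's salt forces a fresh PBKDF2 run
    per guess. Returns (email -> password, HMAC iterations performed)."""
    found, work = {}, 0
    for email, stored in records:
        iters = int(stored.split("$")[1])
        for w in wordlist:
            work += iters
            if verify_password(w, stored):
                found[email] = w
                break
    return found, work


# The same constructed users, stored properly (fresh random salt per user).
PBKDF2_RECORDS = [(email, hash_password(pw)) for email, pw in [
    ("a@example.com", "pizza123"), ("b@example.com", "correct horse battery"),
    ("c@example.com", "hunter2"), ("d@example.com", "pizza123")]]

if __name__ == "__main__":
    print(crack_md5(MD5_RECORDS, WORDLIST))
    print(crack_pbkdf2(PBKDF2_RECORDS, WORDLIST))
```

Both crackers recover the same three weak passwords from this tiny wordlist; the difference is cost. The MD5 run does six hash computations for four users and would do six for four hundred thousand, while the PBKDF2 run does 800,000 HMAC iterations for four users and scales with the number of users times the number of guesses. The 50,000-iteration count is chosen so the example runs in under a second; production deployments should use a tuned bcrypt, scrypt or Argon2 setting rather than this figure.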

6. Durham Police Department
What happened: The police department of a small New Hampshire town was struck this month by Cryptowall

Fallout: Durham refused to cooperate with the Cryptowall criminals. Selig specifically stated that not only were crime records not affected by the attack, but the department had sufficient backups to restore what was lost due to the attack, even if recovery would take some time.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Marilyn Cohodas,
User Rank: Strategist
6/24/2014 | 8:52:30 AM
Re: Two common Web application attacks illustrate security concerns
It's good to see companies saying no to these extortion scams, albeit with varying degrees of success. Code Spaces, of course, bore the brunt of the fallout from refusing to play ball. But it's gratifying to see that Domino's and even the tiny Durham, NH police department were able to stand firm.
User Rank: Apprentice
6/24/2014 | 8:33:03 AM
Two common Web application attacks illustrate security concerns
This is alarming indeed; scams such as this are bound to increase in the future unless organizations take measures to ensure their data and networks are safe, and they should mitigate these threats proactively with robust security and encryption. I work with McGladrey, and there's a whitepaper on our website that offers useful information on the common security concerns for businesses and ways to mitigate them: "Two common Web application attacks illustrate security concerns".
Christian Bryant,
User Rank: Ninja
6/23/2014 | 2:28:53 PM
Every incident like these should make each IT professional feel more responsible for the maintenance of digital asset integrity, whether as part of a security team, release team or wherever they may sit, angry and looking twice as hard for solutions. Because these attackers are so effective right now, some companies are falling to concession. But is concession the answer? I've seen arguments for/against companies taking things into their own hands and fighting back with their own hackers, and I've seen arguments for/against the government taking more control of the Internet such that more checkpoints can be placed to offer more security to businesses (on paper, at least). Many solutions have been proposed, from architecture changes, organization changes and software implementations. Yet here we are, and these vicious attacks continue to happen. Definitely sobering. Companies are going to be making hard choices in the next couple of years from a budget perspective and a responsibility perspective in terms of how far they are willing to go to keep these attacks from happening again.