6/23/2014
01:40 PM

6 Recent Real-Life Cyber Extortion Scams

Companies have paid millions, shuttered their doors, and suffered downtime as malicious hackers ramp up blackmail efforts.

June has been quite the month for news of cyber extortion, ransomware, and hacking hostage-taking. As cyber crooks look for new and ingenious ways to make a buck off their trade, they are increasingly holding the sword of Damocles over the heads of businesses and government agencies alike. They do so by stealing data and threatening public exposure, launching disruptive attacks and promising respite for a price, and encrypting data to hold it hostage until the ransom is paid.

Here are a few of the incidents that have come to light in the past few weeks.

1. Code Spaces
What happened: The code hosting company Code Spaces was put in an untenable position last week. It was hit by a DDoS attack and then extorted by a hacker who had gained control of the firm's Amazon EC2 control panel and hoped to get paid by the firm in exchange for returning control to its operations.

Fallout: Code Spaces did not play ball with the extortionists. Instead, it scurried to take back its account by changing passwords. It was thwarted by the criminal, who had created backup logins to the panel and started randomly deleting files once he saw what the company was doing. In the end, the company claimed that "most of our data, backups, machine configurations and offsite backups were either partially or completely deleted." The situation led the company to shut its doors.

2. Nokia
What happened: Cyber extortion may be a growing favorite among cyber criminals, but it isn't a new trick. In fact, news broke last week about a blackmail case dating back to 2007 that saw Nokia pay millions of euros in extortion money. The Finnish phone manufacturer was being held hostage by a hacker who had managed to steal an encryption key used in its widely deployed Symbian operating system. The attacker threatened to make the key public if Nokia didn't meet the payment demands, putting Symbian at risk of other criminals using the key to push legitimate-looking but malicious apps to phones worldwide.

Fallout: The company did contact Finland's National Bureau of Investigation, but it still got financially soaked by a botched payoff. In a twist of events that could make a good television episode, Nokia left millions of euros in a parking lot with the hope that authorities could trace the perpetrator during the pickup. But the criminal managed to snag the cash and get away without a trace, leaving the case cold years later.

3. Feedly
What happened: The RSS feed service provider Feedly experienced widespread outages this month due to DDoS attacks, which were followed by blackmail attempts from the perpetrators, who promised to ease up if the firm paid a ransom. Feedly publicly spurned the ransom demand and reported that it was working with other firms suffering attacks from the same group, along with the authorities, to bring the perpetrators to justice.

Fallout: The company worked furiously with its content network provider to restore service as quickly as possible. In this particular instance, the company was able to thumb its nose at the bad guys and was up and running in a couple of hours. "We refused to give in and are working with our network providers to mitigate the attack as best as we can," Feedly CEO Edwin Khodabakchian told customers during the attack. "Please know that your data is safe and you will be able to re-access your feedly as soon as the attack is neutralized."

4. One More Cloud

What happened: Websolr and Bonsai, two search application infrastructure services provided by One More Cloud LLC, were hit late last week by a similar compromise as the one that shut down Code Spaces. The attacker compromised the services' AWS EC2 account and was looking to wreak havoc through that access.

Fallout: Unlike Code Spaces, Websolr and Bonsai were able to locate the compromised API access key quickly and revoke it immediately to prevent long-term compromise and keep a blackmailer from maintaining control over systems. As a result, One More Cloud was able to recover its data over the weekend and completely restore service.
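The lesson the Code Spaces and One More Cloud incidents share is that resetting console passwords does not touch API access keys or remove extra IAM users an attacker has added as "backup logins"; the account has to be inventoried and every credential that cannot be vouched for has to be revoked. The following is an added example, not code from the article or from either company: a small Python audit over a constructed IAM credential inventory that flags users outside an allowlist and keys created inside the incident window, then emits the AWS CLI commands to deactivate them. The allowlist, the incident start time, the inventory schema and all key IDs are assumptions; in practice the inventory would be built from `aws iam list-users`, `aws iam list-access-keys` and the IAM credential report.

```python
"""Audit an IAM credential inventory for attacker-created users and keys.

Added example. The inventory schema, allowlist and dates are assumptions,
not data from the article or the companies it describes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessKey:
    key_id: str          # IAM access key ID (constructed, not real)
    user: str            # IAM user name that owns the key
    created: datetime    # key creation time from IAM
    active: bool         # True if the key status is "Active"


# Constructed sample inventory: three legitimate users, one key minted on an
# existing user during the incident, and one wholly unknown "backup" user.
KNOWN_USERS = {"deploy-bot", "alice", "bob"}                        # assumed allowlist
INCIDENT_START = datetime(2014, 6, 17, tzinfo=timezone.utc)         # assumed window start
INVENTORY = [
    AccessKey("AKIAEXAMPLE0001", "deploy-bot", datetime(2013, 1, 5, tzinfo=timezone.utc), True),
    AccessKey("AKIAEXAMPLE0002", "alice", datetime(2013, 9, 12, tzinfo=timezone.utc), True),
    AccessKey("AKIAEXAMPLE0003", "alice", datetime(2014, 6, 17, 3, 41, tzinfo=timezone.utc), True),
    AccessKey("AKIAEXAMPLE0004", "support-backup", datetime(2014, 6, 17, 3, 55, tzinfo=timezone.utc), True),
    AccessKey("AKIAEXAMPLE0005", "bob", datetime(2012, 4, 2, tzinfo=timezone.utc), False),
]


def audit(inventory, known_users, incident_start):
    """Return (findings, revoke_plan).

    findings is a list of (key_id, reason). revoke_plan holds the AWS CLI
    commands that set each flagged, still-active key to Inactive. Keys are
    deactivated rather than deleted so their metadata stays available to the
    investigation; deletion can follow once the account is clean.
    """
    findings = []
    for key in inventory:
        if key.user not in known_users:
            findings.append((key.key_id, "user not in allowlist"))
        elif key.created >= incident_start:
            findings.append((key.key_id, "key created during incident window"))
    flagged = {key_id for key_id, _ in findings}
    revoke_plan = [
        f"aws iam update-access-key --user-name {k.user} "
        f"--access-key-id {k.key_id} --status Inactive"
        for k in inventory if k.key_id in flagged and k.active
    ]
    return findings, revoke_plan
```

The unknown user itself still has to be removed (its login profile, policies and MFA devices included) after its keys are deactivated; the audit only surfaces it.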

5. Domino's
What happened: This month, the hacking group Rex Mundi went on a public blitz, claiming it had managed to steal customer records for 650,000 European Domino's Pizza customers. The group said it stole the records from the pizza chain's website, which had protected the data with nothing more than MD5 hashing. Rex Mundi threatened to release those records if the company didn't pay a ransom of €30,000 ($40,800) by Monday of last week.

Fallout: Domino's refused to comply with the hostage demands. Instead, it told customers that the stolen data did not contain financial information -- only contact details, delivery instructions, and passwords. It advised customers to change their passwords. Interestingly, Rex Mundi never made good on its threat.

6. Durham Police Department
What happened: The police department of a small New Hampshire town was struck this month by Cryptowall

Fallout: Durham refused to cooperate with the Cryptowall criminals. Selig specifically stated that not only were crime records not affected by the attack, but the department had sufficient backups to restore what was lost due to the attack, even if recovery would take some time.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Marilyn Cohodas, User Rank: Strategist
6/24/2014 | 8:52:30 AM
Re: Two common Web application attacks illustrate security concerns
It's good to see companies saying no to these extortion scams, albeit with varying degrees of success. Code Spaces, of course, bore the brunt of the fallout from refusing to play ball. But it's gratifying to see that Domino's and even the tiny Durham, NH, police department were able to stand firm.
JaCa, User Rank: Apprentice
6/24/2014 | 8:33:03 AM
Two common Web application attacks illustrate security concerns
This is alarming indeed. Scams such as this are bound to increase in the future unless organizations take measures to ensure their data and networks are safe, and they should mitigate these threats proactively with robust security and encryption. I work with McGladrey, and there's a whitepaper on our website that offers useful information on the common security concerns for businesses and ways to mitigate them: "Two common Web application attacks illustrate security concerns" @ http://bit.ly/1c0f35M
Christian Bryant, User Rank: Ninja
6/23/2014 | 2:28:53 PM
Concedence
Every incident like these should make each IT professional feel more responsible for the maintenance of digital asset integrity, whether as part of a security team, release team or wherever they may sit, angry and looking twice as hard for solutions. Because these attackers are so effective right now, some companies are falling to concession. But is concedence the answer? I've seen arguments for and against companies taking things into their own hands and fighting back with their own hackers, and I've seen arguments for and against the government taking more control of the Internet such that more checkpoints can be placed to offer more security to businesses (on paper, at least). Many solutions have been proposed, from architecture changes to organizational changes and software implementations. Yet here we are, and these vicious attacks continue to happen. Definitely sobering. Companies are going to be making hard choices in the next couple of years, from a budget perspective and a responsibility perspective, in terms of how far they are willing to go to keep these attacks from happening again.