Breachstortion

Sextortion and other “I know your password” scams have been a favorite phishing attack method for years. This week, the Sophos Naked Security blog revealed how some attackers have changed tactics by creating a similar email extortion campaign that Naked Security is calling ‘breachstortion.’

What Is Breachstortion?

A breachstortion attack is a malicious email that claims the sender has breached the victim’s website or company network, copied data from its databases and moved that data to an offshore server. The email then threatens to publish the data unless the victim pays a ransom.

Unlike sextortion, a breachstortion attack does not show the victim one of his or her passwords as a means to “prove” that the attackers have access to the victim’s computer. In fact, the email does not contain any evidence that the attacker has breached anything.

SophosLabs reports that it has received numerous samples in the past two months. All of them give the victim only five days to pay a ransom of $1500 to $2000 to a Bitcoin address included in the email.

How Did Attackers Get Your Data?

Much like in a sextortion attack, the attackers do not have any data; they rely on the victim’s fear to drive payment even though the email offers no evidence of a breach. When attackers really do hold victim data, they typically post a small portion of it online to prove it, but that is not the case with any of the breachstortion emails Sophos has analyzed to date.

Example of A Breachstortion Attack

As you can see in the example below, this breachstortion email is short and to the point. It conveys a sense of urgency and preys on the fears of the victim to entice them to pay.

Subject: Your Site Has Been Hacked

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website [URL REDACTED] and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your [URL REDACTED] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.
— https://nakedsecurity.sophos.com/2020/06/15/youve-heard-of-sextortion-now-theres-breachstortion-too/
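The traits listed above (a claimed site and database breach with nothing to back it up, data "moved to an offshore server", a leak-or-sale threat, a Bitcoin address, a deadline of a few days and a ransom in the low thousands of dollars) are concrete enough to turn into a mail-triage rule. The following scorer is an added example written for this page; it is not code from Sophos or from the site running this blog. The sample email is constructed to match the pattern described (the Bitcoin address in it is a made-up placeholder of the right shape, not a real address), and the `PROOF_HINTS` check is a deliberately crude heuristic for "did the sender offer any evidence at all":

```python
import re

# Indicator patterns drawn from the breachstortion traits the post describes.
INDICATORS = {
    "claims_site_breach": re.compile(r"\b(?:hacked|breached)\b.{0,40}\b(?:website|site|network)\b", re.I | re.S),
    "claims_db_exfil": re.compile(r"\b(?:extract|copi|download)\w*\b.{0,60}\bdatabases?\b", re.I | re.S),
    "offshore_server": re.compile(r"\boffshore server\b", re.I),
    "leak_or_sale_threat": re.compile(r"\b(?:leaked|sold|published)\b", re.I),
    # Legacy (1.../3...) base58 and bech32 (bc1...) Bitcoin address shapes.
    "bitcoin_address": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,87})\b"),
    "short_deadline": re.compile(r"\b(?:\d{1,2}|three|five|seven)\s+days?\b", re.I),
    "ransom_amount": re.compile(r"\$\s?\d{1,2},?\d{3}\b"),
    "forward_to_decision_maker": re.compile(r"forward this e-?mail", re.I),
}

# Words that would accompany actual evidence (a data sample, a screenshot, an attachment).
# Breachstortion mails contain none of this; the check is a rough textual heuristic only.
PROOF_HINTS = re.compile(r"\b(?:sample|proof|screenshot|attached|see below)\b", re.I)


def score_breachstortion(subject: str, body: str) -> dict:
    """Return which indicators hit, whether any proof was offered, and a triage verdict."""
    text = f"{subject}\n{body}"
    matched = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    proof_offered = PROOF_HINTS.search(text) is not None
    # The payment channel plus a deadline or price is the core of the extortion;
    # breach claims on their own are cheap talk and score lower.
    payment_demand = "bitcoin_address" in matched and (
        "ransom_amount" in matched or "short_deadline" in matched
    )
    if payment_demand and len(matched) >= 5:
        verdict = "likely breachstortion"
        action = "do not pay; report the email to the security team"
    elif len(matched) >= 3:
        verdict = "suspicious - review"
        action = "hand to the security team for a look"
    else:
        verdict = "no breachstortion indicators"
        action = "none"
    return {
        "matched": matched,
        "score": len(matched),
        "proof_offered": proof_offered,
        "verdict": verdict,
        "action": action,
    }


# Constructed sample modelled on the email quoted above; address and domain are placeholders.
SAMPLE_SUBJECT = "Your Site Has Been Hacked"
SAMPLE_BODY = """PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website example.com and extracted your databases.
The information was moved to an offshore server.
Your database will be leaked or sold to the highest bidder unless you pay $2000 in Bitcoin
to 1DemoBreachstortionAddrXXXXXXXXXX within 5 days.
"""

if __name__ == "__main__":
    print(score_breachstortion(SAMPLE_SUBJECT, SAMPLE_BODY))
```

Running the block on the constructed sample matches all eight indicators, finds no proof offered and returns the "likely breachstortion" verdict; an ordinary business email with an attachment matches none of the indicators. The thresholds are a starting point for a mail filter or SOAR playbook, not a tuned classifier.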

What Can Breachstortion Victims Do?

If you find a breachstortion email in your inbox, don’t panic. As you now know, this is a scam, but the tips below may help.

  1. If the email arrived at a business address, let your cybersecurity team know you received it. There may be a company-wide campaign under way that they can stop once they know about it, and they can use the email to educate other employees.

  2. Be very skeptical about incoming email. Read the following phishing blog to learn more on how to identify phishing attacks.

  3. Be wary of short URLs (e.g. bit.ly). Malicious links are sometimes sent through social media as a short URL. Check short URLs with a tool like checkshorturl.com to preview the real address before clicking.

  4. Be aware of doppelgänger domains, which are domain names that look like a valid, trusted domain, such as goog1e.com. If you don’t look closely at the URLs sent in an email, you can easily overlook this.

  5. Don’t pay! If you pay now, will you pay again in a month or six months when they come back with more demands? Digital data can be copied endlessly, and these criminals operate outside the rules and the law.
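Tips 3 and 4 can be automated for incoming mail: pull every link out of the message, flag known URL shorteners so they get previewed rather than clicked, and compare each registrable domain against a trusted list after folding the usual look-alike substitutions (goog1e.com, rnicrosoft.com). This is an added example written for this page, not code from the blog or from Sophos; the allowlist, the shortener list (bit.ly comes from the tip above, the others are well-known shorteners) and the sample email text are constructed assumptions:

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation trusts (assumption for the example).
TRUSTED_DOMAINS = {"google.com", "microsoft.com", "example-bank.com"}
# bit.ly is named in the tip above; the others are common shorteners.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Substitutions commonly used to build look-alike names, folded onto the real character.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b")]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def skeleton(label: str) -> str:
    """Fold confusable characters so a look-alike collapses onto the name it imitates."""
    s = label.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one-character typosquats the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. A production version should use the Public Suffix
    List so that names under co.uk and similar suffixes are split correctly."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_url(url: str) -> dict:
    """Label a single URL as trusted, shortener, doppelganger or unknown."""
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED_DOMAINS:
        return {"url": url, "domain": domain, "kind": "trusted", "detail": ""}
    if domain in SHORTENER_HOSTS:
        return {"url": url, "domain": domain, "kind": "shortener",
                "detail": "expand with a preview tool before clicking"}
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or levenshtein(domain, trusted) <= 1:
            return {"url": url, "domain": domain, "kind": "doppelganger",
                    "detail": f"looks like {trusted}"}
    return {"url": url, "domain": domain, "kind": "unknown", "detail": "not on the allowlist"}


def audit_links(text: str) -> list:
    """Extract every http(s) URL from a message body and classify each one."""
    return [classify_url(u) for u in URL_RE.findall(text)]


# Constructed sample message; none of these links should be followed.
SAMPLE_EMAIL = (
    "Reset your password at http://goog1e.com/login or https://accounts.google.com/ . "
    "Full details: https://bit.ly/3abcXYZ . Security notice: https://rnicrosoft.com/security"
)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(f'{finding["kind"]:12} {finding["domain"]:20} {finding["detail"]}')
```

On the sample message the audit marks goog1e.com and rnicrosoft.com as doppelgängers of google.com and microsoft.com, bit.ly as a shortener to preview first, and accounts.google.com as trusted because its registrable domain is on the allowlist. The edit-distance rule will occasionally flag a legitimately short domain that is one character away from a trusted one, so treat a "doppelganger" result as a prompt to look closely, which is exactly what tip 4 asks for.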
