Hikvision senior director of cybersecurity Chuck Davis discussed phishing attacks and malware related to the coronavirus, and tips for avoiding them, in recent blogs. In today’s HikWire blog, Hikvision’s Davis covers a new extortion scam that Sophos Naked Security is calling “breachstortion,” and how to avoid falling for it.
What is Breachstortion?
A breachstortion attack consists of a malicious email which claims that the sender has breached the victim’s website or company network, copied data from their databases and moved that data to an offshore server. The email then threatens to post the data publicly unless the victim pays the ransom.
A breachstortion attack does not show the victim one of his or her passwords as a means to “prove” that the attackers have access to the victim’s computer. In fact, the email does not contain any evidence that the attacker has breached anything.
SophosLabs reports that they have received numerous samples in the past two months and all of them give the victim only five days to pay the $1,500 to $2,000 ransom to a Bitcoin address that is included in the email.
How Did Attackers Get Your Data?
Breachstortion attackers do not have any data and instead are relying on the victim’s fear to cause them to pay the ransom, even with no evidence of a breach. Typically, when attackers have access to a victim’s data, they will post a small portion of that data online to prove that they have it. That is not the case with the breachstortion attacks that Sophos has analyzed to date.
Example of a Breachstortion Attack
As you can see in the example below, this breachstortion email is short and to the point. It conveys a sense of urgency and preys on the fears of the victim to entice them to pay.
“Subject: Your Site Has Been Hacked
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website [URL REDACTED] and extracted your databases.
How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.
What does this mean?
We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your [URL REDACTED] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.”
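As an added example (not from the original blog or from Hikvision), the following Python scorer shows how a mail-security or SOC team could flag the breachstortion pattern described above before it reaches an inbox. The indicator weights, the threshold and both sample messages, including the Bitcoin address, are constructed for illustration.

```python
import re

# Added example: heuristic scorer for the breachstortion pattern this post describes.
# Weights and the threshold are a constructed starting point, not a tuned model.
INDICATORS = [
    # (label, pattern, flags, weight)
    ("claims_site_hacked", r"\bhacked your (?:web)?site\b", re.I, 3),
    ("claims_db_extracted", r"\bextract(?:ed)? (?:your )?(?:entire )?databases?\b", re.I, 2),
    ("threat_to_leak", r"\b(?:leaked|sold to the highest bidder|de-index(?:ed)?)\b", re.I, 2),
    # Bitcoin payment address (bech32 or legacy base58); case matters here.
    ("bitcoin_address", r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b", 0, 3),
    ("deadline_days", r"\b(?:\d+|one|two|three|four|five|seven)\s+days?\b", re.I, 1),
    ("ransom_amount", r"(?:\$\s?\d[\d,]*|\b\d+(?:\.\d+)?\s?BTC\b)", re.I, 1),
    # A run of four or more shouted words, like the forward-to-a-decision-maker line.
    ("all_caps_urgency", r"\b[A-Z]{4,}(?:\s+[A-Z!]{2,}){3,}", 0, 1),
]
COMPILED = [(label, re.compile(pat, flags), w) for label, pat, flags, w in INDICATORS]

def score_email(text: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator labels) for one message body."""
    score, hits = 0, []
    for label, rx, weight in COMPILED:
        if rx.search(text):
            score += weight
            hits.append(label)
    return score, hits

def is_breachstortion(text: str, threshold: int = 6) -> bool:
    """True when enough weighted indicators co-occur to warrant quarantine or review."""
    return score_email(text)[0] >= threshold

# Constructed sample built from the quoted email above, plus a made-up
# payment footer (the address is a placeholder, not a real wallet).
BREACHSTORTION_SAMPLE = """Subject: Your Site Has Been Hacked
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website [URL REDACTED] and extracted your databases.
First your database will be leaked or sold to the highest bidder.
Lastly any links that you have indexed in the search engines will be de-indexed.
Pay $2,000 within 5 days to bc1qexampleconstructedaddress0000000000000 or the data goes public.
"""

# Constructed benign message that shares one weak indicator (a day count).
BENIGN_SAMPLE = """Subject: Maintenance reminder
The database maintenance window closes in 2 days. Please forward this note to your team.
"""

if __name__ == "__main__":
    for name, body in (("scam", BREACHSTORTION_SAMPLE), ("benign", BENIGN_SAMPLE)):
        score, hits = score_email(body)
        print(f"{name}: score={score} flagged={is_breachstortion(body)} hits={hits}")
```

The benign message trips only the weak day-count indicator and stays well under the threshold, which is the point of weighting co-occurring signals rather than matching any single phrase.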
What Can Breachstortion Victims Do? Five Tips Below
If you find a breachstortion email in your inbox, don’t panic. As you now know, this is a scam. Below are some tips that may help:
- If this was received at a business email address, let your cybersecurity team know that you received the threatening email. There could be a company-wide campaign happening that they can stop if they know about it, and they can use that email to help educate employees.
- Be very skeptical about incoming email. Read the following phishing blog to learn more on how to identify phishing attacks.
- Be wary of short URLs such as “bit.ly.” Sometimes malicious links are sent through social media in a short URL. Check short URLs with a tool like checkshorturl.com to preview the real address before clicking.
- Be aware of doppelgänger domains, which are domain names that look like a valid, trusted domain, such as goog1e.com (with a digit one in place of the letter l). If you don’t look closely at URLs sent in email, you can easily overlook this.
- Don’t pay! If you do pay, will you pay again in a month or six months if they come back with more demands? Digital data can be copied endless times and these criminals play outside of the rules and laws.
For more cybersecurity tips from Hikvision, visit this link.