We have received reports of scammers targeting website owners with blackmail messages asking them to pay thousands of dollars in bitcoin as a ransom to avoid having their sites' databases ‘leaked and their reputation destroyed.’
Here is a sample of such emails:
Message: Your Site Has Been Hacked
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website yourwebsitename.com and extracted your databases.
How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.
What does this mean?
We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://yourwebsitename.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.
How do I stop this?
We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $2500 in bitcoins (BTC).
Please send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive):
3LKf6NWhJA8L5cmD5p9u6WksjW9SC2jauu
Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 7 days after receiving this e-mail or the database leak, e-mails dispatched, and de-index of your site WILL start!
How do I get Bitcoins?
You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.
What if I don’t pay?
If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.
This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!
Please note that Bitcoin is anonymous and no one will find out that you have complied.
The Security Threat:
- The fraudsters falsely claim to have exfiltrated your databases to attacker-controlled servers, using credentials harvested after exploiting a vulnerability in your website.
- Unless the ransom is paid, they threaten to leak or sell the “stolen” databases, as well as email your associates and customers to destroy your reputation.
- Last but not least, the scammers also try to further scare you into paying the demanded fee by threatening to de-index your website from search engines using “blackhat” SEO techniques.
- They then demand that you pay the ransom within 5 days of receiving the ransom notification to avoid having your website destroyed.
Investigations Into The Threat
- This is a well-known scam that has been reported widely across different forums.
- There is also a group of security specialists from a company called WebARX who studied this scam more extensively and observed that this scammer uses multiple Bitcoin wallets to collect ransom payments.
- Victims of this scam have also posted reports on Blogger’s help site, on the WordPress support forum, and on StackOverflow.
- Such ransom attacks are also targeting non-WordPress installations such as Shopify websites, MongoDB databases as well as MySQL servers.
- This scam remains active, as shown by the dozens of reports that its targets have submitted on the BitcoinAbuse platform for each of the wallets used in this campaign.
What To Do
- If you do receive such an email, the first thing to do is to stay calm.
- Next, check your website for any visible sign that it was actually hacked, such as defaced pages or unexpected images on the front end. In these cases you will find that your website looks exactly as it did before, and rightly so, because it has NOT been hacked.
- Do not click any links in the scam email (VERY important).
- Simply forward the scam email to us at [email protected].
Once we have received your email, we will perform any corrective security steps on our side and blacklist the IP address from which the scammer sent the email. We will open a support ticket for you and let you know once the threat has been fully contained.
Further Actions (Optional)
- You can change the credentials of your website's administrative account.
- Enable 2-Factor Authentication as outlined here.
- Search for the Bitcoin address embedded in the blackmail email on the Bitcoin Abuse Database for reports of blackmailers or fraudsters actively using that address.
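One way to triage such a message automatically, as an added example that is not part of the original article: a small Python script that scores an e-mail against the phrases of this template and pulls out the Bitcoin address so it can be looked up on the Bitcoin Abuse Database. The sample e-mail is constructed, and the indicator list, threshold and address regex are assumptions.

```python
import re

# Constructed sample modelled on the scam template quoted above (not a real message);
# the address is the one printed in the sample e-mail.
SAMPLE_EMAIL = """Subject: Your Site Has Been Hacked
We have hacked your website example.com and extracted your databases.
The current fee is $2500 in bitcoins (BTC).
Please send the bitcoin to the following Bitcoin address:
3LKf6NWhJA8L5cmD5p9u6WksjW9SC2jauu
Please note that you have to make payment within 7 days."""

BENIGN_EMAIL = "Hi, your monthly hosting invoice is attached. Thanks!"

# Phrases characteristic of this campaign's template, matched case-insensitively
# (assumed indicator list; extend it from messages you actually receive).
INDICATORS = (
    "has been hacked", "extracted your database", "offshore server",
    "leaked or sold", "de-index", "bitcoin", "not a hoax", "do not reply",
)

# Legacy (1...), P2SH (3...) and bech32 (bc1...) address shapes. The base58
# alphabet omits 0, O, I and l, which keeps ordinary words from matching.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})\b"
)


def extract_btc_addresses(text):
    """Return candidate Bitcoin addresses in order of appearance, without duplicates."""
    seen, found = set(), []
    for addr in BTC_ADDRESS_RE.findall(text):
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


def assess(text, threshold=3):
    """Score a message against the template and pull out the address to look up."""
    lowered = text.lower()
    matched = [phrase for phrase in INDICATORS if phrase in lowered]
    addresses = extract_btc_addresses(text)
    return {
        "score": len(matched),
        "matched": matched,
        "addresses": addresses,  # search these on the Bitcoin Abuse Database
        "flagged": len(matched) >= threshold and bool(addresses),
    }


if __name__ == "__main__":
    for label, mail in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, assess(mail))
```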
How Safe Is Your Website?
- Every website that we host runs in an isolated security container with two powerful firewalls protecting it at all times, 24/7, 365 days a year.
- We use a server-side IP-based protection firewall and Cloudflare’s advanced firewall to help prevent attacks from ever getting through to your website. Cloudflare’s strict rules filter helps monitor your site’s incoming traffic and block IPs associated with hacking and DDoS attacks.
- Additionally, the very first plugin we install and activate on each site we build is Wordfence, a highly rated WordPress security solution that includes a malware scanner, a firewall, and a certain level of automated malware cleaning. Wordfence also provides two-factor authentication, login protection, and password management for users.
In The Unlikely Event of A Security Breach
- If you have reason to believe that your website has been hacked or deleted, please open a support ticket and let us know.
- We will be able to restore a copy of your website from one of our cloud-based servers.
- We use Google's advanced Cloud1 system to periodically store backups of your website.
- We do not only backup your critical website pages, but also its databases, system files, and system state.
- After each full backup, we use incremental, block-level backup and compression to minimize storage utilization on your website.