We try not to guffaw at cybercrime, but sometimes – especially on a Monday just after the clocks have gone back to remind us that summer is very much over – we allow ourselves a wry smile.
As we did today on reading a report from our chums at Bleeping Computer in which a cybercrook turned on his fellow crooks by hacking their underground forum and saying he would expose them to the cops…
…unless they forked over $50,000:
MESSAGE TO BASETOOLS OWNER: Hello, you have only 24 hours to pay 50.000$ OTHERWISE YOU WILL BE EXPOSED AROUND THE WORLD & ALSO WE HAVE TOO MANY PROOFS THAT WE HAVEN'T INCLUDED THEM HERE AND THOSE WE WILL SENT TO THE RELEVANT BODIES
The ebullient extortionist listed four examples of “relevant bodies”, all of them in the US: Homeland Security, the Treasury, the Department of Justice and, for good measure, the FBI. (We couldn’t help think that the Internal Revenue Service might be interested, too.)
According to Bleeping Computer, the crook uploaded some of his “proofs” to the Basetools hacking site itself, presumably to cause maximum embarrassment amongst the site’s criminal community.
These published “proofs” included a screenshot that’s supposed to show the web administration panel of the Basetools forum, listing the pseudonyms of the last 15 buyers and sellers, as well as the last 9 refunds.
Seems that the crooks have problems trusting each other on many different levels.
To pay or not to pay?
We don’t want to be seen as offering advice to cybercriminals, but we’d strongly urge against paying up in extortion cases like this.
It’s clear that the data has already been stolen – and some of it already shared with the world, let alone with US law enforcement – so paying now won’t do much good.
In ransomware demands, the extortion typically covers a decryption key for data that almost certainly wasn’t copied by the crooks – in other words, if you decide you aren’t going to pay up, the crooks have nothing further to squeeze you with.
But when the crooks already have copies of your data, and are threatening to besmirch, embarrass or defraud you by exposing it, paying the fee won’t do anything to stop them besmirching you anyway.
Or coming back for more money next week.
For what it’s worth, it seems that the Basetools site owners haven’t quite figured out what to do yet – at the time of writing [2017-10-30T12:00Z], their underground forum said:
One thing they definitely haven’t done yet is to read our highly educational article What you sound like after a data breach.
What to do?
Hackers hacking hackers sounds funny, and perhaps it is – but if hackers can be hacked, then so can you, if you aren’t careful.
We don’t know how this attack happened, but the obvious precautions you can take for your own online service include:
- Patch promptly. If the crooks know what server software version you are using, and it has a known security hole, they may very well be able to break in automatically. In other words, if you haven’t patched, you’re the low-hanging fruit.
- Choose decent passwords. If the crooks can guess your password, or if you used the same password on another site that already got hacked, then the crooks don’t need to do any hacking themselves – they can just login directly.
- Use two-factor authentication (2FA). A one-time code that changes every time you login means that just guessing or stealing your password isn’t enough. If the code is calculated on or sent to your phone, then the crooks need your phone (and its unlock code) as well, which is a higher bar to jump over.
- Check your logs. If you keep logfiles for auditing purposes, for example so you can check who logged in when, examine them proactively in order to find out about security anomalies sooner rather than later.
Honour amongst thieves, eh?
Nelson Muntz
Ha Ha!
Mike Gates
Did you post this early. Clocks dont go back until next week!
Paul Ducklin
Not in Europe, which is where we were when we read the original article and figured it was worth a smile.
(Might want to remember that if you are calling anyone on this side of the North Atlantic in the coming week – you might wake them up early and get a bunch of griping :-)
Pr1muZ
The funny part is the DB was already leaked. Most links are dead now, [url removed]
Tom
Paul, you offered computer security tips to hackers, that is amusing. When I think about it though, there is no reason for hackers to be exceptionally savvy about computer security.
Personally, I don’t see hackers as evil geniuses, just malevolent actors committing criminal acts to make money, who generally don’t seem to think through the process very logically. Hackers don’t seem to have a very deep understanding of how the Internet and TCP/IP work.
Bryan
You’re naturally right about *some* of them, but there’s a big difference between newbies and those who know what they’re doing. Guys (and gals of course) who can reason their way through a complex problem are a far cry from those merely reading output of software they downloaded and barely understand. I’ll take attacks from a thousand script kiddies over a single malevolent programmer with strong security chops.
Let’s hope we never hear this article sparked the origin story of “Black Hat Ducklin.”
Tom
To explain what I meant: Criminals don’t seem to think through their plans to a logical conclusion. For example, it seems that most common criminals forget that that there security cameras. When it comes to black hats, they don’t realize that they can be found out regardless of their perceived anonymity, Brain Krebs proves this repeatedly. Yes, there are some true evil geniuses who have elected to become hackers, but if they are that intelligent, they have put themselves at risk by committing a criminal act, which can be a bad plan. State actors are a different class from criminals in my opinion, and they ate truly dangerous. I do wonder why government computers with secret data and every SCADA computer has to be connected to the internet, though even air gapping is not perfect, just ask the Iranians.
Mark Stockley
Worth remembering that you probably never hear about the really good criminals (cyber or otherwise).
Tom
True, but most crimes have something that can be traced. A good auditor can usually find financial irregularities. The Internet is so far from a secure medium that it’s laughable. If it were secure, Sophos would be out of business, but you probably don’t have much worry about there.
Bryan
“most crimes have something that can be traced”
Absolutely. Ties in well with your prior comment about the Iranian nuclear program; that was such a masterful plan it’s worthy of mention in Ocean’s Fourteen–were it not so frightfully dull to televise lines and lines and lines of code in action.