By Paul Ducklin
We try not to guffaw at cybercrime, but sometimes – especially on a Monday just after the clocks have gone back to remind us that summer is very much over – we allow ourselves a wry smile.
As we did today on reading a report from our chums at Bleeping Computer in which a cybercrook turned on his fellow crooks by hacking their underground forum and saying he would expose them to the cops…
…unless they forked over $50,000:
MESSAGE TO BASETOOLS OWNER: Hello, you have only 24 hours to pay 50.000$ OTHERWISE YOU WILL BE EXPOSED AROUND THE WORLD & ALSO WE HAVE TOO MANY PROOFS THAT WE HAVEN'T INCLUDED THEM HERE AND THOSE WE WILL SENT TO THE RELEVANT BODIES
The ebullient extortionist listed four examples of “relevant bodies”, all of them in the US: Homeland Security, the Treasury, the Department of Justice and, for good measure, the FBI. (We couldn’t help think that the Internal Revenue Service might be interested, too.)
According to Bleeping Computer, the crook uploaded some of his “proofs” to the Basetools hacking site itself, presumably to cause maximum embarrassment amongst the site’s criminal community.
These published “proofs” included a screenshot that’s supposed to show the web administration panel of the Basetools forum, listing the pseudonyms of the last 15 buyers and sellers, as well as the last 9 refunds.
Seems that the crooks have problems trusting each other on many different levels.
To pay or not to pay?
We don’t want to be seen as offering advice to cybercriminals, but we’d strongly urge against paying up in extortion cases like this.
It’s clear that the data has already been stolen – and some of it already shared with the world, let alone with US law enforcement – so paying now won’t do much good.
In ransomware demands, the extortion typically covers a decryption key for data that almost certainly wasn’t copied by the crooks – in other words, if you decide you aren’t going to pay up, the crooks have nothing further to squeeze you with.
But when the crooks already have copies of your data, and are threatening to besmirch, embarrass or defraud you by exposing it, paying the fee won’t do anything to stop them besmirching you anyway.
Or coming back for more money next week.
For what it’s worth, it seems that the Basetools site owners haven’t quite figured out what to do yet – at the time of writing [2017-10-30T12:00Z], their underground forum said:
One thing they definitely haven’t done yet is to read our highly educational article What you sound like after a data breach.
What to do?
Hackers hacking hackers sounds funny, and perhaps it is – but if hackers can be hacked, then so can you, if you aren’t careful.
We don’t know how this attack happened, but the obvious precautions you can take for your own online service include:
- Patch promptly. If the crooks know what server software version you are using, and it has a known security hole, they may very well be able to break in automatically. In other words, if you haven’t patched, you’re the low-hanging fruit.
- Choose decent passwords. If the crooks can guess your password, or if you used the same password on another site that already got hacked, then the crooks don’t need to do any hacking themselves – they can just login directly.
- Use two-factor authentication (2FA). A one-time code that changes every time you login means that just guessing or stealing your password isn’t enough. If the code is calculated on or sent to your phone, then the crooks need your phone (and its unlock code) as well, which is a higher bar to jump over.
- Check your logs. If you keep logfiles for auditing purposes, for example so you can check who logged in when, examine them proactively in order to find out about security anomalies sooner rather than later.
Honour amongst thieves, eh?
(From Naked Security).