Hackers posing as security researchers are stealing data from companies and demanding payment in exchange for revealing how they got in, so that the victim can patch its servers.
This new tactic is becoming a common occurrence, John Kuhn, IBM Senior Threat Researcher, revealed last week. He says security researchers with questionable ethics, or downright “hackers,” are targeting companies with a new type of extortion scheme IBM calls bug poaching.
In these attacks, a perpetrator identifies a security weakness on a company’s site or IT infrastructure and then “offers” to disclose it in private for a certain fee.
Softpedia was the target of such an extortion scheme during the past month, when a “security researcher” pointed out that our website was vulnerable to an XSS bug. We did fix the bug without his help, but this serves as proof to IBM’s most recent.
Extortionists also stole data from hacked companies
Kuhn points out that in the bug poaching cases IBM has been made aware of, the so-called security researchers went one step further.
The IBM researcher says that when these “researchers” identify SQL injection vulnerabilities, they often also download data from the company’s servers, effectively stealing it.
In all bug bounty programs, private or public (HackerOne, Bugcrowd), downloading a company’s data is frowned upon and strictly forbidden. Doing so breaks bug bounty rules and enters the realm of criminality.
Stolen data is then uploaded online on cloud file sharing services
The crooks then upload the stolen data to a public file-sharing service, email the company to tell it that its systems are vulnerable, and ask for payment to reveal the details of the security weakness.
IBM says it detected such extortion schemes against 30 organizations in 2015, in one case with the crooks demanding as much as $30,000 from a single target.
The crooks typically assure the company that its data is safe, but nothing guarantees they aren’t selling it on underground hacking forums or the Dark Web at the same time.
Nothing guarantees the data is safe
“To put it mildly, trusting unknown parties to secure sensitive corporate data – particularly those who breached an organization’s security measures without permission — is not a security best practice,” Kuhn notes. “It’s also not clear that attackers won’t just release the data, payment or no payment.”
Furthermore, IBM says that in most cases firms wouldn’t even need to pay the ransom, because the crook’s own activity leaves all the clues needed to identify the security bug in the company’s server logs.
Although the hackers behind this tactic pose as white-hat researchers, in reality they are nothing more than ordinary crooks. As such, IBM recommends that companies gather all the evidence they can, attempt to fix the issue, and call in law enforcement to investigate the extortion attempt.
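As an added illustration of IBM’s point that the server logs already hold the clues, the following Python script (example code written for this page, not from the article, IBM or Softpedia) parses web-server access-log lines in the common “combined” format, flags requests that carry textbook SQL injection indicators, and groups them by client address so that a responder can see when the probing began, which endpoint was hit, and roughly how much data the server returned. Every log line, IP address and endpoint in it is constructed for the demonstration.

```python
"""
Added example: triaging access logs for the traces a SQL injection probe
and bulk data pull leave behind. All log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Indicators typical of SQL injection probing, matched against the
# URL-decoded request so that %20 / + encoding does not hide them.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),                 # UNION-based extraction
    re.compile(r"\b(or|and)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I),  # boolean probes (1=1 / 1=2)
    re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b", re.I),  # time-based probes
    re.compile(r"information_schema|\bsys\.tables\b", re.I),          # schema enumeration
    re.compile(r"(--|/\*)\s*$"),                                       # trailing SQL comment
]

# Constructed sample log: one client probes /product.php, then pages through a table.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2016:10:12:01 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:12:09 +0000] "GET /product.php?id=12' HTTP/1.1" 500 231 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:12:15 +0000] "GET /product.php?id=12%20AND%201=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:12:20 +0000] "GET /product.php?id=12%20AND%201=2 HTTP/1.1" 200 418 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:13:02 +0000] "GET /product.php?id=-1%20UNION%20SELECT%201,table_name,3%20FROM%20information_schema.tables-- HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:13:40 +0000] "GET /product.php?id=-1%20UNION%20SELECT%201,email,password%20FROM%20users%20LIMIT%200,500-- HTTP/1.1" 200 60233 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2016:10:13:44 +0000] "GET /product.php?id=-1%20UNION%20SELECT%201,email,password%20FROM%20users%20LIMIT%20500,500-- HTTP/1.1" 200 60187 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2016:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2016:10:14:05 +0000] "GET /product.php?id=44 HTTP/1.1" 200 5001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["path"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def sqli_indicators(decoded_path):
    """Return the patterns that fire on a decoded request path (empty list if none)."""
    return [p.pattern for p in SQLI_PATTERNS if p.search(decoded_path)]


def triage(log_text):
    """Group suspicious requests by client IP and summarise the evidence for each."""
    evidence = defaultdict(lambda: {
        "first_seen": None, "last_seen": None, "hits": 0,
        "endpoints": set(), "bytes_out": 0, "indicators": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = sqli_indicators(rec["decoded"])
        if not hits:
            continue
        e = evidence[rec["ip"]]
        e["first_seen"] = e["first_seen"] or rec["time"]   # earliest probe, for the timeline
        e["last_seen"] = rec["time"]
        e["hits"] += 1
        e["endpoints"].add(rec["decoded"].split("?", 1)[0])  # which script is injectable
        e["bytes_out"] += rec["bytes"]                       # rough size of what was returned
        e["indicators"].update(hits)
    return dict(evidence)


if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        print(f"{ip}: {e['hits']} suspicious requests, {e['first_seen']} -> {e['last_seen']}")
        print(f"  endpoints: {sorted(e['endpoints'])}, bytes returned: {e['bytes_out']}")
```

Run against real logs, the report gives the evidence IBM suggests collecting before anyone replies to the extortion email: the endpoint to fix, the timeline, and an estimate of the volume returned to the client. The signature list is deliberately small and will miss encoded or obfuscated variants, so treat it as a starting filter for a responder, not a detection product; the response-size field is a useful corroborating signal because a paged data pull shows up as a run of unusually large responses from one address.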