FBI Issues Warning after Extortion Schemes Surface Following Spate of Mega Breaches
"We have some bad news and good news for you."
In a public service announcement dated June 1, the Internet Crime Complaint Center (IC3) of the Federal Bureau of Investigation (FBI) alerted the public of a string of email messages reportedly landing on inboxes of unknowing online users in an attempt to extort money. The scammers, according to the reports received by the agency, have been leveraging the latest stream of high-profile data breaches that have imperiled the security of millions of members of social networking sites Tumblr, Myspace, Fling and LinkedIn.
As such, an extortion email sample reads, “Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”
The bad news, according to the IC3, is that cyber extortionists quickly jumped on the wave of the disconcerting news of the massive data dumps claiming that names, phone numbers, addresses, credit card information and other personal details have befallen on their hands standing the chance of exposure to the recipient’s family, friends, and even social media contacts. The good news, cleverly put by the scammers, comes after settling the ransom that ranges from 2 to 5 Bitcoins, or an amount equivalent to 250- 1,200 USD in exchange for continuous discretion of said ruinous information. Payment is demanded on a short deadline to further incite fear and heighten the sense of urgency to pay among its would-be victims.
As is expected in any extortion scheme, failure to settle the demanded ransom would result into grave repercussions. The email schemes threaten to expose dirty, well-kept secrets to the mentioned contact list of the recipient, including employers. The FBI then divulged that given the variations of email messages sent to scare victims into paying, multiple cybercriminals may be behind the said ongoing extortion campaigns.
A different extortion email says, “We have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, you can easily stop this letter from being mailed by sending 2 bitcoins to the following address.” Others go the length of threatening recipients of the possible financial and emotional strain that could come from the disclosure of sensitive information to the target’s contacts—bargaining that the continued secrecy of collected information once payment is made is more convenient than potential court proceedings and social embarrassment brought by the disclosure of information that could potentially ruin the reputation of the victim.
An Intriguing Trend
The emergence of these extortion campaigns is a cause for concern for the FBI as these have sprung quickly after reports of massive data dumps in the cybercriminal underground involving stolen passwords from the mentioned social networking sites have reached public consciousness.
On May 18, a hacker that goes by the handle peace_of_mind, or more commonly referred to as “Peace”, has made 117 million stolen LinkedIn credentials available on sale in the underground. In a statement, the hacker noted that the compromised emails and passwords were part of the harvested data from an earlier breach that dates back to 2012—with figures then pegged only at 6.5 million encrypted passwords.
Paid hack search engine LeakedSource shares that they also possess the data. LeakedSource and Peace then note that the available database is comprised of 167 million accounts, 117 million of which have both emails and decrypted passwords. Peace then marked the available troves of user credentials with a rate of 5 Bitcoins, or an amount totaling to around 2,200 USD.
Cory Scott, Chief Information Security Officer of the 14 year-old business-oriented social networking site, was quick to address the incident in an official blog entry saying, “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”
In a May 23 update, Scott noted that the process of invalidating passwords that are potentially at risk has been fully carried out. That said, he concluded, “We will soon be sending more information to all members that could have been affected, even if they’ve updated their password.”
Days before the resurfacing of stolen LinkedIn credentials in the underground market, a May 12 bulletin from microblogging site Tumblr divulged details of an unauthorized third-party access to a “set of Tumblr user email addresses with salted and hashed passwords from early 2013”. However, the exact number of affected parties has not been disclosed at the time the notice was released.
Security researcher and moderator of data breach awareness portal Have I Been Pwned(HIBP) Troy Hunt, on Monday, May 30, shared that the breadth of the breach actually involves over 65 million compromised records—now regarded as one of the most massive data dumps of its kind.
In a statement to Motherboard, Peace, the same hacker behind the sale of stolen LinkedIn credentials referred to the advertised Tumblr database simply as a “list of emails”. Tumblr was noted to have used SHA1 to hash the passwords, aside from “salting” them, thus making it difficult for hackers to crack. Because of this, the collection of stolen records was marked at a relatively lower price of 150 USD.
Shortly after the sale of stolen Tumblr login details in the underground has been made public, another social networking site joined the growing line of breached online networks. The same hacker in question, Peace, claimed ownership to a vast database of MySpace login details totaling to 360 million, which would essentially be one of the biggest password leaks known to date.
While the date when the breach took place has not been determined yet, it is a known fact that the stolen credentials may have been compromised and mined long before MySpace has waned in its popularity. It was also reported that other hackers have been advertising the sale of the stolen information in the underground as well.
In an experiment, Motherboard provided email addresses—three from the news site’s staff and two from friends who have had accounts on the social network—to LeakedSource to verify the authenticity of the said stolen credentials. Notably, in all five instances, the source was able to send back corresponding passwords to the disclosed email addresses.
According to LeakedSource, over 427 million passwords can be found in the database but only 360 million email addresses involved. In a blog entry posted on Friday, May 27, the site noted that each record contains “an email address, a username, one password, and in some cases a second password.”
In a statement dated May 31, MySpace officials confirmed the said breach of information and divulged that, “Shortly before the Memorial Day weekend (late May 2016), we became aware that stolen Myspace user login data was being made available in an online hacker forum. The data stolen included user login data from a portion of accounts that were created prior to June 11, 2013 on the old Myspace platform.”
MySpace highlighted that no credit card or any user financial information has been compromised. To mitigate any further danger brought by the breach, MySpace has invalidated all user passwords of accounts made before June 2013 on the older platform used by the site who are believed to be directly affected by the breach. Returning users will then be prompted to verify their respective accounts and to reset password. Currently, the site is also utilizing automated tools used to quickly identify and block whatever suspicious activity that may arise from the surfacing of the stolen credentials.
Currently, Hunt continues to finalize data on the MySpace breach, attempting to verify the number of stolen credentials available, its origins and the date when it actually occurred before it hid its tracks. While MySpace has gone out of the limelight in terms of usage, he opines that users should still be on the lookout. In an interview to BBC, Hunt noted, “It all comes back to whether they've been following good password practices or not. If they've reused passwords across multiple services - and remember, these breaches date back several years so they need to recall their practices back then - then they may well have other accounts at risk too."
Buried Secrets, Resurface
Interestingly, Hunt notes that an intriguing trend has started to show its face with the discovery of this slew of year-old breaches. First is the age of the mentioned breaches. The recently reported data dumps involve data that has been lying “dormant” for more than three years before it was thrust into public consciousness. Aside from this, the immensity of the stolen information has proven to be impactful, as the recent breaches are now among the most sizable compromised databases that the breach awareness portal HIBP has seen. According to Hunt, “If this indeed is a trend, where does it end? What more is in store that we haven't already seen?"
In Trend Micro’s research paper, Follow the Data: Dissecting Data Breaches and Debunking Myths, knowing the trail of data after it was stolen is as important as knowing the basics or the who, what, when, and how of any data breach.
[Research: Where Do Stolen Data Go?]
Cybercriminals are learned and creative enough to seek ways to get their hands on different repositories of information. These are deemed as goldmine for data thieves as the harvest of personally identifiable information and other credentials could easily equate to profit, or the collection of ingredients instrumental for staging further attacks. In many cases, the theft of irreplaceable data often leads to identity theft much like how IRS scammers take full advantage of the tax season to steal and use data that can ultimately bring them profit.
In Trend Micro’s Security Predictions for 2015, experts believe that cybercriminals are turning on more personal attacks on individuals and even enterprises to reap better results: the more personal the attack is, the more effective it gets. Understanding the psychology of an attack makes for a more reliable tactic and fear will remain a constant element in any successful extortion scheme. This is evidently seen in what the FBI has warned the public about—the emergence of new extortion campaigns that threaten to spill the beans of some of the most ruinous “secrets” a target has.
At the onset of May, Peace, advertised the sale of a significant chunk of stolen member information in the cybercriminal underground from the dating website, Fling. The said stolen information dates back to a breach that occurred in 2011, and the database reportedly comprised of email addresses, plain text passwords, usernames, IP addresses, dates of birth and even sexual preferences, sexual desires, among others.
Fling allows the creation of profiles and the exchange of messages and even photos to prospective partners of its 50 million members. Peace noted that the available database on sale consists of over 40 million records sold at the rate of 0.8888 Bitcoins, or over 400 USD. The kind of data that this adult-oriented social networking site houses, makes for an effective bait to make a target cave in on an extortionist’s demand.
In a statement, the moderator of the site’s domain confirmed the undetected breach but emphasized that the stolen credentials and personal details are old information. As such, in a statement, the site official notes, “We take internet security very seriously,” he wrote in an email. “Our site is free to join and we do not store any credit card information. We've investigated the sample data and it is from a breach that happened in 2011.”
As of now, members of Fling were urged to change passwords to thwart any possible harm brought by the disclosure of breached credentials, most especially if passwords used are linked in other more significant services like professional email. Further, users were advised to be vigilant and constantly be on the lookout for receiving unsolicited emails that would threaten the exposure of data in exchange for monetary settlement.
This is reminiscent of how another dating service, Ashley Madison, made news in 2015, for an enormous hack that threatened to impair not just wallets and bank accounts, but also cause irreparable damages on real-world relationships. This turned out to have sparked grim consequences on the part of the victims, from blackmail and extortion, employment resignations, and even suicide. Apart from Ashley Madison, Fling now joins the growing line of dating networks that have been victimized by hackers such as Adult FriendFinder, BeautifulPeople and the like.
Fling rounds out the four enormous breaches that have been made public in just one month. Hunt, in his blog entry, wrote, "There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related."
In an interview, security researcher Stephen Gates, shared that Peace may not necessarily be driven by monetary gains. He said, "With limited financial gain and timely value to the data, it's reasonable to believe that Peace may be doing it because he/she can. Right now, Peace is taking the reins of the public image of these social media companies, bringing a mistake they would prefer buried in the past into the forefront of the news cycle."
The FBI, in its warning, continues to drive a campaign to promote cybersecurity education on users to prevent from falling into the traps of the extortionists. In its security bulletin, the agency emphasizes that payment of extortion demands does not ensure the discretion and secrecy of said stolen data. This will only be used as added funds to fuel cybercriminal activities.
“If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at www.ic3.gov. Please include the keyword “Extortion E-mail Scheme” in your complaint, and provide any relevant information in your complaint, including the extortion e-mail with header information and Bitcoin address if available,” the FBI notes.
Update: June 6, 2016
The hacker, popularly known as Peace, continues to create noise in the underground market—this time with a data dump that trades account information of over 100 million users of Russia’s Facebook counterpart, VK.com, reports say on Monday, June 5.
Peace provided Motherboard with the dataset that exceeds 100 million records containing complete names, email addresses, phone numbers, and passwords. These are readily available in the underground market for 1 bitcoin or approximately 570 USD. Peace, noted that the stolen credentials were mined in between the years 2011 and 2013. Aside from this, the hacker, who was also possible for the consecutive data dumps of millions of stolen credentials from other social networking sites, claimed to have full reins to another set of accounts totaling to 71 million. As to when the sale of these records would be, remains to be unclear.
In an analysis published by breach notification site LeakedSource, they too, have obtained the database from a source known to them as “Tessa88”, who was the same pseudonym of the source that provided user data from MySpace. Interestingly, the site stated that the most popular password found in the database was “123456”, appearing over 700,000 times. Other easily decipherable password credentials include “qwerty”, “123123”, and “qwertyiop”, which show clear user disregard of maintaining hard to predict passwords for their own security.
VK joins the growing line of social networking sites victimized by recently-disclosed year-old breaches appearing in the digital underground. Cyber security researcher and journalist Troy Hunt noted that the online world is in the midst of an emerging trend of breaches undiscovered in years past that are only surfacing of late with recently-discovered data dumps. As to how long and how impactful this trend would be in the coming days, the cybersecurity arena, has yet to see.
In a recent update dated June 6, 2016, Motherboard noted a correspondence with an undisclosed VK spokesperson saying, “VK database hasn’t been hacked. We are talking about old logins/passwords that had been collected by fraudsters in 2011-2012. All users’ data mentioned in this database was changed compulsorily. Please remember that installing unreliable software on your devices may cause your data loss. For security reasons, we recommend enabling 2-step verification in profile settings and using a strong password.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale