Any time you get notification that your organization has been compromised, as a security professional you perk up and take notice. This extortion note came across our desk the other day, sent over by the website team; it had been submitted through the "contact us" form on our main retail site. At that time there were 10 instances of basically the same message; the only difference between submissions was the sender email address.
The first look at the extortion note immediately raised a couple of questions:
- Obviously: is this legit, and does the threat hold any water?
Followed immediately by:
- How much money has this attacker made so far?
- $250? Is that all they are asking for?
That initial read-through put my mind at ease a little more: no hard evidence of an actual breach, no indication of how we were compromised, just generic threats. Then back to the $250… had this attacker done zero recon on our organization? Was it just a shot in the dark? Why would you even waste your time on $250?
So time to pick it apart:
DonaldNub – Google search – records found, but no record of previous malicious campaigns.
WorkPhone: 84623514526 – didn’t spend too much time digging into the phone, but no records found.
Bitcoin wallet – this is where the most information came from.
Using the website https://bitcoinwhoswho.com/ to track down the wallet info:
Campaign success grand total: $0.06.
The only transaction history must have been from when they opened the wallet.
This particular campaign started Oct 12; there are currently 37 scam reports on Bitcoinwhoswho, from either web-form blasting or direct email extortion.
In an instance like this, in my opinion, it's not worth the time or effort to go any further than the quick analysis above. No need to reach out to this attacker via email to dig for more info. Use the info they gave and do some OSINT (open source intelligence gathering) to see what sort of details you can pull together to build a case. If the threats were to change to show evidence of an actual breach, potentially sharing some of the "hacked account information", then it would trigger an all-hands-on-deck response. This was a quick, short write-up of a pretty poor extortion attempt overall, but I did find it entertaining.
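Triage of a form blast like the one above, as an added example that is not part of the original write-up: it collapses submissions that differ only in sender details into one campaign and pulls out the indicators (emails, wallet address, phone number, amount) an analyst would research. Python, with constructed sample submissions; the wallet address and phone number are invented and are checked for shape only, not validity.

```python
import re
from collections import defaultdict

# Indicator patterns. Bitcoin: legacy base58 (1.../3...) or bech32 (bc1...) shape only, no checksum.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b")
PHONE_RE = re.compile(r"\b\d{10,15}\b")
USD_RE = re.compile(r"\$\s?(\d[\d,]*)")
def extract_indicators(message):
    """Contact and payment details an analyst would pivot on (emails, wallets, phones, amounts)."""
    return {
        "emails": set(EMAIL_RE.findall(message)),
        "btc": set(BTC_RE.findall(message)),
        "phones": set(PHONE_RE.findall(message)),
        "usd": {int(a.replace(",", "")) for a in USD_RE.findall(message)},
    }

def template_key(message):
    """Replace per-submission details with tokens so near-identical variants collapse to one key."""
    text = EMAIL_RE.sub("<EMAIL>", message)
    text = PHONE_RE.sub("<PHONE>", BTC_RE.sub("<BTC>", text))
    return " ".join(text.lower().split())

def triage(submissions, min_hits=3):
    """Group form submissions into campaigns and merge each campaign's indicators."""
    groups = defaultdict(list)
    for sub in submissions:
        groups[template_key(sub["message"])].append(sub)
    campaigns = []
    for subs in groups.values():
        merged = defaultdict(set)
        for sub in subs:
            merged["senders"].add(sub["email"])
            for kind, values in extract_indicators(sub["message"]).items():
                merged[kind] |= values
        campaigns.append({
            "hits": len(subs),
            "senders": len(merged["senders"]),
            "btc": sorted(merged["btc"]),
            "phones": sorted(merged["phones"]),
            "usd": sorted(merged["usd"]),
            "blast": len(subs) >= min_hits,  # same text from many senders: form blasting, not a targeted breach note
        })
    return sorted(campaigns, key=lambda c: c["hits"], reverse=True)
# Constructed sample submissions (not real data; the wallet address and phone number are invented).
NOTE = ("We have hacked your database. Pay $250 to 1ConstructedExampAddrNotReaL "
        "within 48 hours or customer data goes public. Contact {e} or 15550100123.")
SENDERS = [f"sender{i}@example.invalid" for i in range(10)]
SAMPLE = [{"email": e, "message": NOTE.format(e=e)} for e in SENDERS]
SAMPLE.append({"email": "buyer@example.invalid", "message": "Do you ship to Canada? Thanks."})
```

Running `triage(SAMPLE)` yields two campaigns: the ten-sender blast flagged `blast=True` with its single wallet, phone and $250 demand, and the ordinary customer enquiry left unflagged.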