Apparently this blog, having only barely squeaked past 1000 unique visitors for the first time last month (according to awstats, at least) and even with my posting having dropped off dramatically what with the kids being stuck at home full-time these days … has arrived.
We haz been haxxored.
Well, kinda.
But that looks cooler than:
We are being extorted, and probably scammed.
See, I got this email today; it’s kinda long, so I’ll tack it onto the end of this post instead of inserting it here.
It was sent via the contact page on the site, and it basically says “we haxxored u; pay us $2k”.
Ah, Internet.
See, this site runs WordPress which is a popular and free blogging platform. It is not particularly secure, though they do try.
So it’s totally plausible that some bot equipped with a library of WordPress exploits came by, managed to pull a copy of the db and dropped that email on the way out.
It’s more likely, of course, that a bot that knows how to use the contact form came by and dropped that email hoping it’ll hit enough WordPress sites that a few will panic and pay up without it ever actually breaching the database.
A bot that posts to contact forms is, after all, way easier to write than one that actually breaks into WordPress would be.
And note that the email doesn’t actually offer anything scraped from the db, like, say, a list of user email addresses or the hash of a user password, to prove it managed to copy the db.
So, this is likely a con.
Not definitely, but likely.
So, how to respond?
This is a good example of something sysadmin/ops engineers have to deal with all the time; I literally get emails like this every day, though most are much more obviously scams.
This one needs to be looked at and weighed to decide what to do.
It’s a plausible threat, but the odds are it’s just a con.
So the only thing to do is ignore it.
Maybe comment on it here on the site, too, since this does mean that the site has now surfaced far enough into search engines that scammer bots are finding it.
Which is annoying, since I don’t really have the time to waste examining this, but I guess it’s nice to be noticed?
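A small triage filter in the spirit of the weighing described above, added here as an example and not part of the original post: it scores a contact-form submission against the template of this email (breach claim, Bitcoin address, payment deadline, no-reply instruction) and separately checks whether any proof of a breach, such as a quoted password hash, is present. The indicator patterns and the verdict thresholds are my own choices; apart from the excerpt taken from the email quoted in this post, the sample messages are constructed.

```python
import re

# Markers of the "your site has been hacked, pay BTC" template. Patterns and
# weights are this example's own choices, not a published ruleset.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,60})\b")
INDICATORS = {
    "claims_breach": re.compile(r"\b(hacked|extracted your databases?|database credentials)\b", re.I),
    "demands_payment": re.compile(r"\b(fee|pay(?:ment)?)\b.*\b(bitcoins?|btc)\b", re.I | re.S),
    "sets_deadline": re.compile(r"\bwithin \d+ days?\b", re.I),
    "forbids_contact": re.compile(r"\b(do not reply|will not read any replies)\b", re.I),
    "urges_escalation": re.compile(r"forward this e?-?mail", re.I),
}
# Artefacts a genuine breach notice would usually quote as proof: a raw hex hash,
# a WordPress phpass hash ($P$...) or a bcrypt hash ($2y$...). The scam has none.
PROOF = re.compile(r"(\b[0-9a-f]{32,64}\b|\$P\$[./0-9A-Za-z]{31}|\$2y\$\d{2}\$[./0-9A-Za-z]{53})")


def triage(message: str) -> dict:
    """Classify one contact-form submission against the extortion template."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(message)]
    has_btc = bool(BTC_ADDRESS.search(message))
    has_proof = bool(PROOF.search(message))
    # A payment address plus several template markers and no proof is the
    # mass-mailed con; a breach claim that does quote something needs a human.
    if has_btc and len(hits) >= 2 and not has_proof:
        verdict = "likely-extortion-scam"
    elif "claims_breach" in hits:
        verdict = "needs-review"
    else:
        verdict = "not-extortion"
    return {"indicators": hits, "btc_address": has_btc, "proof": has_proof, "verdict": verdict}


# Excerpt of the email quoted in this post.
SCAM_EXCERPT = (
    "PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS! "
    "We have hacked your website http://www.needsfixin.net and extracted your databases. "
    "The current fee is $2000 USD in bitcoins (BTC). Send the bitcoin to the following Bitcoin "
    "address (Copy and paste as it is case sensitive): 12KLZzgrNX2DvbWQM7yQ1V9vPwy9JPvUKM "
    "Please note that you have to make payment within 5 days after receiving this notice. "
    "This is not a hoax, do not reply to this email, we will not read any replies."
)
# Constructed samples: an ordinary reader message, and a breach claim that quotes a hash.
BENIGN = "Hi, I enjoyed your post about the kids being home all day. Do you have an RSS feed?"
WITH_PROOF = ("We found a flaw and extracted your database. One of your user password hashes: "
              "$P$BaBcDeFgHiJkLmNoPqRsTuVwXyZ01234 (constructed sample, not a real hash).")

if __name__ == "__main__":
    for msg in (SCAM_EXCERPT, BENIGN, WITH_PROOF):
        print(triage(msg))
```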
The email:
… Subject: This Needs Fixin' "Your Site Has Been Hacked"
Date: Wed, 10 Jun 2020 00:34:15 +0000
From: "This Needs Fixin'" ...
Reply-To: hacker@byowua.icu
…
From: Shoshana Tellez hacker@byowua.icu
Subject: Your Site Has Been Hacked

Message Body:

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website http://www.needsfixin.net and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site http://www.needsfixin.net was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site's reputation for a small fee. The current fee is $2000 USD in bitcoins (BTC). Send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive): 12KLZzgrNX2DvbWQM7yQ1V9vPwy9JPvUKM

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 5 days after receiving this notice or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you https://cex.io/ for buying bitcoins.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.
...