OMG!! We got hacked!!!!


TLDR: No, we didn't. Someone just tried to scam us.

So today I opened my mail client to see a mail with the subject “Your Site Has Been Compromised”. I'm subscribed to haveibeenpwned.com, so I thought, what service got hacked this time? On opening the mail, my client asked whether to send a read receipt. Well, that's strange, I guess it's going to be a scam. And sure enough, it was a scam.

Let me share that mail in its entirety and add my thoughts as I read through it:

Y0ur Site Has Been Hacked

Punctuation would be nice.

PLEASE F0RWARD THIS EMAIL T0 SoMEoNE IN Y0UR C0MPANY WHo iS ALLoWED T0 MAKE IMPORTANT DECISIoNS!

Company? What company?! And what's with that budget leetspeak in the mail? Was this mail written by some script kiddy that thinks that makes it cool or something? This looks more like crytyping than a serious threat.

We have hacked your website https://riichi.cologne and extracted y0ur databases.

That's not a company, and the site doesn't have databases. That site, just like this site, is a static site, generated by a program. Though, I added a fake WordPress login to the site at some point. If you stretch the definition of database, there are CSV files. But their contents are publicly visible on the site: it's tournament results.

How did this happen?

0ur team has f0und a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract y0ur entire database and move the information t0 an 0ffshore server.

Unlikely, as I said, it's a static site.

What does this mean?

We will systematically go thr0ugh a series 0f steps of t0tally damaging your reputation. First your database will be leaked 0r sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their inf0rmation has been sold 0r leaked and your site https://riichi.cologne was at fault thusly damaging y0ur reputati0n and having angry cust0mers/ass0ciates with whatever angry customers/associates do.

Oh, please do leak those databases, I want to know what you actually found!

Lastly any links that you have indexed in the search engines will be de-indexed based off 0f blackhat techniques that we used in the past to de-index 0ur targets.

OK, this one is actually believable; it's rather expensive to do, and there are also means to combat it, so it's not a real threat.

H0w do i stop this?

We are willing to refrain from destroying y0ur site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.15 BTC).

Please send the bitcoin t0 the f0ll0wing Bitcoin address (C0py and paste as it is case sensitive):

31irhaA4pwZr8ff9312L8r8CUoYTZUhqAV

once y0u have paid we will aut0matically get informed that it was your payment.

Actually, I googled that address and the result is a comment with the same text as the mail, with the same budget leetspeak. They're not even using different addresses for this scam! I had to dig a little, since the site I found did a bad job of disabling comments and all the comments that do exist are spam.

Please note that y0u have t0 make payment within 3 days after opening this e-mail 0r the database leak, e-mails dispatched, and de-index of your site WiLL start!

How d0 i get Bitcoins?

You can easily buy bitcoins via several websites 0r even offline from a Bitcoin-ATM.

What on earth is a Bitcoin-ATM?!

What if i d0n’t pay?

if y0u decide not to pay, we will start the attack at the indicated date and uph0ld it until you do, there’s n0 c0unter measure t0 this, you will 0nly end up wasting m0re m0ney trying to find a s0lution.

Yes, they are right, there's no countermeasure to this, because all the threat claims in the mail are complete bollocks. I don't need to spend money to find a solution, I just need to ignore the mail. Or maybe write a blog post to make fun of it.

We will completely destroy y0ur reputati0n am0ngst g0ogle and y0ur cust0mers.

This is not a hoax, d0 n0t reply to this email, d0n’t try to reas0n or negotiate, we will not read any replies. once you have paid we will st0p what we were d0ing and you will never hear fr0m us again!

Please note that Bitcoin is anonymous and no one will find out that y0u have c0mplied.

As much as I hate cryptocurrencies, I have to correct this: Bitcoin is at most pseudonymous. And you can connect cryptocurrency addresses to people if you put in enough effort. It's even easier if they use the same address over and over again.

Finally d0n't reply as this email is unmonit0red.

I did some digging: the sender's domain belongs to an ISP, so I guess someone fell for a phishing attack and their addresses were used to send out scam mails. I did report it, but as always people never get back to me.
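The three things that gave this mail away (the read-receipt request, the 0-for-o leetspeak and a Bitcoin address that a web search shows reused in other copies of the scam) are exactly the signals a mail filter can score. The following is an added example, not code from this blog or from any filter the author uses; the sample message is constructed here, modelled on the mail quoted above (the Bitcoin address and the site name are the ones from the post, the sender and recipient are placeholders), and the thresholds and the keyword list are my own assumptions. The point it shows is that the leetspeak has to be normalised before keyword matching, otherwise "reputati0n" slips past a filter looking for "reputation".

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample, modelled on the extortion mail quoted in the post.
# Sender/recipient are placeholders; the address and site are from the post.
SAMPLE_MAIL = """\
From: noreply@isp.example
To: webmaster@riichi.cologne
Subject: Your Site Has Been Compromised
Disposition-Notification-To: noreply@isp.example
Content-Type: text/plain; charset=utf-8

Y0ur Site Has Been Hacked
We have hacked your website https://riichi.cologne and extracted y0ur databases.
First your database will be leaked 0r sold to the highest bidder.
The current fee is $3000 in bitcoins (0.15 BTC).
Please send the bitcoin t0 the f0ll0wing Bitcoin address:
31irhaA4pwZr8ff9312L8r8CUoYTZUhqAV
Please note that y0u have t0 make payment within 3 days after opening this e-mail.
We will completely destroy y0ur reputati0n am0ngst g0ogle and y0ur cust0mers.
"""

# Address seen reused across copies of this scam (from the post); a real
# filter would feed this from a shared blocklist.
KNOWN_SCAM_ADDRESSES = {"31irhaA4pwZr8ff9312L8r8CUoYTZUhqAV"}

# Legacy (1.../3...) and bech32 (bc1...) address shapes. Base58 has no 0, O, I, l.
BTC_ADDRESS = re.compile(
    r"\b(?:bc1[ac-hj-np-z02-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

# A token that mixes letters with the digit 0 is the 0-for-o substitution.
LEET_WORD = re.compile(r"\b(?=[A-Za-z0-9]*[A-Za-z])(?=[A-Za-z0-9]*0)[A-Za-z0-9]+\b")

# Assumed vocabulary of this scam family; matched after normalisation.
EXTORTION_TERMS = ("database", "leak", "fee", "bitcoin", "within 3 days",
                   "reputation", "de-index", "offshore")


def normalise_leet(text: str) -> str:
    """Turn a 0 that touches a letter back into o; leaves numbers like $3000 alone."""
    return re.sub(r"(?<=[A-Za-z])0|0(?=[A-Za-z])", "o", text)


def plain_body(msg: Message) -> str:
    """Collect the text/plain parts of a parsed message as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def extortion_terms(body: str) -> list:
    """Keywords found in the de-leeted, lower-cased body, in list order."""
    text = normalise_leet(body).lower()
    return [t for t in EXTORTION_TERMS if t in text]


def analyse(raw_mail: str) -> dict:
    """Score one RFC 822 message for the extortion-scam pattern."""
    msg = message_from_string(raw_mail)
    body = plain_body(msg)
    addresses = BTC_ADDRESS.findall(body)
    leet_words = LEET_WORD.findall(body)
    terms = extortion_terms(body)
    # Either header asks the client to send a read receipt (what the post noticed).
    read_receipt = any(msg.get(h) for h in ("Disposition-Notification-To", "Return-Receipt-To"))

    indicators = []
    if addresses:
        indicators.append("bitcoin address in body")
    if KNOWN_SCAM_ADDRESSES.intersection(addresses):
        indicators.append("known reused scam address")
    if len(leet_words) >= 3:
        indicators.append("leetspeak 0-for-o substitution")
    if len(terms) >= 3:
        indicators.append("extortion vocabulary")
    if read_receipt:
        indicators.append("read receipt requested")

    verdict = ("likely extortion scam" if len(indicators) >= 2
               else "suspicious" if indicators else "no indicators")
    return {"addresses": addresses, "leet_words": len(leet_words), "terms": terms,
            "read_receipt": read_receipt, "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MAIL).items():
        print(f"{key}: {value}")
```

Run against the sample it reports five indicators; the "reputation" hit only appears because `normalise_leet` rewrote "reputati0n" first. The address regex is deliberately only a shape check; an address that matches the shape is a reason to look closer, and one that matches the blocklist is the reason to drop the mail.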
