Coveware: Ransomware Recovery First Responders


Phantom Incident Scam Threatens Release of Corporate PII

Cybercrime that involves social engineering exists in many forms. One such scam, which we call Phantom Incident Extortion, evolved from consumer sextortion emails and has moved up to the enterprise world. By tracking these scams over time, some very obvious patterns emerge that can help prevent new targets from falling victim. 

We explain these patterns by looking at 4 different Phantom Incident Extortion scams that we have observed in the wild. We call these scams phantom incidents, as their success depends on convincing the target that an illegitimate (i.e. phantom) incident has occurred or will occur, and the only way to prevent its impact is to pay (hint: don’t pay!). 

3 Components of a Phantom Incident Scam

Phantom incident extortion has three main components and some peripheral tells. 

Engineered Legitimacy

A key component of a phantom incident scam is a piece of data that is unique and familiar to the victim, for example an email address or a list of user accounts. The appearance of this data gives credibility to the threat. It is designed to convince the victim that the threat is real and not just contrived.

Social Pressure

Phantom incident scams use different types of social pressure to coerce the target to comply with the extortion threat as quickly as possible. This pressure is often rooted in deadlines and threats of brand damage or costly consequences if the extortion payment is not made. 

Asymmetric Financial Offer

Another key component of a well-designed phantom incident is that the demand is a slim fraction of the perceived cost of the threat. This compounds the social pressure, convincing the victim that paying is the cheap, safe way to deal with the threat.

Phantom Incident Example #1: Breached Employee PII 

In early November, a new type of Phantom Incident email began circulating. The scam begins with emails sent to senior executives of a company using multiple email variants (hoping one gets through). The email threatens to release data that was breached from the recipient’s company. Below is an example of the email:

In past day we have come across data pertaining to company you work for: [Recipient Company Name]. Data contains all personal identifiable information for every employee that works for this company including yourself. Data was leaked around [specific date]. This will happen when systems are in process of updating/ or if your company still uses an older version of [Certain common manufacturer] OS that no longer receives security updates.

What me and me organization do is buy hacked data on market to keep it out of hands of criminals who plan to use it unethically. We then will contact company or companies that this data belongs to and ask them to pay us exactly what we paid for data/ keeping data secure.

We wish that we could just delete data ourselves and it be over but unfortunately that is not reality. At this moment it is only possible to obtain data buy purchasing it and we need to recover our funds.

This market it was purchased from is similar to an eBay for hackers and criminals, sellers have ratings and reputations/ they are only allowed to sell data once and then permanently delete it. So rest assured that there is only one copy in existence.

We need you to consider ALL damage that could occur if this data got into the wrong hands/ or if your current or past employees found out that data was leaked. You are very fortunate that our organization exists/ There were [oddly specific #] bidders for this data.

We give you [specific #] hours from the time this email sent/ Till [specific date] your time. We paid [bespoke $]] USD/ that's amount we need back. We only accept bitcoin as payment/ that's what we use on market/ we need bitcoin back so we can continue our efforts for others.

We encourage you to not contact any legal counsel nor authorities until after our business is complete. It will delay your efforts to send us our funds and we do not allow that. If you do not meet the deadline your data will be sold back on market so we can recover our funding/ no exceptions.

We are in Sweden/ logged in from China on an encrypted mail server in Switzerland. A country with extremely strict privacy laws. No one can help you in time/ trust us. We consider this a courtesy service/ we are very busy so please do not waste our time.

We have attached an image for proof.

We also offer other services once this has been resolved.

We can track down how this happened and offer you ways to make sure this never happens again. There is small chance we can find out which group was responsible as well.

Just think about the impact this could have on the people that work for your company. You need to make the right choice and that's the one where you choose the people over a company. Contact only people that can help you send us back our bitcoin and everything will go smooth and fast.

Our bitcoin address is: [btc address]

Engineered Legitimacy

In this phantom incident scam a small sample of employee Personally Identifiable Information (PII) is attached to the email (redacted from the example above). This PII typically matches current or former employees of the company and normally includes social security numbers, so it looks legitimate and material. The likely source of this data is not a company breach, though. Because so much PII is already available for sale, this scam simply picks from a large data set and filters it by employer. The resulting list of current and ex-employee data creates the appearance of breached employee PII. In reality, the limited data set was pieced together from various incomplete sources.

Social Pressure

The consequences of sustaining a PII-related breach are severe and include legal and regulatory consequences. A data breach can be a costly, brand-damaging event. Avoiding the incident by paying off an extortion demand is an appealing option versus dealing with the fallout of a data breach disclosure, as Uber demonstrated. In this note, the victim is reminded of the costs and potential damages if this data is allowed to leak out.

Asymmetric Financial Offer

Given the roughly $4 million average cost of a data breach, the option to avoid a data breach for a few thousand dollars seems very enticing. The offer uses a common negotiation tactic of picking a non-round, specific number for their demand (e.g. $32,500). The number adds legitimacy to the threat as its specificity implies it is representative of a legitimate transaction. 

Other Tells

Genuine data exfiltration extortion negotiations are long, drawn-out processes involving the victim purchasing a sample to validate the legitimacy of the data and enumerate its content. This exchange takes time, and extortionists that actually apply this tradecraft know that. It is never a quick, immediate payment without further proof. In this case, the example data also had some inconsistencies: the alphanumeric order was slightly off, and it included an employee who joined the company AFTER the breach date specified in the note.
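The checks described in these tells can be run against the HR roster as soon as the "proof" sample arrives. The script below is an added example, not Coveware's tooling; the roster, the attached sample and the claimed breach date are all constructed for a hypothetical company.

```python
"""Triage a claimed 'breached employee PII' sample against the HR roster.

Added example, not from the Coveware post. The roster and the attached
sample are constructed here (hypothetical company; the SSN fragments are
made up). The tells from Example #1 are checked: names that do not match,
rows HR has never heard of, a hire date later than the claimed breach date,
and a sample whose sort order is "slightly off".
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Employee:
    last: str
    first: str
    ssn_last4: str
    hired: date


# Constructed HR roster keyed by the last four SSN digits.
ROSTER: Dict[str, Employee] = {
    e.ssn_last4: e for e in (
        Employee("Alvarez", "Dana", "1001", date(2015, 3, 2)),
        Employee("Brown", "Chris", "2002", date(2017, 8, 14)),
        Employee("Chen", "Mei", "3003", date(2018, 5, 7)),
        Employee("Dubois", "Paul", "4004", date(2021, 2, 1)),  # joined after the "breach"
    )
}

# Constructed sample as it might be attached to the note: (last, first, ssn_last4).
SAMPLE: List[Tuple[str, str, str]] = [
    ("Alvarez", "Dana", "1001"),
    ("Chen", "Mei", "3003"),
    ("Brown", "Chris", "2002"),   # out of alphabetical order
    ("Dubois", "Paul", "4004"),   # hired after the claimed breach
    ("Zimmer", "Kay", "9999"),    # no such person in HR
]
CLAIMED_BREACH = date(2020, 10, 1)  # the note's "[specific date]", constructed


def triage_sample(sample, roster, claimed_breach):
    """Return per-row findings, the sort-order check and an overall verdict."""
    rows: Dict[int, List[str]] = {}
    for i, (last, first, ssn4) in enumerate(sample):
        notes: List[str] = []
        emp = roster.get(ssn4)
        if emp is None:
            notes.append("no HR record with this SSN")
        else:
            if (emp.last.lower(), emp.first.lower()) != (last.lower(), first.lower()):
                notes.append("name does not match HR record")
            if emp.hired > claimed_breach:
                notes.append(f"hired {emp.hired} after claimed breach on {claimed_breach}")
        if notes:
            rows[i] = notes
    names = [(l.lower(), f.lower()) for l, f, _ in sample]
    in_order = names == sorted(names)
    # Rows that cannot have come from a breach on the claimed date.
    impossible = sorted(
        i for i, notes in rows.items()
        if any(n.startswith(("hired", "no HR")) for n in notes)
    )
    if impossible or not in_order:
        verdict = "phantom-incident indicators present; treat as a scam pending further proof"
    else:
        verdict = "sample consistent with HR; keep validating, do not pay"
    return {"rows": rows, "alphabetical": in_order,
            "impossible_rows": impossible, "verdict": verdict}


if __name__ == "__main__":
    report = triage_sample(SAMPLE, ROSTER, CLAIMED_BREACH)
    for i, notes in sorted(report["rows"].items()):
        print(f"row {i} {SAMPLE[i][:2]}: {'; '.join(notes)}")
    print("alphabetical:", report["alphabetical"])
    print("verdict:", report["verdict"])
```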

Phantom Incident Example #2: Customer Data Breach 

A similar version of the phantom incident involves the threat to release breached customer data. The targets of this scam are almost always B2C companies with very low barriers to signup, for example Uber and Bird, or online retailers. The key difference in this variation is how legitimacy is engineered.

Rather than creating a legitimate-seeming data set from scraped data dumps, the attacker creates a relatively large group of fake accounts on the target's website. These accounts are created over a period of time and have unique emails, names, and passwords. The scammers aggregate the details of this manufactured user data and claim it has been breached. When the company receives the threat and validates the data, they find that the accounts exist and match the sample provided by the scammer. This raises major alarms, as the company previously believed its user data was fully encrypted and that such a breach would be impossible. But it is all a ruse engineered by the attacker.

This sort of scam has common tells. Often the scammer gets lazy and leaves easily discernible patterns in the accounts that were created. Additionally, these accounts typically never log in to the service or make purchases.
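Because the accounts in this variant really do exist, validation has to look at what the site knows about them rather than whether they match. The script below is an added example, not Coveware's code; the account table, the extortionist's sample and the thresholds are constructed for a hypothetical retailer.

```python
"""Check a claimed 'breached customer data' sample against the account table.

Added example, not from the Coveware post. The account table and the
sample are constructed (hypothetical retailer). In Example #2 the accounts
really exist, so existence proves nothing; the tells are that the scammer
created them: never logged in, never purchased, registered in a burst and
often sharing a lazy pattern such as one mail domain or name+digits handles.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed account table: email -> (created, last_login, order_count).
ACCOUNTS: Dict[str, Tuple[datetime, Optional[datetime], int]] = {
    "dana.alvarez@example.com": (datetime(2019, 1, 12), datetime(2021, 3, 4), 6),
    "mei.chen@example.net":     (datetime(2018, 6, 3), datetime(2021, 2, 20), 2),
    "user4471@mailbox-x.test":  (datetime(2021, 4, 2, 9, 1), None, 0),
    "user4472@mailbox-x.test":  (datetime(2021, 4, 2, 9, 3), None, 0),
    "user4473@mailbox-x.test":  (datetime(2021, 4, 2, 9, 6), None, 0),
    "user4480@mailbox-x.test":  (datetime(2021, 4, 3, 10, 0), None, 0),
    "kay.z@example.org":        (datetime(2020, 11, 1), datetime(2021, 1, 9), 1),
}

# Constructed sample the extortionist says was "breached".
SAMPLE: List[str] = [
    "user4471@mailbox-x.test", "user4472@mailbox-x.test",
    "user4473@mailbox-x.test", "user4480@mailbox-x.test",
    "mei.chen@example.net", "ghost@nowhere.test",
]

# Lazy handle pattern: letters followed by three or more digits.
NAME_DIGITS = re.compile(r"^[a-z]+\d{3,}@", re.I)


def triage_accounts(sample, accounts):
    """Compare the sample with what the site knows about those accounts."""
    matched = [e for e in sample if e in accounts]
    unknown = [e for e in sample if e not in accounts]
    dormant = [e for e in matched
               if accounts[e][1] is None and accounts[e][2] == 0]
    patterned = [e for e in matched if NAME_DIGITS.match(e)]
    domains = Counter(e.rsplit("@", 1)[1] for e in matched)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    # Largest number of matched accounts created in one ISO week.
    weeks = Counter(accounts[e][0].isocalendar()[:2] for e in matched)
    burst = max(weeks.values()) if weeks else 0
    n = len(matched)
    indicators: List[str] = []
    if n and len(dormant) / n >= 0.5:
        indicators.append(f"{len(dormant)}/{n} accounts never logged in or ordered")
    if n and top_count / n >= 0.5:
        indicators.append(f"{top_count}/{n} accounts share mail domain {top_domain}")
    if n and len(patterned) / n >= 0.5:
        indicators.append(f"{len(patterned)}/{n} handles follow a name+digits pattern")
    if n and burst / n >= 0.5:
        indicators.append(f"{burst}/{n} accounts created in the same week")
    if len(indicators) >= 2:
        verdict = "accounts look manufactured: phantom incident, not a breach"
    elif unknown and not matched:
        verdict = "no sample account exists here; nothing to validate"
    else:
        verdict = "sample matches real, active users: escalate to IR"
    return {"matched": n, "unknown": unknown, "dormant": dormant,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    report = triage_accounts(SAMPLE, ACCOUNTS)
    for line in report["indicators"]:
        print("-", line)
    print("unknown:", report["unknown"])
    print("verdict:", report["verdict"])
```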

Phantom Incident Example #3: DDOS Extortion Threat

Over the summer of 2019, a group known as Cozy Bear began threatening companies with crippling DDOS attacks. The threat was often followed by an actual small DDOS attack to demonstrate their ability. Another group emerged in the spring of 2021 calling themselves Fancy Lazarus. The extortion email looked like the below:

UPDATED MAY 2021:

We are the Fancy Lazarus and we have chosen [redacted] target for our next DDoS attack.

Please perform a google search to have a look at some of our previous work. Also, perform a search for "NZX DDOS" or "New Zealand Stock Exchange DDOS" in the news. You don't want to be like them, do you?

Your whole network will be subject to a DDoS attack starting in 7 days on [redacted] next week. (This is not a hoax, and to prove it right now we will start a small attack on a few random IPs from your [redacted] block that will last for about 2 hours. It will not be a heavy attack, and will not cause you any damage, so don't worry at this moment. We are attacking you with 6 out of 137 of our servers, so do the math.) There's no counter measure to this, because we will be attacking your IPS directly and our attacks are extremely powerful (peak over 2 Tbps)

This means that your websites and other connected services will be unavailable for everyone. Please also note that this will severely damage your reputation among your customers who use online services. And worst of all you will lose Internet access in your offices too.

We will refrain from attacking your network for a small fee. The current fee is 2 Bitcoin (BTC). It's a small price for what will happen when your whole network goes down. Is it worth it? You decide!

We are giving you time to buy Bitcoin if you don't have it already.

If you don't pay the attack will start and the fee to stop will increase to 4 BTC and will increase by 1 Bitcoin for each day after the deadline that passed without payment.

Please send Bitcoin to the following Bitcoin address: 1GJDfndv7BSq2e[redacted]ESTSEYmE9

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline or the attack WILL start!

If you decide not to pay, we will start the attack on the indicated date and uphold it until you do. We will completely destroy your reputation and make sure your services will remain offline until you pay.

Do not reply to this email, don't try to reason or negotiate, we will not read any replies.

Once you have paid we won't start the attack and you will never hear from us again.

Please note we will respect your privacy and reputation, so no one will find out that you have complied.

JUNE 2019:

We are the Cozy Bear and we have chosen [Victim Company] as target for our next DDoS attack.

Please perform a google search for "Cozy Bear" to have a look at some of our previous work.

Your network will be subject to a DDoS attack starting at [a day 2-3 days after receipt of email] morning.

(This is not a hoax, and to prove it right now we will start a small attack on [legit IP address of victim] that will last for 30 minutes. It will not be heavy attack, and will not cause you any damage so don't worry, at this moment.)

This means that your website and other connected services will be unavailable for everyone.

We will refrain from attacking your servers for a small fee. The current fee is 2 Bitcoin (BTC). The fee will increase by 1 Bitcoin for each day after deadline that passed without payment.

Please send Bitcoin to the following Bitcoin address:

[bitcoin wallet address]

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment before the deadline or the attack WILL start!

If you decide not to pay, we will start the attack on the indicated date and uphold it until you do, there's no counter measure to this, you will only end up wasting more money trying to find a solution (Cloudflare, Sucuri, Imperva and similar services are useless, because we will attack your IPs directly). We will completely destroy your reputation and make sure your services will remain offline until you pay.

Do not reply to this email, don't try to reason or negotiate, we will not read any replies. Once you have paid we won't start the attack and you will never hear from us again.

Please note that Bitcoin is anonymous and no one will find out that you have complied.

Engineered Legitimacy 

The DDOS traffic in these attacks is legitimate and occurs on an IP address of the target. This tangible credibility is more compelling than in other phantom incidents. However, the larger crippling attack never follows. Why? Because purchasing a small block of DDOS traffic aimed at a target IP address is extremely cheap. Most companies have never been DDOS’d before, so even a small DDOS demonstration of 2-5GB per second can be quite alarming. This is the goal of the first attack.

Social Pressure

The extortion email uses a combination of time pressure and the business interruption to pressure the target into a hasty decision. The email states the target’s worst fears out loud (destroyed reputation and offline services) to hammer home the anxiety. 

Asymmetric Financial Offer

Given that the average cost of a corporate DDOS attack is roughly $2.5 million, the offer to avoid the attack for 2 bitcoins (roughly $15,000 at the time of this example) seems like an obvious choice for the victim.

Other Tells

Unlike ransomware, where the attackers ARE typically the only ones capable of decrypting data, the CDN vendors mentioned in the email are actually capable of preventing DDOS attacks, and most security professionals know that. 

Phantom Incident Example #4: Sextortion Scam Emails

The original phantom incident has been around for a few years but seems to make the rounds anew every couple of months. Sextortion emails attempt to convince recipients that their computer has been compromised. Below is a sample ‘sextortion’ email:

Title: “I’m aware that <password formerly used by recipient here> is your password,”
Body: You don’t know me and you’re thinking why you received this email, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).

BTC Address: []

(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Engineered Legitimacy

The title of these sextortion emails frequently contains a password KNOWN to the victim. How? If you have been using the internet for more than a few years, prior passwords have likely been leaked and are floating around in breach dumps. Massive data sets of these passwords and their corresponding user emails can be purchased on dark marketplaces for almost nothing. In this example, the leaked password is merged into the title of the email. The victim reads the email, recognizes the password, and may be convinced that the extortion threat is legitimate. The email also references common online proclivities and preferences. Given how many internet users visit pornography sites, this uncomfortable and potentially embarrassing observation applies to almost everyone but feels personal.

Social Pressure

In sextortion scams, the social pressure is applied via the threat of releasing an embarrassing phantom video to the victim’s contacts. A time-based threat is used as well to create a sense of urgency.

Asymmetric Financial Offer

The relatively low demand is designed to force the victim into NOT thinking this whole situation through. The perceived risk is SO high relative to the cost that one might as well pay. 

Other Tells

This email was designed to elicit a payment without any back and forth, but in the last lines the sender makes a contradictory offer. First, they state they can produce evidence if the recipient replies. In the next sentence, they tell the recipient not to bother emailing. When the authors of these emails deviate from the basics, it exposes their illegitimacy.

Phantom Incident Example #5: Database Deletion Scam, Data Theft or Threat of Future Attacks

Over the past few years, a number of groups have been targeting unprotected databases hosted on cloud storage spaces such as AWS. These groups often brute force weak passwords on hundreds of internet-facing servers and delete all of the underlying data. Upon deletion, they insert a ransom note (similar to those below) into the database explaining that a payment is required both to retrieve the data and to prevent it from being exposed. In most cases these groups are able to delete data; however, there is a low probability of retrieving the information after payment. Logistically, it is very difficult to infiltrate hundreds of databases and successfully exfiltrate data quickly. In reality, the groups are using smash-and-grab techniques rather than thoroughly vetting and exfiltrating data from all of the accessible databases. They likely do not have copies of the data, nor will they choose to monetize any of the information that they initially had access to. It is doubtful that they even know who the owners of these databases are.

Example #1:

To recover your lost Database and avoid leaking it: Send us 0.08 Bitcoin (BTC) to our Bitcoin address [merge field - bitcoin address] and contact us by Email with your Server IP or Domain name and a Proof of Payment. If you are unsure if we have your data, contact us and we will send you a proof. Your Database is downloaded and backed up on our servers. Backups that we have right now: [merge field - host name]. If we don’t receive your payment in the next 10 Days, we will make your database public or use them otherwise.

Example #2:

As you may have noticed, a couple of months ago, there was a data breach in your company - [merge field - company name].

We gained access to your employees email accounts and the [merge field - host name] server. We have downloaded every single file stored and shared through [merge field - host name]. Your company is storing sensitive client data, in "[merge field - host name]” without encryption, data we gathered::

- operational credentials of your clients, CRM/admin URL's, login's, passwords,

- transactional data, including credit card numbers and other consumer data,

- other sensitive business data of your company and your clients, like load balancing schemes, merchant accounts, gateways, etc.

Data we gathered from your company was already used in attacks on your clients and some of your clients have suffered financial and data loses. Storing and processing data the way your company does is a clear violation of the Data Protection Act, which may lead to damaging financial and legal ramifications for you and your company. More problems will come if following information including data will be shared with your clients:

- Detailed notification of data breach in your company,

- Evidence of improper client data storage and processing which lead to attacks and leaked sensitive information,

- Detailed list of data which was leaked from you and how it was used to attack your clients and consumers.

- All data we downloaded from your companies [merge field - host name],

- Sensitive data of your clients

-Additionally, we are prepared to leak all data to the public.

To keep your business running, to keep your clients, and avoid financial and legal ramifications, you must pay exactly 1 Bitcoin(BTC). You must send payment to this Bitcoin address: [merge field - bitcoin address]. Payment must be received by [merge field - date] in Bitcoin address provided. If we do not receive payment by the date and time stated above, we will start the process and there is no way back.

Example #3:

Hello [COMPANY NAME], we are a hacker group and it’s no secret to you what we do! Your servers and website will be attacked, data will be encrypted soon if 15 bitcoins are not transferred to our account. In the event that you do not pay the ransom amount, we will release all of your customer data and other sensitive information. An example of our success is the [REDACTED FAKE PRIOR VICTIM COMPANY NAME] company [REDACTED COMPANY NAME], regarding our hack, we came to a mutual decision, where everyone was satisfied. All the work of your IT people will be useless if you do not pay us, then the price will rise to $15 million at the BTC rate, and the information will get into the media and you will lose your reputation. To avoid unnecessary scandal, follow our terms. BTC payment account for payment:

bc … [REDACTED BTC WALLET ADDRESS]

Example #4:

We have hacked your website [redacted website URL] and extracted your databases.

How did this happen?

Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your [redacted] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site's reputation for a small fee. The current fee is $2500 in bitcoins (BTC).

Please send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive):

[redacted BTC address]

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 5 days after receiving this e-mail or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you to start with localbitcoins.com, paxful.com or do a google search.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

Example #5:

Hello [first & last name of email recipient],

This is Midnight group. As you possibly was warned, your employer recently had a data security hack, and we are the ones who are behind it. During this incident, we exfiltrated [100 - 900 GB] of crucial information from your employer's servers, and we are now offering you a way to resolve this case.

First, [first and last name] let me explain why you are getting this letter.
The first reason we are sending this message to all the employees and managers, as among the data that we took, there was massive amount of data related to HR records, employee records, and personal and medical data of the employees. This is why this issue should concern you personally, no matter what your employer says about this being "just a regular data breach" (in case they actually told you anything). The second reason is that the more employees know, the higher there is a chance that the firm will begin talking to us, the more chance there is that the cirsis gets resolved.

So, we ask you to talk to your directors about this and tell them this note.
- First, we know who you are. We saw your documentation, your employer does a lot of work with cliniques and has state contracts. If your data are exposing not only you but your counterparts and people who trusted you.
- Second, we have your accounting, finance, and employee information which is an crucial resource. If you don't pay, we know hackers who will pay for it.
- Third you are in West and the regulatory laws of data breaches are very strict there.
- Four, we have access to the folders of your counterparts. If you don't pay, we will get our money by hacking them using the important documentation we get from you. We will use the information from there to attack these parties, and you will be the one to blame.
- Five, if you don't talk to us, we will be going for your staff, and directors and keep calling and emailing them: we have all your phones, addresses, and personal details.

[first and last name], please tell your managers that in order to resolve this, they need to contact us via this email: [random email address, often outlook]. After this will provide expnation on how to enter a secure chat in which we will provide you comprehensive proofs that we have the data and the instructions on what to do. When you entre, we will handle you with a listing of all the data we took. It is two millions of files. We will be then talking price.

Engineered Legitimacy

The disappearance of the data from the database is very much real. What is NOT real is the claim that the data was taken and can be recovered if you pay.

Social Pressure

The extortion email threatens the public release of the database, or its malicious use. Given that the actors are likely just wiping the database, this threat has no basis.

Asymmetric Financial Offer

Given that the average cost of a data exfiltration extortion is several hundred thousand dollars, a ransom of a few hundred dollars certainly seems like an easy trade to avoid the embarrassment of the data becoming public.

Conclusions to Avoid Phantom Incident Extortion

The likelihood of encountering threats like this is about 100%, so it’s important that companies protect themselves and are ready and able to spot these scams. Breaking down the threats into the components we discussed in these examples can help qualify the extortion threat as a scam. When in doubt, victims should always contact law enforcement or their privacy counsel for assistance. We also note that every threat should be evaluated in depth and taken seriously. At a minimum, the feedstock for creating the engineered legitimacy is something to look into. Coveware’s phones are always on as well!
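The component breakdown used throughout this post can be turned into a first-pass triage rule for a mail filter or a SOC queue. The script below is an added example, not Coveware's tooling; the indicator lists are a starting point drawn from the patterns in the notes above, and both sample messages are constructed (the scam one paraphrases those patterns and is not a real note).

```python
"""Score an extortion email against the three phantom-incident components.

Added example, not part of the Coveware post. Both messages below are
constructed: the first paraphrases the patterns of the notes quoted in the
post (not a real note), the second is an ordinary invoice reminder. The
indicator lists are a starting point for a mail-filter or SOC triage rule,
not an exhaustive signature set; a single hit proves nothing.
"""
import re
from typing import Dict, List

# Indicators grouped by the component of the scam they serve.
COMPONENTS: Dict[str, List[re.Pattern]] = {
    "engineered_legitimacy": [
        re.compile(r"\battached\b.*\bproof\b", re.I | re.S),   # "attached an image for proof"
        re.compile(r"\bis your password\b", re.I),             # sextortion subject line
        re.compile(r"\bwe will send you (?:a )?proof\b", re.I),
        re.compile(r"\bsmall attack on\b", re.I),              # DDOS demonstration
    ],
    "social_pressure": [
        re.compile(r"\b(?:you have|give you)\s+\d+\s*(?:hours?|days?)\b", re.I),
        re.compile(r"\bdeadline\b", re.I),
        re.compile(r"\b(?:destroy|damage)\b.{0,40}\breputation\b", re.I),
        re.compile(r"\b(?:legal|regulatory)\b.{0,40}\b(?:ramifications|consequences|laws)\b", re.I),
        re.compile(r"\bs(?:ell|old)\b.{0,30}\b(?:highest bidder|market|public)\b", re.I),
    ],
    "asymmetric_financial_offer": [
        re.compile(r"\b\d+(?:\.\d+)?\s*(?:BTC|bitcoins?)\b", re.I),
        re.compile(r"\$\s?\d[\d,]*(?:\.\d{2})?\b"),
        re.compile(r"\b(?:bc1[a-z0-9]{25,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),  # BTC address shape
        re.compile(r"\bsmall (?:fee|price)\b", re.I),
    ],
}

# Peripheral tells the post calls out.
TELLS: Dict[str, re.Pattern] = {
    "discourages_counsel_or_police": re.compile(
        r"\b(?:not|don'?t) contact\b.{0,40}\b(?:counsel|authorities|police)\b", re.I),
    "refuses_dialogue": re.compile(
        r"\b(?:do not reply|will not read any replies|non-negotiable)\b", re.I),
    "hoax_denial": re.compile(r"\bnot a hoax\b", re.I),
    "anonymity_assurance": re.compile(r"\bno one will find out\b", re.I),
}


def score_message(text: str) -> dict:
    """Count indicator hits per component and list the tells found."""
    hits = {name: sum(1 for p in pats if p.search(text))
            for name, pats in COMPONENTS.items()}
    tells = [name for name, p in TELLS.items() if p.search(text)]
    present = sum(1 for v in hits.values() if v)
    if present == 3 and tells:
        verdict = "likely phantom incident: validate the 'proof' before anything else"
    elif present >= 2:
        verdict = "extortion pattern: escalate to IR and counsel"
    else:
        verdict = "no extortion pattern"
    return {"components": hits, "tells": tells, "verdict": verdict}


# Constructed sample messages.
PHANTOM = """We have come across data pertaining to the company you work for.
It contains personal information for every employee. We have attached an
image for proof. You have 72 hours from the time this email was sent. We paid
0.4 BTC and that is the amount we need back. Do not contact legal counsel or
the authorities until our business is complete. If you miss the deadline the
data is sold back on the market. This is not a hoax. No one will find out
that you have complied."""

BENIGN = """Hi team, reminder that invoice 1187 for $4,200.00 is due on 30 June.
Let me know if you have any questions about the attached statement."""

if __name__ == "__main__":
    for label, msg in (("phantom", PHANTOM), ("benign", BENIGN)):
        print(label, score_message(msg))
```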