Imagine a criminal breaks into your home but doesn't steal anything or cause any damage. Instead, they photograph your personal belongings and valuables and later that day hand-deliver a letter with those pictures and a message: "Pay me a large sum of cash now, and I will tell you how I got in."
Cybercriminals are doing the equivalent of just that: Hacking into corporations to shake down businesses for upward of $30,000 when they find vulnerabilities, a new report from IBM Security revealed.
The firm has traced more than 30 cases over the past year across all industries, and at least one company has paid up. One case involved a large retailer with an e-commerce presence, said John Kuhn, senior threat researcher at IBM Security.
Though some companies operate bug bounty programs — rewarding hackers for revealing vulnerabilities — in these cases, the victims had no such program.
"This activity is all being done under the disguise of pretending to be a 'good guy' when in reality, it is pure extortion," said Kuhn.
Researchers have dubbed the practice "bug poaching."
Here's how it typically works. The attacker finds and exploits web vulnerabilities on an organization's website. The main method of attack — known as SQL injection — involves the hacker injecting code into the website which allows them to download the database, said Kuhn.
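The attack shape Kuhn describes comes down to one coding mistake: user input spliced into the SQL text. The following is an added example, not code from the IBM report or the affected retailer, using a constructed in-memory SQLite table of invented customer rows. It places the vulnerable lookup beside its parameterized form so the difference in behaviour on the same input is visible:

```python
import sqlite3


def build_db():
    # Constructed stand-in for an e-commerce customer table; every row is invented.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "2222"),
            ("carol@example.com", "3333"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    # The query is assembled by string concatenation, so whatever the caller
    # supplies becomes part of the SQL text and can change the query's logic.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    # Parameterized query: the value travels separately from the SQL text and
    # is only ever compared as data, never parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = build_db()
    normal = "alice@example.com"
    # Textbook tautology input: closes the quoted literal and appends an
    # always-true condition, which is what turns a one-row lookup into a dump.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "hardened_normal": lookup_hardened(conn, normal),
        "hardened_crafted": lookup_hardened(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Run as written, the vulnerable lookup returns every customer row for the crafted input, while the hardened lookup returns nothing for it and exactly one row for the legitimate address. Auditing application code for concatenated SQL (measure 4 in the list below) is precisely a hunt for the first pattern.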
Once the attacker has obtained sensitive data or personally identifiable information, they pull it down and store it, then place it in a cloud storage service. They then send an email to the victim with links to the stolen information — proof they have it — and demand cash to disclose the vulnerability or "bug."
Though the attacker does not always make explicit threats to expose the data or attack the organization directly, there is no doubt of the threatening nature of the emails. Hackers often include statements along the lines of, "Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for living, not for fun," said the report.
"This does not negate the fact that the attacker stole the organization's data and placed it online, where others could potentially find it, or where it can be released," said Kuhn.
Trusting unknown parties to secure sensitive corporate data — particularly those who breached a company's security systems without permission — is inadvisable, said Kuhn. And, of course, there are no guarantees when dealing with these criminals so even when companies pay up, there is still a chance the attacker will just release the data.
Organizations that fall victim to this type of attack should gather all relevant information from emails and servers and then contact law enforcement, said Kuhn.
Here are some measures companies can take to avoid becoming a victim, according to IBM Security:
1) Run regular vulnerability scans on all websites and systems.
2) Do penetration testing to help find vulnerabilities before criminals do.
3) Use intrusion prevention systems and web application firewalls.
4) Test and audit all web application code before deploying it.
5) Use technology to monitor data and detect anomalies.
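Measures 3 and 5 both come down to looking at what reaches the web tier and what leaves it. As an added illustration, not part of the IBM report, the script below runs two simple checks over a few constructed web-server access-log lines (the IP addresses, paths, timestamps and byte counts are all invented): a signature match for injection-shaped query strings after percent-decoding, and a response-size check, since a database dump through a product page produces a response far larger than that page normally returns. The `baseline_bytes` threshold is an assumed value a real deployment would derive from its own traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in common log format; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2016:10:01:02 +0000] "GET /product?id=42 HTTP/1.1" 200 5120
203.0.113.10 - - [12/May/2016:10:01:05 +0000] "GET /product?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 98304
203.0.113.10 - - [12/May/2016:10:01:09 +0000] "GET /product?id=42%20UNION%20SELECT%20email,card_last4%20FROM%20customers HTTP/1.1" 200 131072
198.51.100.7 - - [12/May/2016:10:02:11 +0000] "GET /search?q=blue+shoes HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Signatures for the two most common injection shapes: a quote-closing
# tautology and a UNION-based pull of another table, plus trailing comment
# markers used to discard the rest of the original statement.
INJECTION_PATTERNS = {
    "tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=", re.I),
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"(--|/\*)\s*$"),
}


def parse_line(line):
    """Split one common-log-format line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    # Decode percent-encoding so signatures are matched against what the
    # application actually parsed, not the encoded form on the wire.
    rec["query"] = unquote_plus(urlsplit(rec["target"]).query)
    return rec


def flag_injection(rec):
    """Return the names of every signature that matches the decoded query string."""
    return [name for name, pat in INJECTION_PATTERNS.items() if pat.search(rec["query"])]


def analyze(log_text, baseline_bytes=8192):
    """Return one alert per request that matches a signature or returns an oversized body."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = flag_injection(rec)
        # A signature hit on a response far larger than the page normally
        # serves is the strongest indication that data actually left.
        oversized = rec["bytes"] > baseline_bytes
        if hits or oversized:
            alerts.append(
                {
                    "ip": rec["ip"],
                    "timestamp": rec["ts"],
                    "query": rec["query"],
                    "bytes": rec["bytes"],
                    "signatures": hits,
                    "oversized_response": oversized,
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample, the two requests from 203.0.113.10 trip both checks and the ordinary product and search requests trip neither. A signature-only detector is the logic a web application firewall applies inline; pairing it with the response-size anomaly is what lets a monitoring system tell a probe that failed apart from one that pulled the table, which is the distinction that matters when deciding whether an extortion email's claim to hold your data is credible.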