PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money
On January 19th, 2023, a member of the Wordfence Threat Intelligence team received an email from their personal blog, claiming the site had been hacked, and we received two reports from Wordfence users who received the same message. The email claimed that the site had been hacked due to a vulnerability on the site. The email went on to demand about $3,000 worth of Bitcoin to prevent the malicious actor from damaging the site’s reputation. This is of course only a scare tactic, and not a true cause for concern. The site was not actually hacked.
This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are being sent by a threat actor, or a bot they control, through the contact forms of targeted websites. Because we do not have data on emails submitted directly through contact forms, this campaign is likely to be significantly more prolific than the numbers we have available suggest.
The message in question, which can be seen below in its email form, is a scare tactic that is used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other potential consequences the vague threat may conjure up in the site owner’s mind.
From: Manie Hedin <hacker@sludgepool.org>
Subject: Your Site Has Been Hacked
Message Body:
Your Site Has Been Hacked
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website https://<victimsite>.com and extracted your databases.
How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.
What does this mean?
We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://<victimsite>.com was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.
How do I stop this?
We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).
The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn
So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with "b" and end with "n" is the actually address where you should send the money to.
Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!
How do I get Bitcoins?
You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.
What if I don’t pay?
If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.
This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!
Please note that Bitcoin is anonymous and no one will find out that you have complied.
While this extortion campaign may not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be updated with the latest security updates to patch known vulnerabilities. Even with everything updated, there may be vulnerabilities that are not publicly known and do not have an available patch. For this reason, a website security solution that includes a web application firewall (WAF) that can block common exploits, such as Wordfence, should be implemented.
Cyber Observables
While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts.
Email Address
hacker@sludgepool[.]org
Bitcoin Address
bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn
IP Addresses
138.199.18.140
138.199.18.61
212.102.57.5
216.24.216.249
212.102.57.24
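The observables above can be combined into a simple triage check for incoming contact-form submissions, including reassembling the Bitcoin address the scam message deliberately splits over two lines. This is an added example, not Wordfence code; the two sample submissions are constructed, and the field names (sender, source_ip, body) are assumptions about how a form handler exposes them.

```python
from __future__ import annotations
import re

# Observables published in the post (sender address, Bitcoin address,
# submitting IP addresses). Lower-case for case-insensitive comparison.
KNOWN_SENDERS = {"hacker@sludgepool.org"}
KNOWN_BTC = {"bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn"}
KNOWN_IPS = {"138.199.18.140", "138.199.18.61", "212.102.57.5",
             "216.24.216.249", "212.102.57.24"}

# The scam message splits the payment address over "Part 1" / "Part 2" lines,
# so a naive substring match on the full address misses it; stitch it back.
PART_RE = re.compile(r"Address Part\s*(\d)\s*:\s*([A-Za-z0-9]+)", re.I)


def reassemble_btc_address(body: str) -> str | None:
    """Join 'The Address Part N:' fragments in numeric order; None if absent."""
    parts = {int(n): frag for n, frag in PART_RE.findall(body)}
    if not parts:
        return None
    return "".join(parts[k] for k in sorted(parts))


def classify_submission(sender: str, source_ip: str, body: str) -> list[str]:
    """Return the indicators from the post that this submission matches."""
    hits = []
    if sender.lower() in KNOWN_SENDERS:
        hits.append("sender")
    if source_ip in KNOWN_IPS:
        hits.append("ip")
    addr = reassemble_btc_address(body)
    if addr and addr.lower() in KNOWN_BTC:
        hits.append("btc_address")
    # Wording the post quotes; weak on its own, so it is reported separately.
    if re.search(r"Your Site Has Been Hacked", body, re.I):
        hits.append("subject_phrase")
    return hits


# Constructed sample: a submission mirroring the quoted scam message.
SCAM = dict(sender="hacker@sludgepool.org", source_ip="212.102.57.5",
            body=("Your Site Has Been Hacked\n"
                  "The Address Part 1: bc1qe4xvhksgapl3p76mm\n"
                  "The Address Part 2: fz7thdnmkeuxry08kjhcn\n"))
# Constructed sample: an ordinary enquiry that should match nothing.
BENIGN = dict(sender="jane@example.com", source_ip="203.0.113.7",
              body="Hi, is the blue jacket back in stock? Thanks, Jane")

if __name__ == "__main__":
    print(classify_submission(**SCAM))    # ['sender', 'ip', 'btc_address', 'subject_phrase']
    print(classify_submission(**BENIGN))  # []
```

Because the IP addresses also carry legitimate traffic, treat an IP-only hit as a hint to review rather than a reason to block.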
Conclusion
In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.
Even though this is a scam, if you would like additional assurance that your site has not been compromised, you can follow our guide to cleaning a hacked site or use Wordfence Care or Response for a complete site audit, around-the-clock security monitoring, and unlimited site cleanings if your site is ever compromised. Both products include hands-on support in case you need further assistance.
This article was written by Topher Tebow, a former Wordfence Threat Researcher.
Comments
12:29 pm
I had the same scam email sent through my website's contact form and completely ignored it. I also reported it to the FBI's Cyber Crimes section. Unfortunately, some people will fall for it in a panic and pay up.
1:19 pm
Fear is definitely a common motivator in these types of campaigns. I'm glad to hear you caught it and reported it when you saw the email!
12:38 pm
Checking the bitcoin address provided, no one has sent any bitcoin to it (thankfully) yet.
https://mempool.space/address/bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn
1:28 pm
Hopefully it stays that way!
12:43 pm
I'm so pleased to see this post. I actually received this email in Nov last year and it coincided with a downturn in my traffic, which I knew was seasonal, but still I had that lurking feeling that maybe this could have been real after all. I had done everything I could at the time of receiving to validate that my site was in fact ok. It's also when I upgraded to Wordfence premium! It's an awful feeling when these things turn up in your inbox.
1:30 pm
It can definitely be scary to see an email like this, but it's great that you were prepared!
4:33 pm
Hi! I think that if a cybercriminal really has access to the database, he would send some evidence, for example, the table prefix in the database or some other that only the database admin could know. If the criminal submits inconsistent evidence or no evidence at all, it is obviously a hoax... Greetings
6:28 am
Unfortunately, people fall for these scams all the time. Hopefully by educating people, we can make the job of these scammers harder!
12:54 am
Yeah a customer of mine got it too on Saturday morning, totally panicked as you would expect. It was a little different for us as there seemed to be changes made to the website. Clicking on any link took us to a cookie popup which we didn't have on the site. Once accepted it went to a page where there were links to similar websites with similar names.
I had a backup so just restored it, changed all passwords for Admins and installed 2FA. Seems to be ok now.
8:01 am
Hi Ruairi, thanks for the reply. It's great you had a backup to restore from and updated your Admin credentials and login requirements. I would also recommend updating your cPanel/SFTP passwords, as well as the database password, in case any of those were compromised.
10:56 pm
Thank you so much for sharing this! I am a small business owner and I also got a comment with this extortion on my site. I can’t see that I’ve also been sent the actual extortion email, but having this popping up when you log in is of course very stressful!
I already had Wordfence Premium in place so I ran a scan + changed the admin credentials.
In case you are still looking further into this at Wordfence, I can provide the following information: the extortion comment on my site came from the IP address 5.253.204.132, it was posted on October 22, 2022 at 23:55 in the name of a "Tommy Dalley" and the email no-reply@tabelamalzemecim[.]com
12:15 am
Nice Info
8:38 am
Thanks for posting this.
1. Did Team Wordfence incorporate the noted, malicious IPs into its IP-blocking database? How soon was action taken after the discovery and confirmation?
2. When posting an article like this, it would be nice to know what action Team Wordfence took to help protect its customers' websites (e.g., add a section to your article, titled "Action Taken by Wordfence" or similar).
Again, thank you.
9:45 am
In this case, the IP addresses in question deliver both legitimate and potentially malicious traffic, making a block on the addresses impractical and unjustified. They can, however, be used as an indicator along with other factors like the submitted email address to confirm if an email received was a part of this campaign. As far as action taken, when we became aware of the scam email, we chose to raise awareness by writing this post, in hopes that it will help our readers to avoid panic and stop them from sending money to a cybercriminal. As this campaign relies on email to spread its message, the best way to fight it is through email filtering.
12:01 pm
Thanks, Topher!
One final comment:
We found this article by happenstance. So, as a suggestion, it would be helpful if you guys can push a special notification to your plugin when a severe and/or significant security breach has been identified or reported. The special notification can be a "one-liner" with a link to your related article or blog. A settings option can be added to the plugin as well to disable these special notifications.
Details: https://prnt.sc/-hEyp9xdcXlp
Again, thank you.
10:54 am
Hi AeroStar, thanks for the suggestion. In this case, an alert was not called for, as there is no breach involved. Essentially, what is going on here is a threat actor using scare tactics by submitting emails to site administrators, but with no actual breach or exploit attempts.