We were just alerted, by a message from the Wordfence Threat Intelligence team, that on January 19th, 2023, they received reports of an extortion campaign targeting personal blogs. The campaign, which began on or around January 18th, involves hackers sending emails to website owners through contact forms, claiming that the site has been hacked and demanding a ransom in the form of Bitcoin. You can read more about it on the WordFence blog.
But, in short, the email claims that your site has a vulnerability that has been exploited and threatens to damage the site’s reputation if the ransom is not paid. However, it is important to note that these emails are simply a scare tactic, and the sites have not been hacked.
It is still essential to take website security seriously and to ensure that WordPress, themes, and plugins stay updated with the latest security updates. Implementing a website security solution that includes a web application firewall (WAF) to block common exploits is also recommended. This is why we stress Website Care Plans to our clients.
The email employs scare tactics to deceive recipients into paying a ransom to prevent the alleged leaking of sensitive information, harm to the website, or any other potential consequences that the ambiguous threat may evoke in the website owner’s mind.
Website owners are receiving a message with the subject line “Your Site Has Been Hacked.” It claims that they have downloaded your database files and will go through a series of steps of totally damaging your reputation using it unless you pay them not to do so through Bitcoin.
Scam Bitcoin Message:
The email being sent may look something like this:
From: Manie Hedin
Subject: Your Site Has Been Hacked
Message Body:
Your Site Has Been Hacked
PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!
We have hacked your website https://
How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.
What does this mean?
We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your https://
How do I stop this?
We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $3000 in bitcoins (0.14 BTC).
The amount(approximately): $3000 (0.14 BTC)
The Address Part 1: bc1qe4xvhksgapl3p76mm
The Address Part 2: fz7thdnmkeuxry08kjhcn
So, you have to manually copy + paste Part1 and Part2 in one string made of 42 characters with no space between the parts that start with "b" and end with "n" is the actually address where you should send the money to.
Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 72 hours after receiving this message or the database leak, e-mails dispatched, and de-index of your site WILL start!
How do I get Bitcoins?
You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM.
What if I don’t pay?
If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.
This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!
Please note that Bitcoin is anonymous and no one will find out that you have complied.
There Is No Actual Threat
Although this extortion campaign poses no actual threat, it is crucial to prioritize website security. Keeping WordPress core, themes, and plugins updated with the latest security updates can patch known vulnerabilities. However, it is important to note that there may be unknown vulnerabilities that don’t have available patches. A website security solution that includes a web application firewall (WAF), such as Wordfence, can help to block common exploits and should be implemented as a precaution.
While this extortion email is still in its initial stages, certain indicators can be utilized to recognize and prevent these extortion attempts. Currently, the following parameters may be in the email, although they can change that up at any time.
- Email Address: hacker@sludgepool[.]org
- Bitcoin Address: bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn
IP addresses that the email may come from include:
- 138.199.18.140
- 138.199.18.61
- 212.102.57.5
- 216.24.216.249
- 212.102.57.24
Conclusion
Though the email extortion campaign poses no genuine danger to the website, it serves as a reminder to regularly update and secure websites. If you aren’t already on a Website Maintenance Care Plan for your website, we suggest you secure one to have peace of mind that your site is always up-to-date and backed up offsite for safekeeping. While the message you receive in this case is likely bogus, there are legitimate hacks out there and they want to use your site for many nefarious reasons. The last thing you want to do is become the victim of a real website hack.
- Google Shakes Up Digital World: Free Website Service No More! - January 8, 2024
- Unleashing the Power of Storyboarding: A Practical Guide to Designing Outstanding Websites - September 20, 2023
- Why Your Business Needs a Professional Web Consultant: A Comprehensive Guide - September 5, 2023
