A hack-and-extort campaign takes aim at poorly secured databases replete with customer information that can be exploited for further attacks
A number of e-commerce websites from multiple continents have had their customer databases stolen as an unknown seller is offering at least 1.62 million rows of personal records for sale on a public website. The online stores – based in Germany, the United States, Brazil, Italy, India, Spain, and Belarus – have also received ransom notes, with the cybercriminals threatening to release the data if the retailers don’t pay up within 10 days.
According to BleepingComputer – which broke the story and listed some of the hacked merchants – the loot may actually be far larger than what has been put up for sale. The siphoned information varies depending on the ransacked retailer and includes email addresses, hashed passwords, postal addresses, gender and dates of birth.
Cybercriminals can use this Personally Identifiable Information (PII) for all manner of nefarious activities, including identity theft or targeted phishing attacks. The least you as a customer can do is to change your password on the site(s) and keep an eye out for suspicious emails.
It remains unclear who the thieves are, but apparently they targeted unsecured or ill-secured servers that can be found on the public web. They copied the stores’ SQL databases and now demand a ransom of 0.06 bitcoin (some US$537 at today’s rate) within 10 days on pain of publishing or using the data as they see fit.
The attackers also offer unspecified proof, which one might assume is a sample of the data. Some of the shops may have taken them up on their word, since the hackers’ BTC wallets have recently recorded transactions amounting to 5.8 bitcoin (approximately US$52,000).
Speaking of which, paying the ransom to a cybercriminal may prove to be a leap of faith, since you have no way of knowing if they won’t sell your data onwards even if they return it. Ransomware victims may face a similar conundrum, as discussed in this article.
BleepingComputer estimates that around 31 stolen databases have been put up for sale. Based on the number of abuse reports filed against the hackers’ bitcoin addresses, the site believes it to be just a fraction of the overall number. The most recent database is from March and each listing contains a sample of the data, so that potential buyers can check the wares.
Given the wealth of personal data that they may store on their customers, e-commerce sites pose a juicy target for bad actors. Hack-and-extort campaigns, meanwhile, are by no means a novel approach and high-profile incidents have affected, for example, well-known names in the entertainment industry, including HBO in 2017. Just days ago, an entertainment law firm also fell victim to a similar attack.