Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

“Your Site Has Been Hacked” – Fraud Attempt or Reality?
Nadia Meichtry
Nadia Meichtry
|
26.04.2023
(updated on: 09.09.2024)

Ransomware is currently what everybody is talking about. Everyone fears becoming a victim and bearing the consequences for their reputation as well as the financial impact of it.

“Your Site Has Been Hacked” – Fraud Attempt or Reality?

The scam

The blackmailers send e-mails claiming that they have hacked the company’s website and stolen data that they will publish on leak websites, if the ransom is not paid. E-mails like this are sent by blackmailers en masse.

For companies, the main threat is that their data will be published after their website is compromised. They can only prevent this by paying a certain amount of Bitcoin.

Is this a serious statement or just a bluff? This article is about how to deal with and counteract extortionist scams.

Procedure – Analysing the E-Mail

The Oneconsult International Computer Security Incident Response Team (OCINT-CSIRT) was contacted by a company that had received such an extortion e-mail (see Figure 1). Allegedly, the company’s website had been hacked and they had to pay a ransom to prevent the publication of the stolen data.

E-Mail "Your Site Has Been Hacked"
Figure 1: E-Mail “Your Site Has Been Hacked”

The client asked us to analyze the e-mail to find out if and how to respond to it.

Since the e-mail was not forwarded as an attachment, the e-mail header information was not available for analysis. In such a case, only a brief examination of the e-mail based on the information contained in the text is possible. So there is only the email address and the two parts of the bitcoin address (see red boxes on figure 1) of particular interest and great importance for the analysis.

First, the e-mail address in question was checked on several online services, including emailrep.io. This revealed that the e-mail address is undeliverable and, moreover, the associated domain has a negative reputation.

The Bitcoin address was then searched for on the website bitcoinabuse.com. As shown in Figure 2, it is clearly indicated that this was a scam. Additionally, it was found that the same text was reported multiple times in connection with this Bitcoin address (see Figure 1).

This quickly led to the conclusion that we are facing a scam attempt in this case.

Checking the Bitcoin Address for Bitcoin Abuse
Figure 2: Checking the Bitcoin Address for Bitcoin Abuse

Such emails are sent en masse in the hopes that one of the recipients will be intimidated into paying the ransom. It is recommended that you do not pay the ransom under any circumstances. If you already have, you can file a criminal complaint with the police. You should report the Bitcoin address to both the police and the Bitcoin Abuse platform so that they can trace the transactions on the attackers’ accounts.

Generally, such e-mails can be ignored and deleted. In case of doubt, you can get professional support from a Digital Forensics team. Moreover, you can have your website checked by an expert with a Penetration tests.

Conclusion

Overall, it is important to emphasize that extortion e-mails claiming to have hacked a company’s website and stolen data, can pose a serious threat. However, it is also important to note that many of these e-mails are fraudulent and do not indicate an actual compromise.

As an organization, you are advised to stay vigilant and watch for potential threats. If you have further questions about ransomware attacks or need assistance, you can contact us without any obligation:

Nadia Meichtry

Author

Nadia Meichtry studied Forensics in Lausanne, is certified in GCFA, GREM, GDAT and OPST, and has been working as a specialist in the Digital Forensics & Incident Response team at Oneconsult since 2020.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts