warning DDoS Attack Blackmail Email

frank-germany
Hello, I received this email today.

What can I do?



We are Anonymous hackers group.
Your site xxxxx.com will be DDoS-ed starting in 24 hours if you don't
pay only 0.05 Bitcoins @ xxxxxxxxx

Users will not be able to access sites host with you at all.


If you don't pay in next 24 hours, attack will start, your service going down permanently.
Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.

If you report this to media and try to get some free publicity by using our name,
instead of paying, attack will start permanently and will last for a long time.

This is not a joke.

Our attacks are extremely powerful - over 1 Tbps per second.
No cheap protection will help.

Prevent it all with just 0.05 BTC @ xxxxxxxxxxxxxx

Do not reply, we will not read. Pay and we will know its you.

AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
 
I found a sample of a similar email with headers included. It looks like it was sent from a compromised website through a compromised VPN, but I can't be sure. The IP address of the VPN was 194.243.107.146; it looks like it goes to an old, vulnerable WatchGuard device in Italy. There are at least two domains that have that IP address as an A record: jolly[.]us and pixelprocessor[.]us. Neither has WHOIS privacy, but they are under different registrants at different registrars. The email address for pixelprocessor has a hostname of craniumpro.com, which has a pretty interesting notice on it. Keep in mind that vulnerable devices are often compromised and used by multiple hackers with no knowledge of each other, so even if that notice is true, it's quite possible that it's a different spam effort. Also, hackers who acquire compromised devices will often rent usage to other hackers, so it's also possible we're already seeing at least three unique parties involved here whose only affiliation with each other is a brief, anonymous business exchange.

@NameZest I'm not interested in a confrontation; however, it's important that you're aware that the information you're spreading is both dangerous and almost entirely incorrect.
 
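The header analysis in the post above is done by hand. As an added example (not code from the thread or from Paul's analysis), the script below does the same walk in Python: it pulls the source IP out of each Received: header, skips loopback and RFC 1918 hops such as a local PHP mailer handing off to its own MTA, and reads the X-PHP-Originating-Script header that PHP's mail() adds when mail.add_x_header is enabled, a common sign that a web script on a shared host sent the message. The raw message is constructed; hostnames and IPs are documentation placeholders. Only the topmost Received: line, written by your own mail server, is trustworthy; everything beneath it was supplied by the sender's side and can be forged.

```python
"""Walk an email's Received: chain and report the hop that injected it.

Added example, not code from the thread. The raw message below is
constructed; its hostnames and IPs are documentation placeholders.
"""
import ipaddress
import re
from email import message_from_string
from email.policy import default

# Constructed sample: a PHP mailer on a compromised web host submits the
# message to its own MTA over loopback, which relays it to the victim's MX.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTP id ABC123
\tfor <owner@victim.example>; Fri, 23 Jun 2017 06:40:01 +0000
Received: from webhost.example.com (webhost.example.com [198.51.100.23])
\tby mx.example.net with ESMTPS id XYZ789; Fri, 23 Jun 2017 06:39:58 +0000
Received: from localhost (localhost [127.0.0.1])
\tby webhost.example.com (Postfix) with ESMTP id 1234; Fri, 23 Jun 2017 06:39:57 +0000
X-PHP-Originating-Script: 1001:mailer.php
From: "Anonymous" <noreply@webhost.example.com>
To: owner@victim.example
Subject: DDoS

We are Anonymous hackers group.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Hops inside these ranges are internal plumbing (loopback, RFC 1918,
# link-local) and cannot be the sending host's public address.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def received_hops(raw):
    """Bracketed source IP of every Received: header, newest hop first."""
    msg = message_from_string(raw, policy=default)
    hops = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(header))
        if match:
            hops.append(match.group(1))
    return hops


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def originating_ip(raw):
    """Earliest public hop in the chain, i.e. the host that injected the mail.

    Received: headers are prepended, so the chain is read bottom-up. Only the
    topmost header was written by your own server; lower ones may be forged.
    """
    for ip in reversed(received_hops(raw)):
        if not is_internal(ip):
            return ip
    return None


def php_originating_script(raw):
    """Value of X-PHP-Originating-Script if present (added by PHP's mail()
    when mail.add_x_header is on): a hint that a web script sent the mail."""
    msg = message_from_string(raw, policy=default)
    return msg["X-PHP-Originating-Script"]


if __name__ == "__main__":
    print("hops (newest first):", received_hops(SAMPLE_RAW))
    print("injected at:", originating_ip(SAMPLE_RAW))
    print("PHP script:", php_originating_script(SAMPLE_RAW))
```

On the constructed message the chain is 203.0.113.10 (the victim's inbound relay), 198.51.100.23 (the web host) and 127.0.0.1 (the PHP mailer), so the web host is reported as the injection point; the X-PHP-Originating-Script value then tells you which script on that host to look at.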
> @NameZest I'm not interested in a confrontation; however, it's important that you're aware that the information you're spreading is both dangerous and almost entirely incorrect.
What are you smoking?



Your prior post, before this quoted one, was, however, way out there.
Your last post made lots of assumptions, over a dozen by my count, and I guess you know more about security and the full communications infrastructure and how it operates than people with real knowledge of it.
Also, a Bitcoin address will give you nothing, as even kids know never to use the same Bitcoin address, which is why programs like EternalBlue were made to begin with; it was cryptology/anticryptology.
FYI, a real hacker could break most encryption with 2 real strings or less if they were really good, in a relatively small amount of time, especially with the processing power of all the systems connected to a botnet, which is where denial of service attacks get their strength from, due to the number of simultaneous connections that can and will overload the target system by simple port flooding or a brute force attack normally directed at the user login. The real result of that would be a server restart, at which point an overwhelmed system would have been cracked.

Using traceroute (I am presuming you did, or read that someone else did, in the sample you mentioned) will give you the last 2 hops: the IP of the last server to process the info and the IP of the system it came from; all the hops before that are pretty much lost.
It's not the same as a traceroute 20 years ago, when most people dialed up to get online, making their real phone number visible along with home address, ISP, etc., because it would show all hops and server requests from origin to endpoint.

Combine that with the fact that cell phones are now connecting to everything and are not at all secure; no one knows how many cell phones are already breached. Computer prices tanked and cell phone prices have risen, because most people are glued to their phones with little to no knowledge of them, let alone the true damage they can cause. It's not so much computers doing the damage as it is the phones.

Another fact is that a real hacker would not email you asking for anything when they can simply take your whole network (even a virtual one) and everything on it without you knowing, just because someone didn't secure all the devices connecting to it. And by the time it was discovered, it would be far too late.
BTW, you can easily stop piggybacking by only allowing certain MAC addresses access to your network, combined with regularly changed passwords. And do yourselves a favor: set up all networks as public/untrusted.
Also, SMB is still in Windows 10.

Those are facts, @Paul Buonopane. "Keep in mind that vulnerable devices are often compromised and used by multiple hackers with no knowledge of each other"...??? Sorry m8, but...
That is a load of crap; surely you mean people with compromised devices have no clue until it is discovered, if it is discovered at all. Yet another fact.
My info comes from real security experience, not from running a Google search or checking Wikipedia. But I suppose everything I said is totally incorrect.
No, Paul, I told it as it is by sharing some real info. And in security you are a noob. We all have things we excel in, and I was not being rude.
 
@NameZest, you're getting off-topic. I appreciate that you're trying to help, but it's not constructive. No, I didn't run a traceroute, lol.

@frank-germany sent me a copy of the email, including headers. It was indeed sent by a compromised website, and that website has in fact been compromised by a large number of people; it's impossible to tell which one sent the email. In fact, it's quite likely that someone entirely different stumbled upon the server after it had been compromised and used the existing backdoor to send the spam.

Here's a screenshot of the primary web shell--the interface that a hacker would use to launch attacks and install additional malware. There are several other shells present, some likely from other hackers. The one pictured here is pretty rare and Indonesian in origin. I've censored some information because I don't want people poking around until I've finished, but it shouldn't be that hard to find the shell from the screenshot anyway.

[screenshot: upload_2017-6-23_7-2-14.png]


You can see additional shells installed to the same directory when I scroll down:

[screenshot: upload_2017-6-23_7-3-38.png]


There are mentions of various hacker aliases; none can be attributed directly to the spam campaign because there are multiple people involved here, and there's no way to know how they're related, or whether they were even the same people who sent the spam. Many of these people seem to be focused on website defacement: they compromise websites just to leave their watermark, sort of like tagging. Some of the websites they've compromised have tags from hundreds of other hackers, though this doesn't have nearly that many. The tag that I find most interesting is this one:

[screenshot: upload_2017-6-23_7-8-9.png]


There's also contact information for the person who wrote the shell, which is relevant only because it's such a rare shell. I added the red arrows.

[screenshot: upload_2017-6-23_7-11-50.png]


The Facebook and Google links aren't interesting, but the mail link goes to leohaxor404@@hackermail.com (yes, with two @ symbols). A page like this could easily be used to frame someone else, so take the info here with a grain of salt.

Searching for Cyb3rGh05t's tag did turn up some interesting results, but there are indicators that the skull-with-respirator logo in the image has been adopted as an avatar by multiple people.
 
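The post above describes a compromised web root holding several PHP web shells side by side. As an added example (not code from the thread, and not tied to the specific shells in the screenshots), the scanner below walks a directory tree and flags PHP files that carry generic backdoor indicators: eval() or assert() fed from request parameters, eval() wrapped around base64_decode()/gzinflate()/str_rot13(), command-execution functions fed from request parameters, the deprecated preg_replace /e modifier, and very long base64 literals. The sample files it scans are constructed in a temporary directory; the signature names and file paths are my own. A hit is a lead for manual review, not proof of compromise, and a shell that only obfuscates differently will slip past a signature list like this, so on a real incident compare against a clean copy of the CMS as well.

```python
"""Flag PHP files carrying common web-shell indicators.

Added example, not code from the thread and not tied to the shells in the
screenshots. Signatures are generic patterns seen in PHP backdoors; a hit
is a lead for manual review, not proof of compromise.
"""
import os
import re
import tempfile

# Regex modifiers PHP accepts, used to recognise the /e (eval) modifier.
MOD = r"[imsxuADSUXJ]*"

# Generic indicators: code execution fed by request data, obfuscated payload
# decoding, command execution from request data, preg_replace /e, and very
# long base64 literals.
SIGNATURES = {
    "eval_request": re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "eval_decode": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "exec_request": re.compile(
        r"\b(shell_exec|passthru|system|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
    "assert_request": re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
    "preg_eval": re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/" + MOD + "e" + MOD + r"['\"]", re.I),
    "long_base64": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}

# Constructed sample tree: one clean file, four backdoor-like files, and a
# non-PHP file that must be ignored.
SAMPLES = {
    "index.php": "<?php echo 'Hello'; include 'config.php'; ?>",
    "wp-content/uploads/img.php": "<?php @eval(base64_decode($_POST['z'])); ?>",
    "wp-includes/cache.php": "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
    "tmp/x.php": "<?php $p = \"" + "A" * 260 + "\"; eval(gzinflate(base64_decode($p))); ?>",
    "wp-admin/old.php": "<?php preg_replace('/.*/e', $_POST['x'], ''); ?>",
    "readme.txt": "eval($_GET['a']);",
}


def scan_file(path):
    """Names of the signatures that match the file, sorted."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        content = fh.read()
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(content))


def scan_tree(root, extensions=(".php", ".phtml", ".php5", ".inc")):
    """Map relative path -> matched signatures for every flagged file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path)
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def demo():
    """Write the constructed samples into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run against a real web root, `scan_tree("/var/www/html")` lists the candidates; on the constructed tree it flags four of the five PHP files and leaves index.php alone. Files hidden under upload directories, as in the img.php sample, are the usual place to start because a CMS should never need executable code there.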
@frank-germany you must be an evil/corrupt/power player/etc to be on "anonymous" list..

Never heard of "them" extorting average people for money..

Glad you didn't fall for it and are doing something about it.
 
> @frank-germany you must be an evil/corrupt/power player/etc to be on "anonymous" list..
>
> Never heard of "them" extorting average people for money..
>
> Glad you didn't fall for it and are doing something about it.

it looks like they hijacked their reputation ..
I am just a nice/ small/ average guy ...!! ;)
 
> it looks like they hijacked their reputation ..
> I am just a nice/ small/ average guy ...!! ;)
"Nice guy etc." isn't that what all the bad guys say? Lol, just kidding.

Yeah, (my opinion) is that it is part of the "bad guy" game, using other people's reputation... seen lots of 'malware' claiming that it is from the FBI/RCMP/etc..
 
Hackers just say they're Anonymous when they want to scare people or garner media attention.

Often you can tell they're bluffing because they'll reuse the Bitcoin addresses; that's what WannaCry did. However, there's no evidence that the address here has been reused; same for the similar sample I found elsewhere.

Of course, they're not going to waste a 1 Tbps botnet on a parking page--that's too much attention for too little a reward. If they were serious, they'd DDoS you first, then email you while the site's down.

1 Tbps for an extended period would cost ISPs millions. It wouldn't go unnoticed; someone would be waking up to a SWAT team knocking on their door.
 
> Often you can tell they're bluffing because they'll reuse the Bitcoin addresses; that's what WannaCry did. However, there's no evidence that the address here has been reused; same for the similar sample I found elsewhere.

Does the Bitcoin address @frank-germany received match the Bitcoin address in below (linked) related thread? (Assuming @mr-x received a different email)

https://www.namepros.com/threads/new-scam-ddos-threat.1025903/
> Domain name is parked at SEDO. Dumbasses didn't bother to look at the DNS. Email originated from Godaddy server.
> --
>
> We are Anonymous hackers group.
> Your site __________ will be DDoS-ed starting in 24 hours if you don't pay only 0.05 Bitcoins @ 14S5mYshjvw65aG6savw8m6yPAjKt9PV8s
> Users will not be able to access sites host with you at all.
> If you don't pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
> If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
> This is not a joke.
> Our attacks are extremely powerful - over 1 Tbps per second. No cheap protection will help.
> Prevent it all with just 0.05 BTC @ 14S5mYshjvw65aG6savw8m6yPAjKt9PV8s
> Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
> Bitcoin is anonymous, nobody will ever know you cooperated.
 
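Two posts above raise the same practical question: does the Bitcoin address in one extortion sample show up in another? As an added example (not code from the thread), the script below does the offline half of that check: it extracts legacy '1...'/'3...' addresses from a set of email texts with a regex, verifies each one's Base58Check encoding (version byte, payload, double-SHA256 checksum) so a typo or a decoy string is not mistaken for a payable address, and groups samples that share an address. The mr-x sample is the text quoted above; the "constructed-*" samples and the synthetic address (hash160 of bytes 0x00..0x13) are made up to show what a cluster looks like. Whether an address has actually received payments still needs a block explorer; that is not checked here.

```python
"""Extract Bitcoin addresses from extortion emails, check their encoding and
group samples that share one.

Added example, not code from the thread. The mr-x sample is the text quoted
in the thread; the other samples are constructed. Payment history is not
checked here; that needs a block explorer.
"""
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy P2PKH ('1...') and P2SH ('3...') addresses, the formats in common
# use at the time of the thread (2017).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(version, payload):
    """Base58Check: version byte + payload + 4-byte double-SHA256 checksum."""
    data = bytes([version]) + payload
    data += sha256d(data)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    leading_zero = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zero + out


def b58check_decode(text):
    """Inverse of b58check_encode; raises ValueError on a non-Base58 character."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_one = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_one + body


def is_valid_address(addr):
    """True if addr decodes to 25 bytes with a mainnet version and a good checksum."""
    try:
        raw = b58check_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    return sha256d(raw[:21])[:4] == raw[21:]


def extract_addresses(text):
    return sorted(set(BTC_RE.findall(text)))


def cluster_by_address(samples):
    """Map address -> sorted names of the samples that mention it."""
    clusters = {}
    for name, text in samples.items():
        for addr in extract_addresses(text):
            clusters.setdefault(addr, []).append(name)
    return {addr: sorted(names) for addr, names in clusters.items()}


# Constructed address with a valid encoding (hash160 = bytes 0x00..0x13).
SYNTHETIC_ADDR = b58check_encode(0x00, bytes(range(20)))

SAMPLES = {
    # Quoted in the thread from https://www.namepros.com/threads/new-scam-ddos-threat.1025903/
    "mr-x": "Your site __________ will be DDoS-ed starting in 24 hours if you don't "
            "pay only 0.05 Bitcoins @ 14S5mYshjvw65aG6savw8m6yPAjKt9PV8s",
    # frank-germany redacted his copy, so nothing can be extracted from it.
    "frank-germany": "pay only 0.05 Bitcoins @ xxxxxxxxx",
    # Constructed: a later sample reusing mr-x's address joins his cluster.
    "constructed-reuse": "Prevent it all with just 0.05 BTC @ 14S5mYshjvw65aG6savw8m6yPAjKt9PV8s",
    # Constructed: a different campaign with its own address.
    "constructed-other": f"pay 0.1 BTC to {SYNTHETIC_ADDR} within 48 hours",
}


if __name__ == "__main__":
    for addr, names in cluster_by_address(SAMPLES).items():
        print(f"{addr} valid={is_valid_address(addr)} seen_in={names}")
```

Feed it a directory of samples instead of the dictionary and the clusters with more than one member are the campaigns to look up on a block explorer; a redacted sample like frank-germany's contributes nothing, which is a reason to keep the address in reports even if the rest of the mail is trimmed.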
Nice work @Paul Buonopane. I have had three sites destroyed these past few months and took the easiest way out: I simply erased them and reinstalled WP. I am not qualified, nor do I want to risk my own systems, to figure out any of the details or the origin, though Wordfence warned me and reported the IP address in Turkey on the last one. One site had been purchased on Flippa, so the previous owner/seller might have been compromised. When or if this happens in the future, do you want to dig into it? Not sure if this is a hobby or something you regularly do. Thanks again for posting all those details; it's a lot of work.
 
@offthehandle Sure, I collect samples and occasionally unearth something useful. On a lucky day, that means new vulnerabilities these hackers are exploiting can be patched. Historically, WordPress has had mixed responsiveness to my reports, though, especially since most vulnerabilities aren't exposed directly by WordPress, but rather popular plugins. In one case, WordPress offered a vulnerable function to plugins. They expressed initial interest in the vulnerability report, but stopped communicating once it was clear what the vulnerability was. It was eventually patched, but it took them longer than it should've, and there wasn't a proper public disclosure on their end.
 
Thank you! WP probably wants to avoid the bad PR, hence their lack of response and minimal disclosure. But no excuses for them; they should at a minimum communicate with those like yourself and be grateful for your input. I find Wordfence publishes very timely notices about vulnerabilities, so perhaps collaborating with them instead would be an alternative? Ok, I will keep that in mind. The defacing campaigns are really annoying, and WordPress seems like a central target for small businesses. I still like and prefer HTML though, being old school.
 
If you have the technical know-how, Jekyll is a much more secure platform for static content. It's also simpler, with the potential to be more powerful than WordPress for anything data- or content-oriented. GitHub Pages will host Jekyll sites for free, no ads; the catch is that your site has to be open source. (Or you can pay and keep it closed, but there's really no point if it's static, because someone can just scrape it anyway.) The downside to Jekyll if you're coming from WordPress is that it's newer and doesn't have nearly as many premade templates, so you usually have to get your hands dirty with code.

Jekyll generates all the pages ahead of time, rather than on each request like WordPress and most other CMSes. This means there isn't any dynamic PHP or SQL on the server to exploit.
 
> If you have the technical know-how, Jekyll is a much more secure platform for static content. It's also simpler, with the potential to be more powerful than WordPress for anything data- or content-oriented. GitHub Pages will host Jekyll sites for free, no ads; the catch is that your site has to be open source. (Or you can pay and keep it closed, but there's really no point if it's static, because someone can just scrape it anyway.) The downside to Jekyll if you're coming from WordPress is that it's newer and doesn't have nearly as many premade templates, so you usually have to get your hands dirty with code.
>
> Jekyll generates all the pages ahead of time, rather than on each request like WordPress and most other CMSes. This means there isn't any dynamic PHP or SQL on the server to exploit.

Thanks once again. I need to take a look to see if I could use it. Is Jekyll friendly with Google for SEO? WordPress, I have been told, is good for SEO; I have yet to realize it. However, I still have little ranking on a few longtails for a large WP site I own that Google scraped, and used my data, ranked other stuff and ignored my site and spit me out. I am still angry, lol. Stuck at the moment as far as what to tackle.
 
Someone's watching this thread. :~) We just got hit with a spear phishing attempt. Commendable effort on their part; it's pretty convincing. (This isn't the real Cloudflare login page.) Time to call in the big guns?

[screenshot: upload_2017-6-23_15-51-25.png]
 
The phishing page is using Cloudflare. It took less than two minutes for Cloudflare to blacklist the domain after we contacted them:

[screenshot: upload_2017-6-23_16-21-22.png]


Edit: Actually, looks like they blocked it while we were typing the request. They replied that the issue had been escalated about two minutes later, at which point I noticed the site was blacklisted. Here was the follow-up their safety team sent a few minutes later:

Hello,

Thank you for the email.

We have already addressed this from Cloudflare's side -- a warning interstitial page is in place. We've notified the host and registrar of this phishing page also.

Thank you for your concern, and for reaching out regarding this issue.

Thanks,
Justin
 
Wow. This past 6 months have really opened my eyes to a lot.
 
Sounds like a far-reaching bluff. But regardless, it's always good to have protection. We built a fence to protect the house, not just to protect against the people who make threats. With what's going on nowadays, we need to build a fortress to protect our sites.

Obtain a public cloud service account at one of the hosting companies that come with advanced DDoS protection. Move your site to such a host and get a redundant account with replication on a separate IP. Create a round-robin configuration on whichever DNS servers you use. This way, if the main site goes down, your second site will stay up until the main site is fixed.

OVH offers DDoS protection for almost all of their services. I also looked at Google Cloud and others, but so far OVH seems to be the cheapest with the provided features. They are not the cheapest in terms of hosting options (memory, disk, etc.).

Stay away from companies like BlueHost. They are among the worst. At the first sign of DDoS, they will shut down your service and make you move elsewhere. GoDaddy used to do that too, but I have not heard about them doing so for the past two years.

OVH also has an edge firewall but does not have auto-ban of attacking IPs. You can install a firewall application like pfSense as a virtual machine and enable auto detection to ban the attacking IPs.

It may be a waste of time, but copy the info from the header and forward it to the proper authorities in your country. They may or may not keep track of these scammers/spammers. It takes time to build a defense for your sites, but the effort is so worth it in the long run and gives you peace of mind.

Hope that helps.
 
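The "auto-ban attacking IPs" step above is, underneath, a rate detector over request logs. As an added example (not pfSense, fail2ban or OVH code), the script below runs that logic over constructed Common Log Format lines: it keeps a sliding window of timestamps per client IP, flags an IP the moment it exceeds the threshold within the window, and emits pfctl commands that would add each offender to a pf table (the table name "attackers" is an assumption). The IPs are documentation placeholders. This stops a single abusive client, the focused kind of attack a customer-managed firewall can handle; as a later reply in the thread notes, a volumetric flood from thousands of sources has to be absorbed at the provider's edge or upstream, and no host-level ban list will keep the link from saturating.

```python
"""Sliding-window request-rate detector over web server access logs.

Added example for the "auto-ban attacking IPs" step; not pfSense, fail2ban
or OVH code. Log lines are constructed; IPs are documentation placeholders.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common/Combined Log Format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
BASE = datetime(2017, 6, 23, 6, 40, 0, tzinfo=timezone.utc)


def parse_line(line):
    """(ip, timestamp) for a CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_offenders(lines, threshold=20, window_s=10):
    """Map ip -> time it first exceeded `threshold` requests inside any
    `window_s`-second sliding window. Lines must be in time order."""
    recent = defaultdict(deque)
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > threshold:
            banned[ip] = ts
    return banned


def ban_commands(banned, table="attackers"):
    """pfctl commands adding each offender to a pf table (illustrative; the
    table name is an assumption, not a pfSense default)."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(banned)]


def _line(ip, offset_ms, path="/"):
    ts = (BASE + timedelta(milliseconds=offset_ms)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def constructed_log():
    """Constructed traffic: one login flood (10 req/s), one fast but legitimate
    client (1 req/s), one normal browser, and one unparseable line."""
    events = []
    events += [(i * 100, _line("203.0.113.7", i * 100, "/wp-login.php")) for i in range(50)]
    events += [(i * 1000, _line("192.0.2.99", i * 1000, f"/img/{i}.png")) for i in range(15)]
    events += [(i * 12000, _line("198.51.100.4", i * 12000)) for i in range(5)]
    events.append((3000, "garbage line that is not CLF"))
    return [line for _, line in sorted(events, key=lambda e: e[0])]


if __name__ == "__main__":
    offenders = find_offenders(constructed_log())
    for ip, when in offenders.items():
        print(f"{ip} exceeded threshold at {when.isoformat()}")
    for cmd in ban_commands(offenders):
        print(cmd)
```

With the defaults only the 10-requests-per-second client is flagged, two seconds into its burst; lowering the threshold to 10 also catches the 1-request-per-second client, which is the false-positive trade-off any auto-ban rule has to be tuned for.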
After Cloudbleed, weirdos have been using much of the exploited data to send spam and extortion attempts to customers... CMS scripts get a lot of the blame for what many admins/devs fail to do: harden the site/app/server.
Relying on a browser-accessible script to handle content 'securely' is lazy when there are so many default ports/settings/configs that are well known on web servers/firewalls/etc. Plus, how would one know if the host's ISO image is compromised without compiling/verifying it personally? How would one know if someone at the host is compromised, selling customer data [in bulk] themselves to 'anonymous'?

On top of that, typically software installed on FCC-compliant hardware is already compromised [by law] despite any best efforts made within the software. And nowadays, with refrigerators and baby monitors having Wi-Fi connections, actors like the Dark Army can send infinite requests from home IP addresses, creating the nightmare 1TB/sec situation on the fly against any target. And don't forget where most chips/hardware are produced...
 
The geek inside of me is loving this thread (y)
 
> How would one know if someone at the host is compromised, selling customer data [in bulk] themselves to 'anonymous'?

In 1998 a competitor purchased a co-located server with the same company hosting ours. He bribed the owner for access to our server. A guy I had worked with for two years copied, then deleted, our subscription website.

We moved to a "secure" hosting company. A few months later, on a long holiday weekend, "someone" launched a duplicate of our website, poisoned the DNS and collected leads and customer information.
 
> OVH offers DDoS protection for almost all of their services. I also looked at Google Cloud and others, but so far OVH seems to be the cheapest with the provided features. They are not the cheapest in terms of hosting options (memory, disk, etc.).

OVH has great prices and decent service, but their DDoS protection is garbage, sadly. They've been working hard on improvements, but their peering leaves much to be desired. They picked a lousy location for their American datacenter that requires running lines across international borders. It's taken them years to get the necessary permits, and I don't even know that they've finished that stage. I'm pretty sure they've finally begun construction, but I don't remember for sure.

> Stay away from companies like BlueHost. They are among the worst. At the first sign of DDoS, they will shut down your service and make you move elsewhere. GoDaddy used to do that too, but I have not heard about them doing so for the past two years.

Yeah, there are only a handful of good providers out there, and they're all very expensive. OVH offers a good balance between price and quality, but don't expect perfection. If you want reliability, good SLAs, good networking, and high availability, you're pretty much limited to AWS, GCP, Rackspace, Azure, and OpenShift. For the most part, I stay away from anyone that offers shared hosting. If you're not comfortable managing your own servers without the likes of cPanel/WHM or Plesk, shared hosting is acceptable, but it's a sign that a hosting provider is focusing on small sites.

> OVH also has an edge firewall but does not have auto-ban of attacking IPs. You can install a firewall application like pfSense as a virtual machine and enable auto detection to ban the attacking IPs.

You can't block real DDoS attacks with your own firewall; the hosting provider has to block it either at their edge or upstream, depending on the size. Customer-managed firewalls are for blocking more focused attacks. OVH claims to have an automated system in place to block abusive traffic upstream, but I've never seen it function properly, at least at their American datacenter.

> It may be a waste of time, but copy the info from the header and forward it to the proper authorities in your country. They may or may not keep track of these scammers/spammers. It takes time to build a defense for your sites, but the effort is so worth it in the long run and gives you peace of mind.

Unfortunately, the headers aren't that useful here because it came from a compromised web server. I checked the web server, but it had been used by numerous hackers and was pretty much open to anyone who stumbled upon it; it's impossible to tell who did what after-the-fact. They're important evidence, but they're not going to catch any bad guys on their own.
 
There are a few ethics in Anon, and this doesn't sound like them; more of a mass spam email. Copy and paste a bit of it into Google and see what others are getting.
 