So, we at http://luckyb.it received another extortion attempt, mostly related to our latest "win 5 bitcoin if you guess the world-cup winner" promo.
We thought it better to publish these things, so other site operators are warned.
We had a standard "vulnerability scan" this morning ~7 UTC, coming from 173.233.126.140 (dsl-140.pool2.5.e120.sumt.ftc-i.net).
Dynamic home IP - the whole scan came from the same IP, so it was easy to block and most likely just a kiddy that got hold of some webapp security scanner.
Shortly after that, we received the mail below, coming from 46.19.139.98.
We're of course not giving in to extortion attempts (especially not to such poorly executed ones).
We hope this helps some other site operators - let's get these idiots out in the open.
LuckyBit support
Return-Path:
Delivered-To: [email protected]
Received: from spool.mail.gandi.net (mspool4-d.mgt.gandi.net [10.0.21.135])
by nmboxes10-dc2.mgt.gandi.net (Postfix) with ESMTP id DA70C40C8C
for ; Thu, 26 Jun 2014 09:25:20 +0200 (CEST)
Received: from mfilter20-d.gandi.net (mfilter20-d.gandi.net [217.70.178.148])
by spool.mail.gandi.net (Postfix) with ESMTP id CE53F1421EB;
Thu, 26 Jun 2014 09:25:20 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter20-d.gandi.net
Received: from spool.mail.gandi.net ([10.0.21.135])
by mfilter20-d.gandi.net (mfilter20-d.gandi.net [10.0.15.180]) (amavisd-new, port 10024)
with ESMTP id JCLGuk+ocRFX; Thu, 26 Jun 2014 09:25:19 +0200 (CEST)
Received: from tamar.safe-mail.net (tamar.safe-mail.net [212.29.227.229])
by spool.mail.gandi.net (Postfix) with ESMTPS id 184A4142235
for ; Thu, 26 Jun 2014 09:25:15 +0200 (CEST)
Received: by tamar.safe-mail.net with Safe-mail (Exim 4.66)
(envelope-from )
id 1X043G-0003Et-Ld
for [email protected]; Thu, 26 Jun 2014 03:24:58 -0400
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=N1-0105; d=Safe-mail.net;
b=q8tg9TIGwO/dhWOC37sNDuS08lFLO1GZrK9vHXdB2oV187Zdn1h5Cs0+7B1Kwj3e
YuPG/WP3e9pWt6M6S91QGecTkWgcVjj2r+8LqdwLgYlIpDjjG7UOCeEqeTHdxmA8
Mbw53/bZEs73yjYX/1wVGKiH4KpQovhO6YIdmtABE9I=;
Received: from pc ([46.19.139.98]) by Safe-mail.net with https
Subject: Security Findings - Exploits Discovered
Date: Thu, 26 Jun 2014 03:24:58 -0400
From: [email protected]
To: [email protected]
X-SMType: Regular
X-SMRef: N1B-FaLBugTE1n
Message-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-SMSignature: NaFpzlw5r9KruAaXoi8A6cJduMZbfgJKuuZKFNVgo/XHd+Lc88Ibc654gAeDrz6f
qgFbtAUeTEUmFsk9a8edzFIM1GuAlHbqbhu5mtxX54g8tZkqFJPMizncezNpMrzT
d/wBKoKwAW9/wvaDANUYIre6UcJS3I7SUWVSYIE+pxI=
A recent penetration test of your site found the following:
Confirmed High Risk: 3
Confirmed Medium Risk: 122
Confirmed Low Risk: 84
Confirmed Informational (Information Gathering): 64
We want to help secure you and the BTC, torrent, and download services community. Our work is to exploit and report on the security of all Bitcoin, torrent, and download services online.
The following are your options:
1. Send 1.841 BTC to the following address: 16CTrB3BkSaQazoKeS3qKn9DgaofZP8p4J
- By doing so you ensure that you and ONLY you get the penetration and security report. It will be sent, then destroyed.
- You can help secure your servers from black hat hackers, and you can give a larger level of trust to your users.
2. Do nothing and ignore this email.
- The report will be published on several sites on the onion network, clearnet, torrent sites, and exploit sites such as exploitdb.
- You risk the immediate threat of having thousands of experienced hackers now targeting your site.
- If you received a High Risk notification, this indicates that you are in danger of complete compromise of your site, servers, and data.
If you decide to meet the bounty you will receive the following:
- The test ran.
- The applications used.
- Remediation tactics including OVAL & XCCDF class 4 scripts to fix your site.
- And support from us.
You have until 06/26/2014 to send 1.841 BTC to 16CTrB3BkSaQazoKeS3qKn9DgaofZP8p4J in order to gather the reports generated. Failure to do so will result in releasing the already obtained security flaws with detailed instructions on how to penetrate your site.
This is not a threat, this is securing the clearnet BTC community.
Note: Once payment has been sent, please respond to this email with your sending address, as well as the address we can email you the reports. Typical archived size of the pdf files can exceed 10mb. Also, upon request we can send you our PGP if you wish to ask further questions, but the deadline will not be lifted nor extended.
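The "coming from 46.19.139.98" attribution above is read off the Received: chain in the headers. As an added example (not part of the LuckyBit post, and not their tooling), the script below walks that chain the way an operator would when triaging such a mail: it unfolds the headers, lists the hops in transit order (origin first), and separates the public IPs into what our own mail servers recorded versus what third parties claim. The headers are those quoted in the post with the RFC 5322 folding whitespace restored (the forum rendering stripped the indentation); the addresses the post redacted are left blank as they appear there. The "gandi.net" trust boundary is an assumption taken from the fact that the receiving hosts in the headers are Gandi's.

```python
import ipaddress
import re

# Received: headers copied from the mail quoted in the post above, with
# continuation lines re-indented. Redacted addresses are left empty ("for ;").
SAMPLE_HEADERS = """\
Received: from spool.mail.gandi.net (mspool4-d.mgt.gandi.net [10.0.21.135])
    by nmboxes10-dc2.mgt.gandi.net (Postfix) with ESMTP id DA70C40C8C
    for ; Thu, 26 Jun 2014 09:25:20 +0200 (CEST)
Received: from mfilter20-d.gandi.net (mfilter20-d.gandi.net [217.70.178.148])
    by spool.mail.gandi.net (Postfix) with ESMTP id CE53F1421EB;
    Thu, 26 Jun 2014 09:25:20 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter20-d.gandi.net
Received: from spool.mail.gandi.net ([10.0.21.135])
    by mfilter20-d.gandi.net (mfilter20-d.gandi.net [10.0.15.180]) (amavisd-new, port 10024)
    with ESMTP id JCLGuk+ocRFX; Thu, 26 Jun 2014 09:25:19 +0200 (CEST)
Received: from tamar.safe-mail.net (tamar.safe-mail.net [212.29.227.229])
    by spool.mail.gandi.net (Postfix) with ESMTPS id 184A4142235
    for ; Thu, 26 Jun 2014 09:25:15 +0200 (CEST)
Received: by tamar.safe-mail.net with Safe-mail (Exim 4.66)
    (envelope-from )
    id 1X043G-0003Et-Ld
    for ; Thu, 26 Jun 2014 03:24:58 -0400
Received: from pc ([46.19.139.98]) by Safe-mail.net with https
Subject: Security Findings - Exploits Discovered
"""

# "from <host> (<comment with [ip]>) by <host> ..." ; the from-clause is optional
# (a relay that injected the mail itself only writes "by ...").
HOP_RE = re.compile(r"^(?:from\s+(?P<frm>.*?)\s+)?by\s+(?P<by>\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw):
    """Return (name, value) pairs with folded continuation lines joined."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def parse_hop(value):
    """Extract sending host/IP, receiving host and timestamp from one Received: value."""
    m = HOP_RE.match(value)
    if not m:
        return None
    frm = m.group("frm") or ""
    ip = IP_RE.search(frm)
    return {
        "from_host": frm.split()[0] if frm else None,
        "from_ip": ip.group("ip") if ip else None,  # IP as seen by the *receiving* relay
        "by": m.group("by"),
        "time": value.rsplit(";", 1)[1].strip() if ";" in value else None,
    }


def trace_route(raw):
    """Hops in transit order (origin first). Each relay prepends its own
    Received: line, so the topmost header is the last hop and must be reversed."""
    hops = [parse_hop(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    return [h for h in reversed(hops) if h]


def origin_candidates(hops, trusted_suffixes):
    """Public IPs along the path, origin first, up to and including the hop that
    handed the mail to one of our own relays. Only that last entry was recorded
    by a server we control; everything before it was written by third parties
    and could have been forged by the sender."""
    found = []
    for h in hops:
        if h["from_ip"] and ipaddress.ip_address(h["from_ip"]).is_global:
            found.append(h["from_ip"])
        if any(h["by"].lower().endswith(s) for s in trusted_suffixes):
            break
    return found


if __name__ == "__main__":
    route = trace_route(SAMPLE_HEADERS)
    for hop in route:
        print(f"{hop['from_host']!s:28} {hop['from_ip']!s:16} -> {hop['by']}  {hop['time']}")
    print("candidates:", origin_candidates(route, ("gandi.net",)))
```

Run against the quoted headers this yields two public candidates: 212.29.227.229 (tamar.safe-mail.net, the host that actually connected to the Gandi MX and the only one Gandi's own logs can vouch for) and, one hop earlier, 46.19.139.98, which is what Safe-mail's webmail front-end recorded for the HTTPS session of the sender. The second is the address the post cites; it is only as reliable as Safe-mail's header, so when blocking or reporting, treat it as the provider's claim rather than something observed first-hand. The private 10.0.x.x addresses are Gandi-internal hops and are skipped by the is_global check.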