WordPress Tavern

Fake Ransomware Bitcoin Scam Claims “Your Site Has Been Hacked”

Sarah Gooding · · 13 Comments

A fake ransomware scam is going around that targets website contact forms. It sends an email to the site owner with the subject “Your Site Has Been Hacked.” The body of the email claims the hackers have exploited a vulnerability to gain access to the site’s database and “move the information to an offshore server.” The email threatens to ruin the site owner’s reputation by selling the site’s database, notifying customers that their information has been compromised, and de-indexing the site with search engines using blackhat techniques.

Within the past few weeks, website owners have reported having received this email on various support channels, including WordPress.org, stackoverflow, and reddit. The sites in question have not been defaced, nor do they show any other evidence of tampering.

The Bitcoin Abuse Database has seen a surge of reports regarding this scam in May and June, logged under various Bitcoin addresses. The scammers send the email out indiscriminately, even targeting sites that do not have a database. So far the campaigns have not been very successful at convincing site owners to pay the ransom.

The Bitcoin Abuse Database advises visitors that extortion emails are 100% fake and those who receive them should not pay ransoms.

If you or one of your clients receive an email like this, rest assured that it is a scam that requires no action. If you want to be extra cautious you can change your passwords and use a security plugin to scan your files for changes. Otherwise, simply delete the email.

An example of this scam email is below for reference:

PLEASE FORWARD THIS EMAIL TO SOMEONE IN YOUR COMPANY WHO IS ALLOWED TO MAKE IMPORTANT DECISIONS!

We have hacked your website [website URL] and extracted your databases.

How did this happen?
Our team has found a vulnerability within your site that we were able to exploit. After finding the vulnerability we were able to get your database credentials and extract your entire database and move the information to an offshore server.

What does this mean?

We will systematically go through a series of steps of totally damaging your reputation. First your database will be leaked or sold to the highest bidder which they will use with whatever their intentions are. Next if there are e-mails found they will be e-mailed that their information has been sold or leaked and your site [website URL] was at fault thusly damaging your reputation and having angry customers/associates with whatever angry customers/associates do. Lastly any links that you have indexed in the search engines will be de-indexed based off of blackhat techniques that we used in the past to de-index our targets.

How do I stop this?

We are willing to refrain from destroying your site’s reputation for a small fee. The current fee is $2000 USD in bitcoins (BTC).

Send the bitcoin to the following Bitcoin address (Copy and paste as it is case sensitive):

12KLZzgrNX2DvbWQM7yQ1V9vPwy9JPvUKM

Once you have paid we will automatically get informed that it was your payment. Please note that you have to make payment within 5 days after receiving this notice or the database leak, e-mails dispatched, and de-index of your site WILL start!

How do I get Bitcoins?

You can easily buy bitcoins via several websites or even offline from a Bitcoin-ATM. We suggest you https://cex.io/ for buying bitcoins.

What if I don’t pay?

If you decide not to pay, we will start the attack at the indicated date and uphold it until you do, there’s no counter measure to this, you will only end up wasting more money trying to find a solution. We will completely destroy your reputation amongst google and your customers.

This is not a hoax, do not reply to this email, don’t try to reason or negotiate, we will not read any replies. Once you have paid we will stop what we were doing and you will never hear from us again!

Please note that Bitcoin is anonymous and no one will find out that you have complied.

13 Comments

  1. Gaurav Tiwari
    · Reply

    I got one too. 😦

    I rushed and changed passwords.

    Report

  2. harry
    · Reply

    how would they know after all they say this

    Please note that Bitcoin is anonymous and no one will find out that you have complied.

    lol total idiots.

    Report

  3. Dave LeBlanc
    · Reply

    I have getting variations of this type of email for well over a year now.

    I read on Forbes this was caused by a hack and theft of email addresses and passwords from somewhere and posted on some site for downloads. The password mentioned in the email is one I once used and had already changed as part of a routine to change passwords.

    So far, no one to my knowledge has actually used the old password to try to get into an account. The scammers are just content to sent these emails. If they get just a couple of suckers to follow through on the scam, easy money.

    Report

  4. Inna
    · Reply

    I received one too and at first, I was like ?!?!?! because the email came from an anonymous email address and the message is well-written. Not in broken English, like scammer messages usually are. I’m happy I found this article. My blood pressure is now returning to normal!

    Report

  5. Fawaz Momoh
    · Reply

    Hahaha…I got the scam mail a day or two ago and it prompted me to read this article. I already knew it was a scam.

    Anyway, I think a good way to protect your website is to install Wordfence plugin (for wordpress users). I know it may not totally answer your security questions, but it has worked for me. Also have a good hosting company.

    Thanks Sarah.

    Report

  6. Frank
    · Reply

    This issue was also reported by a website security company WebARX last week. Based on their research, some people have already fallen to it.

    Anyways, here’s a link where they share some advice:
    https://www.webarxsecurity.com/bitcoin-ransom-scam-targeting-website-owners/

    Report

  7. Salim
    · Reply

    Perhaps it comes from un-encoded email addresses shown on our site (i.e. in about page). They are indexed and stored in a certain mailing list.

    I use email encoder plugin to prevent my email addresses from getting this kind of scam.

    Report

  8. Pamela Schmidlin
    · Reply

    Does this have anything to do with host providers? Can host providers stop these hacks from coming through to your site? Because I had issues this week logging into my dashboard only to find the host was working on some stuff and things were down for about an hour or two.

    I also never received and email or anything concerning this “hack”…..if so I will not be changing as I was thinking of my host provider!

    Report

  9. Melanie Adcock
    · Reply

    A couple of my clients got this email.

    Report

  10. Paolo Dodet
    · Reply

    I’ve got one too, thank goodness I’ve just come across this post, so my blood pressure went back to normal again.

    Report

  11. austin marketing guy
    · Reply

    So sleazy and weak! My client got one of these. It’s pretty funny. Clearly they hacked the site because they had to use the contact form to contact us instead of emailing us with all the private data they hacked.

    Report

  12. David.b
    · Reply

    Hi There,

    I also got the mail. Today may host provider server is down and this had never happened before! The server is still down and my hosting support is working on it. Hopefully my website will be up and showing soon….. what a coincidence… Cheers!

    Report

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: