Hacking site hacked by hackers

We try not to guffaw at cyber crime, but sometimes – especially on a Monday just after reading a report from  Bleeping Computer in which a cyber crook turned on his fellow crooks by hacking their underground forum and saying he would expose them to the cops…

…unless they forked over $50,000:

MESSAGE TO BASETOOLS OWNER:

Hello, you have only 24 hours to pay 50.000$ OTHERWISE YOU WILL BE 

EXPOSED AROUND THE WORLD & ALSO WE HAVE TOO MANY PROOFS THAT WE HAVEN'T 

INCLUDED THEM HERE AND THOSE WE WILL SENT TO THE RELEVANT BODIES

The crook uploaded some of his “proofs” to the Basetools hacking site itself, presumably to cause maximum embarrassment amongst the site’s criminal community.

These published “proofs” included a screenshot that’s supposed to show the web administration panel of the Basetools forum, listing the pseudonyms of the last 15 buyers and sellers, as well as the last 9 refunds. Seems that the crooks have problems trusting each other on many different levels.

To pay or not to pay?

We don’t want to be seen as offering advice to cybercriminals, but we’d strongly urge against paying up in extortion cases like this. It’s clear that the data has already been stolen – and some of it already shared with the world, let alone with US law enforcement – so paying now won’t do much good.

In ransomware demands, the extortion typically covers a decryption key for data that almost certainly wasn’t copied by the crooks – in other words, if you decide you aren’t going to pay up, the crooks have nothing further to squeeze you with.

But when the crooks already have copies of your data, and are threatening to besmirch, embarrass or defraud you by exposing it, paying the fee won’t do anything to stop them besmirching you anyway.Or coming back for more money next week.

For what it’s worth, it seems that the Basetools site owners haven’t quite figured out what to do yet – at the time of writing, their underground forum said:

What to do?

Hackers hacking hackers sounds funny, and perhaps it is – but if hackers can be hacked, then so can you, if you aren’t careful. We don’t know how this attack happened, but the obvious precautions you can take for your own online service include:

1. Patch promptly: If the crooks know what server software version you are using, and it has a known security hole, they may very well be able to break in automatically. In other words, if you haven’t patched, you’re the low-hanging fruit.
2. Choose decent passwords: If the crooks can guess your password, or if you used the same password on another site that already got hacked, then the crooks don’t need to do any hacking themselves – they can just login directly.
3. Use two-factor authentication (2FA): A one-time code that changes every time you login means that just guessing or stealing your password isn’t enough. If the code is calculated on or sent to your phone, then the crooks need your phone (and its unlock code) as well, which is a higher bar to jump over.
4. Check your logs: If you keep log files for auditing purposes, for example so you can check who logged in when, examine them proactively in order to find out about security anomalies sooner rather than later.    Honour amongst thieves, eh?