PARIS — "If you are a customer of Domino's Pizza, know that we asked them not to publish your data in exchange of 30,000 euros...”
This was the message posted on Twitter in mid-June by the “collective" of hackers Rex Mundi. The pizza delivery company has refused to bow to the blackmail of the group, which boasted of stealing data from 600,000 customers.
This incident is just the latest illustration of the new weapon for cybercriminals: old-style extortion. “Usually, the demands are not made public. Here, the hackers are playing their last card,” says Gérôme Billois, computer security consultant at Solucom.
He reckons that Rex Mundi would have made more money by reselling the data on the black market. A brand's customer is worth between 50 cents and 2 euros, and between 300,000 and 1.2 million euros for the whole load like in this case of Domino’s Pizza, Billois estimates, “though data lose their value very quickly."
This is the “ransomware” game that is especially in fashion now. It can take the form of blocking the functioning of a computer and then asking the owner between 300 and 1,000 euros for him to have his encryption keys. “Sometimes the hacker makes a sneaky pass for ransom by sending an official message that appears to come from an authority imposing a fine," says Loïc Guézo from Trend Micro.
According to Europol, several millions of computers have been infected in the past two years, generating a multi-million-euro turnover.
The same phenomenon strikes companies in different ways. Discretion is required, so the ransom demands tend to be in bitcoin, the emerging virtual and untraceable currency.
But the first order of business is often kidnapping the data. Michel Van Den Bergue, CEO of Orange Cyberdefence, cites a case where hackers got their hands on a trove of human resources data. "They threatened to reveal the salaries of top managers on both internal and public forums,” he said. The ultimatum was a success for the hackers: the company paid.
A limitless imagination
A second option is for the hackers to paralyze an information system or threaten to destroy a sensitive data base (customers’ files, leaders’ email, etc). They can also threaten to overload a company's network or system. "The hackers paralyzed the trading room of a bank for 45 minutes, and it caused colossal losses," says Laurent Combalbert, a former officer in the anti-terror unit of the French national police, who now works in crisis management and ransom negotiation for private firms. If the amounts do not seem large compared to the damage that could be suffered, it is precisely because the approach has been to encourage the victims to pay.
So how should companies react? “We advise them to reveal the fuss and, more than anything, not to pay the ransom because otherwise it becomes a spiral," says Combalbert. "In extreme cases, negotiations happen — only by email since the hackers have dematerialized the negotiation — the ultimate goal remaining to convince the victim to give up."
The latest phenomenon is the fake orders of transactions. By getting informations on social networks, hackers pretend to be the bosses, putting pressure on an accountant or an assistant: “On LinkedIn, you can easily access all the charts of a company and its strategic projects. We saw some of our clients accepting to do transfers of 100,000 or 200,000 euros,” says Jean-Michel Orozco, chief of cybersecurity at Airbus Defence and Space.
Banks — particularly Société Générale, BNP Paribas, and CDC — take this phenomenon very seriously. The French central bank has made the issue a priority on its annual agenda.
And when you thought it couldn't get worse, the final trick worth mentioning: direct intrusion into the billing system. "I had the case of a client who had 1.5 million (euros) stolen this way," says Gerome Billois. How? The hacker broke into the company information system, and in the guise of the accounting department, commissioned several major transfers.