Hackers increasingly target reputations through reviews sites, experts say

Hackers are increasingly attempting to extort companies and individuals by threatening severe reputational harm through online reviews sites such as Yelp and TripAdvisor, security experts tell The Hill.

While internet extortion schemes are not new, their perpetrators now appear to be spamming sites where enough negative reviews can scare away firms’ customers.

“It is definitely an increase that we see — that more and more hackers are misusing the whole brand reputation and any type of review process to blackmail and extort companies,” Candid Wueest, a Symantec threat researcher based in Europe, told The Hill. “Of course the same would be harmful for anyone who has an online profile such as hotels — we’ve seen it with restaurants as well, like TripAdvisor or Yelp.”

{mosads}On Sunday, a group of hackers emailed CheapAir, an online travel agency, threatening to “destroy personal or company reputation online” if the company did not pay 1.5 bitcoins, roughly the equivalent of $10,000, by Wednesday.

The hackers, who claimed they worked for the “STD Company,” said they are “experts in destroying personal and company reputation online,” according to screenshots of the emails provided to The Hill.

They threatened to harm the business by posting thousands of negative reviews, replies and fraud reports on sites such as TrustPilot and Ripoff Report, as well as on social media. The cyber crooks warned that they would also destroy CheapAir’s search engine ranking by spamming it with more than 1 million irrelevant blog comments such as “penis pills,” according to the screenshots.

“If not, we will proceed with our work and you should understand that damage once made can’t be undone, not even by us,” they wrote.

This type of asymmetric attack — low cost, potential high impact — puts the targeted company or person on the defensive, leaving it to them to prove to negative reviews are fake to the public.

Rep. John Ratcliffe (R-Texas) said extortion attacks are not a new phenomenon, but pose a growing threat to the nation’s pocket as hackers methods keep evolving.

“It is a threat to our economy through those types of hacks and breaches of small businesses,” said Ratcliffe, who chairs the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection subcommittee. “Cyber hackers improve with respect to their sophistication and the frequency of those attacks is increasing.”

And law enforcement is facing an uphill battle as they seek to catch the offenders.

“The reality is this happens with such frequency, law enforcement is under-equipped, under resourced to go address every one of these. That adds to the likeliness of success by the bad guys and likeliness they won’t be identified and prosecuted by government entities,” said Ron Hosko, a former assistant director of the FBI’s criminal investigative division.

In 2017, the FBI’s Internet Crime Complaint Center (IC3) received nearly 15,000 “extortion-related complaints,” estimating that the financial loss of these specific schemes was over $15 million, according to the center’s yearly internet crime report.  

Hosko, now president of the Law Enforcement Legal Defense Fund, said it is difficult to distinguish who is behind each attack. Even if federal officials stumble across digital breadcrumbs, the hackers carrying out these attacks could be halfway across the globe.

Additionally, it is relatively cheap to hire hackers and services off the black digital markets to go after a company’s reputation.

“I found one [classical underground website] which is offering for $500 to destroy your reputation…It doesn’t take $10,000 to create this. It is very cheap, unfortunately, and it is increasing right because hackers want to make profits,” Wueest told The Hill.

Experts and law enforcement officials advise against cooperating with the hackers. Paying them, they say, runs a high risk that the hackers will continue to extort the same victims for more money after the initial payment or be incentivized to carry out similar attacks against other companies.

“By paying the extortion you are basically encouraging the other individuals to also conduct these operations because they know they can profit from them,” said Kimberly Goody, manager of financial crime analysis at Fireeye.

“Even if you do pay the extortion, in many cases the actors will still sell your data or still use your data. You have no guarantee that that is going to be returned to you,” she added.

Goody said distributed denial of service (DDOS) attacks were “extremely popular” a couple of years ago, and then hackers began stealing database information and threatening to publicly release it unless they received a particular payment.

She noted researchers at Fireeye have noticed an increase in trend of database extortion over the past couple of years, and they expect to see “other evolutions of this in the future.”

The experts said companies are not the only victims. Individuals can be the targets of internet extortion schemes by threatening to expose sensitive information.

Wueest said Symantec observed an interesting case recently in which a few politicians in Switzerland separately received similar emails where someone was threatening to destroy their reputations.

“They actually attached a 13 page document describing all of the things that they could do. Starting from adding fake advertisements on Craigslist and similar stuff to getting bombarded with emails and phone requests, down to manipulating erotic photographs and porn,” he told The Hill.

While the experts interviewed by The Hill say they have not observed such attacks against U.S. politicians, they also noted that wouldn’t be “surprised” if such attacks have occurred — not all companies or individuals make the attacks against them public.

In an effort to maximize the credibility and the intensity of the threats, hackers provide their intended victims with examples of what they would do if the company or individual does not pay, as they did with CheapAir.

CheapAir CEO Jeff Klee in a Tuesday statement said the company does not plan to pay “these cyber thugs,” but the threat itself has been a drain on the company’s resources.

“We’re definitely not going to pay these cyber thugs, but we still have to devote a lot of time and resources to combating it,” Klee said.

“Surprisingly, there is no obvious way to communicate extortion or other threats to them, other than filing a cyber-bullying request and asking them to block a certain user. That won’t help for sophisticated bot attacks,” Klee continued, urging social media companies to be “more proactive” in protecting companies like his who are facing brand reputation attacks.

Experts say internet users should be vigilant about their online activity, stating that individuals should practice safe online habits like avoiding clicking on links or attachments from unknown senders.

“All of us who lower our guard are potentially at risk,” Hosko emphasized.