[WordPress Security] PSA: Your Site Isn’t Hacked By This Bitcoin Scam, Keep the Money

From: Wordfence <list_at_wordfence.com>
Date: Mon, 23 Jan 2023 12:30:38 -0800

The Wordfence Threat Intelligence team provides insight into a new scam campaign where the attacker is demanding $3,000.



On January 19th, 2023, a member of the Wordfence Threat Intelligence team received a message submitted through the contact form on their personal blog, claiming the site had been hacked, and we received two reports from Wordfence users who had received the same message. The email claimed that the site had been compromised through a vulnerability on the site, and went on to demand about $3,000 worth of Bitcoin to stop the malicious actor from damaging the site’s reputation. This is only a scare tactic and not a real cause for concern: the site had not been hacked.

This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVRJLS1MHd1FW1XCdJK1BP7ljW4-ljtc4W80jcN3hBC7c3pdskV1-WJV7CgQ8NW61FzB43ng6y7VPMckf5RRQzGW1BcpMp5l8k45VRqxgm3HGGRsN5Xpf8C-SDbnW5YS-h967h3kVW5fDk9M6Mz2LcW4C7LM26_zg_vW3tLN701QYbHbW7h7fJc6QzHwCW64TbxN556P_tW67-hGk8vgktwW8VgT5h17NDcLW4KbdHM33p7cxW5QKlXj31nD-3N8rzbykLWQm-W1XhFgk2h4M_qN1xtNvypygRyW1l-Yk_49gbtkW7vvxr86LWy49W3pmxc07-4GHNW2PBqY16M3T0sW1KD13x7m2mZjW3bvkyr8hW_hHW7QK0cy4jPG8zW8FFqkG42KG2jW624jKp66bPJvN15bvS8zx-f3VMwzpk5C2tQKW8Ld09H3lX4jR3mHm1 ) Or you can read the full post in this email.

This campaign appears to have begun on or around January 18, 2023, and while our data on it is light, the campaign is ongoing. The messages are submitted through contact forms on websites, either by the threat actor directly or by a bot under their control, so they arrive in the site owner’s inbox as ordinary form notifications. Because we do not collect data on messages submitted through contact forms, this campaign is likely to be significantly more prolific than the numbers we have available suggest.

The message in question, shown below as it arrives in email form, is a scare tactic used to trick victims into paying to prevent a leak of sensitive data, damage to the website, or whatever other consequence the deliberately vague threat conjures up in the site owner’s mind.

extortion_email (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVRJLS1MHd1FW1XCdJK1BP7ljW4-ljtc4W80jcN3hBC7c3pdskV1-WJV7CgGkrW1F0js84Ytv1xW28DWgs1-6fmbW4TLJ2j8lXFvkW3jRmXR76NgysVTQK_-32gdzVN6WNWnXWWkDYW8VvP3T3WhTdGW447z425365sGW2YvJCK5_9JzqW1CmPDY63hb4_W66phYV72ChFVW5qGlhf9lGPBMW5gb6bm4wL-C2W3mVBqp1m2TbcW3xgX-p51bG9YW3PGdHg3vV43vW7B9cbQ7sG5cfN8nzkjg6RPZfW6X6ndW24xY4hW6-c4dK7pXmX9W7V343z2W7880W7RTtJX2TfpyWN4lgfw1ZPch8W4-wr534zPMfMVH5tjM8r69jzW2h8K9c1m144HW83ySt13K18L9W2SjS_f1TGBLnW7HqyKX7j5tZ8W6lgt842YpM0R31JG1 )

While this extortion campaign does not pose any real danger, it is still important to take website security seriously. WordPress core, themes, and plugins need to be kept up to date so that known vulnerabilities are patched. Even with everything updated, there may be vulnerabilities that are not yet publicly known and have no available patch. For this reason, a website security solution that includes a web application firewall (WAF) able to block common exploit patterns, such as Wordfence, should be in place.

Cyber Observables

While this extortion campaign is still in its early stages, there are some observables that can be used to identify and block these extortion attempts. Treat the IP addresses as short-lived indicators: the attacker can rotate them at any time, and they may belong to shared infrastructure, so verify ownership before blocking anything wider than the individual addresses listed.

Email Address

hacker_at_sludgepool[.]org

Bitcoin Address

bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn

IP Addresses

138.199.18.140

138.199.18.61

212.102.57.5

216.24.216.249

212.102.57.24
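To put the observables above to use, here is an added example (written for this edit, not code from Wordfence or from the post) that triages a single contact-form submission against the published indicators. The shape of the submission dict (an `email`, `message` and `remote_ip` field) and the generic Bitcoin-address heuristic are assumptions; the indicator values themselves are exactly the ones listed above, with the defanged email address re-fanged.

```python
import ipaddress
import re

# Indicators taken from the Wordfence post above (the e-mail address is
# shown there defanged as hacker_at_sludgepool[.]org).
IOC_EMAILS = {"hacker@sludgepool.org"}
IOC_BTC_ADDRESSES = {"bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn"}
IOC_IPS = {
    ipaddress.ip_address(a)
    for a in ("138.199.18.140", "138.199.18.61", "212.102.57.5",
              "216.24.216.249", "212.102.57.24")
}

# Heuristic added here (an assumption, not from the post): the wallet will be
# rotated long before the IP list is, so any Bitcoin address in a contact-form
# message is worth a human look.  Matches legacy base58 (1.../3...) and
# bech32/bech32m (bc1...) addresses.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}"
    r"|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
)


def score_submission(submission):
    """Return the indicator names matched by one contact-form submission.

    `submission` is a dict with the keys a form plugin typically exposes
    (assumed layout): 'email' (sender field), 'message' (body) and
    'remote_ip' (client IP).  Names starting with 'ioc_' are exact matches
    against the published indicators; 'btc_address_heuristic' is the
    generic wallet check.
    """
    hits = []

    sender = submission.get("email", "").strip().lower()
    if sender in IOC_EMAILS:
        hits.append("ioc_email")

    for addr in BTC_ADDRESS_RE.findall(submission.get("message", "")):
        if addr in IOC_BTC_ADDRESSES:
            hits.append("ioc_btc_address")
        else:
            hits.append("btc_address_heuristic")

    try:
        client_ip = ipaddress.ip_address(submission.get("remote_ip", "").strip())
    except ValueError:
        client_ip = None  # missing or malformed; never crash the form handler
    if client_ip in IOC_IPS:
        hits.append("ioc_ip")

    return hits


def triage(submission):
    """'block' on any published indicator, 'review' on the heuristic alone,
    otherwise 'allow'."""
    hits = score_submission(submission)
    if any(h.startswith("ioc_") for h in hits):
        return "block"
    if hits:
        return "review"
    return "allow"


# Constructed sample submissions for the demo (not real captured messages).
SAMPLE_EXTORTION = {
    "email": "hacker@sludgepool.org",
    "message": ("Your site has been hacked through a vulnerability. Pay the "
                "amount in Bitcoin to bc1qe4xvhksgapl3p76mmfz7thdnmkeuxry08kjhcn "
                "or your reputation will be damaged."),
    "remote_ip": "138.199.18.140",
}
SAMPLE_BENIGN = {
    "email": "reader@example.com",
    "message": "Hi, the checkout page returns a 500 error on mobile.",
    "remote_ip": "203.0.113.5",
}

if __name__ == "__main__":
    for name, sub in (("extortion", SAMPLE_EXTORTION), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sub), score_submission(sub))
```

The same checks can be wired into whichever contact-form plugin the site uses (most expose a hook that runs before the notification email is sent) or run over an export of past submissions to see whether the campaign has already reached the site. Keep the `review` outcome separate from `block`: a wallet address on its own is a signal to look, not proof of this campaign.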

Conclusion

In this post, we discussed an emerging extortion campaign where emails are being sent to site owners through contact forms. This campaign does not pose an actual threat to the website, but serves as a reminder to keep websites updated and implement a website security solution.

Even though this is a scam, if you would like additional assurance that your site has not been compromised, you can follow our guide to cleaning a hacked site (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVRJLS1MHd1FW1XCdJK1BP7ljW4-ljtc4W80jcN3hBC6X3pds1V1-WJV7CgMPTW6GlSv78-t_pZN4RPTFyNpmQnV46DqM5L7PdrW172T1J1Bx61SVqpySx4QgGf4Vzv7XZ7L_RzvW8bs-0t8HxJPvW8bVT5-7STFCRN51hzdNLgwCjW1F2RyS7MdXjWW51Jy6C3MPhP_W281CtM7jlsBqW2ndkjN7tdT5rW4Bzl4H4MZGhqW3rcXwG7ZQqmnW2hqkKW7_N6ZvW7dW80P1v0hshW1SmCy98LZ8z-W3pSpTY2b6wJ2W5VGNYh2prNQ1W8VnqDG4fsqFVW6v1BQ_4Vy01mW3hSy0W8336LQVJJFXF79XRyzW5-4hnK8XJvq7W6gP5653wTBNNW7WXzzQ2ks-SRW7FbM7X3v0Vkf33jH1 ), or use Wordfence Care (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVRJLS1MHd1FW1XCdJK1BP7ljW4-ljtc4W80jcN3hBC6k3pdrrV1-WJV7CgKF2W1ps27c6BCVt_VNNxdc91HYKgW3KT9DT1hgNxLW4Y5Rm24jrdXdW24bMvq4JNZ8sN8b42kGFWQnXW1Q6Hjx5QLN-ZF9hyrlxHSp4W2YfCX04KhRqyVR8f5v28GpHsW65RRns2gNrrLW79HpPy1btDK3N3Vcblz68CK-W1ZjW9v3zpn9wW5NNp6G10YTBrVqQTXF22rWKzW8RqT8K4_jncdV3Nc_H7ThFRnW5fySFD5rgtzYW7NWXX47C7-FNW9fCs8s2q-XL0W51CcGF5LtBVGW682kt2877z9nW1TGYJW8CmRj935wm1 ) or Wordfence Response (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVRJLS1MHd1FW1XCdJK1BP7ljW4-ljtc4W80jcN3hBC6k3pdrrV1-WJV7CgLl7W7K_4qp1gHh6-W4ktknJ193VtwW1Fpf0z80wLj2W2hXPN-59J1CWW1Y8yn18Ct6LcW4nfPNX3jDFMkW5zdp2Y9fq22DV3gWXm7rjwngW6dLdLy3wq5C0N56sn573xfGZW1Y-TJt3ZNyXLW4XFbzf1DCRZhW3vGzXK4HvjHXW7h9h6_5TKy84W5pXSfX8VQJCYW1_xqKl3N6FBTVx-b521jytt8W5qSh1X8Z-bfwW7FH4zJ7G8ZsgW6xl_2B5lm5yHW5VF3r34qMNS6W8FFWnn7j3NK7VtWv4r7MVq3xW6_B0QC2rBHJw3m4T1 ) for a complete site audit, around-the-clock security monitoring, and unlimited site cleanings if your site is ever compromised. Both products include hands-on support in case you need further assistance.

Received on Mon Jan 23 2023 - 21:30:41 CET

This archive was generated by hypermail 2.3.0 : Mon Jan 23 2023 - 21:32:30 CET