When we talk about online extortion, what comes to mind nowadays is ransomware, thanks to reports of new strains found almost every day of the week. For some, it may be scams—from online dating, to loan, to 419 fraud. For others, examples may include hijacked accounts, sextortion, DDoS attacks, and data theft.
These past few weeks, we have been introduced to a new type of digital extortion that, as some security experts claim, is currently on the rise: bug poaching.
So, how does one poach bugs?
In this digital age, plants, animals, insects, and museum collections are no longer the only “goods” that can be poached. Bug poaching happens when a hacker or “fake white hat” exploits a target company’s website to gain access and steals sensitive data—the proof of intrusion and, at the same time, the bargaining chip should the company refuse to pay—uploads it to a cloud storage service, and then contacts the company by email to demand a large payment in exchange for disclosing how the hacker was able to compromise the network, so that the company can shore up its security. According to John Kuhn, senior threat researcher for IBM, these hackers can go as far as including this statement in their email: “Please rest assured that the data is safe with me. It was extracted for proof only. Honestly, I do this job for a living, not for fun.”
While this may make it seem as though the hackers are acting for the good of the target company and its clients, in reality they are not. These hackers give no guarantee that they will not disclose the sensitive information they have stolen elsewhere, or sell it, once the target company pays.
Money in exchange for revealing vulnerabilities? Sounds like a bug bounty to me.
Unfortunately, not all businesses with an online presence have a bug bounty program in place. Some may not even have a responsible disclosure policy for security researchers who find flaws. In fact, companies without such a policy or program in place may be likely targets of bug poaching. These include a great number of companies in the health, entertainment, education, air transport, banking, and clothing industries, among others.
Remember that forcing companies to pay up before disclosing any information about their network vulnerabilities is not only unethical; most also view it as extortion.
Ransomware is already worrying enough. How can organizations protect themselves from bug poaching?
First, organizations must realize that their website (or their network) may not be as secure as they thought, and that it takes time, effort, and resources to make public-facing sites and internal and external systems secure and to keep them secure. Doing their own investigation to identify vulnerabilities is a must. Organizations can use free online scanning services for initial scans of their public-facing sites. Although such scans are not as in-depth as the penetration testing done by third-party professionals, they are a good start. From the results, organizations will know what software to patch or install in order to address the vulnerabilities found.
If organizations lack the manpower to do internal auditing and code testing, hiring third-party professionals is also advisable. It is best practice to thoroughly audit and test the Web application code of existing websites, and especially of new or updated sites before they are released to production.
Lastly, installing SIEM technology and other network monitoring tools can significantly aid organizations in identifying attacks, as these collect logs and information that are also relevant to law enforcement.
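To make the monitoring advice concrete, here is an added example (not code from the original post, and not any vendor's SIEM) of the kind of correlation rule a SIEM or log-monitoring tool can run for the pattern described above: a single client pulling an unusual volume of data through the website, followed by a large upload from an internal server to an external storage service. Both log excerpts are constructed for the example; the IP addresses, hostnames, thresholds, and the list of server hosts are assumptions, and a real deployment would tune them to its own baseline traffic.

```python
import re
from collections import defaultdict

# Constructed sample web-server access log in Common Log Format. Not real traffic.
ACCESS_LOG = """\
203.0.113.5 - - [10/Jun/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2016:10:01:03 +0000] "GET /about HTTP/1.1" 200 3200
198.51.100.7 - - [10/Jun/2016:10:02:10 +0000] "GET /customers?page=1 HTTP/1.1" 200 180000
198.51.100.7 - - [10/Jun/2016:10:02:11 +0000] "GET /customers?page=2 HTTP/1.1" 200 182000
198.51.100.7 - - [10/Jun/2016:10:02:12 +0000] "GET /customers?page=3 HTTP/1.1" 200 179500
198.51.100.7 - - [10/Jun/2016:10:02:13 +0000] "GET /customers?page=4 HTTP/1.1" 200 181200
198.51.100.7 - - [10/Jun/2016:10:02:14 +0000] "GET /customers?page=5 HTTP/1.1" 200 180800
192.0.2.9 - - [10/Jun/2016:10:03:00 +0000] "GET /customers?page=1 HTTP/1.1" 200 180000
"""

# Constructed sample egress (proxy/firewall) log, key=value style. Hostnames are placeholders.
EGRESS_LOG = """\
2016-06-10T10:05:00Z src=10.0.0.5 dst=updates.example.test method=GET bytes_out=812
2016-06-10T10:06:30Z src=10.0.0.5 dst=files.example-cloud.test method=PUT bytes_out=52428800
2016-06-10T10:07:00Z src=10.0.0.21 dst=mail.example.test method=POST bytes_out=4096
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_access_log(text):
    """Parse CLF lines into dicts; skip lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
        rec["path"] = rec["url"].split("?", 1)[0]  # strip the query string
        records.append(rec)
    return records


def find_bulk_readers(records, byte_threshold=500_000, same_path_threshold=4):
    """Flag client IPs that were served an unusual volume of data or that hammered
    one endpoint repeatedly (e.g. paging through a whole customer list)."""
    stats = defaultdict(lambda: {"bytes": 0, "paths": defaultdict(int)})
    for r in records:
        if r["status"] != "200":  # only successful responses carry data out
            continue
        stats[r["ip"]]["bytes"] += r["bytes"]
        stats[r["ip"]]["paths"][r["path"]] += 1
    alerts = []
    for ip, s in stats.items():
        reasons = []
        if s["bytes"] >= byte_threshold:
            reasons.append(f"served {s['bytes']} bytes")
        hot = [p for p, n in s["paths"].items() if n >= same_path_threshold]
        if hot:
            reasons.append("repeated pulls of " + ", ".join(sorted(hot)))
        if reasons:
            alerts.append((ip, "; ".join(reasons)))
    return sorted(alerts)


def find_large_uploads(text, server_hosts, upload_threshold=10 * 1024 * 1024):
    """Flag large PUT/POST uploads leaving hosts that should never upload bulk
    data externally (the assumed set of web/application servers)."""
    alerts = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if fields.get("src") not in server_hosts:
            continue
        if fields.get("method") not in ("PUT", "POST"):
            continue
        size = int(fields.get("bytes_out", "0"))
        if size >= upload_threshold:
            alerts.append((fields["src"], fields["dst"], size))
    return alerts


if __name__ == "__main__":
    for ip, why in find_bulk_readers(parse_access_log(ACCESS_LOG)):
        print(f"ALERT bulk read from {ip}: {why}")
    for src, dst, size in find_large_uploads(EGRESS_LOG, {"10.0.0.5"}):
        print(f"ALERT large upload {src} -> {dst} ({size} bytes)")
```

Either alert on its own is noisy; the value of a SIEM is in correlating them (a bulk read from the website shortly before an unusual upload from the server hosting it), keeping the underlying log lines so that, if an extortion email does arrive, the organization already holds the evidence it needs for its own investigation and for law enforcement.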