The Dutch police have announced the arrest of three more suspects in one of the biggest data extortion cases to date. The men, all aged between 18 and 21, were allegedly involved in extorting businesses and selling stolen data to other criminals.
During a two-year investigation the police learned that the suspects victimized thousands of businesses, including educational institutions, web shops, online ticket vendors, and institutions connected to critical infrastructure and services.
The three men, and a 25 year-old arrested last year, are accused of entering computer systems illegally, data theft, extortion and blackmail, and money laundering. The suspect arrested last year was allegedly involved in a data theft incident regarding Geburen Info Service GmbH (GIS), which collects television license fees on behalf of the Austrian government. It is likely that the dataset in that breach includes information about almost every Austrian citizen.
Sadly, one of the people arrested was also a member of the Dutch Institute for Vulnerability Disclosure (DIVD), a group of volunteer cybercrime fighters. You may remember hearing about them in the 2021 Lock and Code episode about “The failed race to fix Kaseya VSA, with Victor Gevers”.
Whether the suspect worked there to soothe his conscience or in the hope of gaining access to information he could use for his illegal practices is unknown. Either way, it is clear he alternated between wearing his white and black hats. According to a statement by the DIVD, there is no indication that he has been able to abuse his position, but his access to DIVD systems has been blocked.
As you might expect from crimials willing to extort businesses like this, they were not men of thier word. Some of the data they held to ransom was later sold to other criminals anyway, even if the ransom demad was paid.
One of the members of the group ran a Telegram channel where he offered to sell personal and address information based on a license plate. This enabled organized criminals to find out details of an intended target with the click of a button.
That data would also have been suitable for a variety of other crimes, and useful for phishing attacks, bank card fraud, or any other type of fraud where some knowledge of the victim gives the ciminal an advantage.
The cybercrime unit behind the arrests also warned that criminals are getting better at refining this kind of stolen data and finding innovative uses for it.
It is worth reflecting on the damage caused by a ciminal enterprise like this. It is not limited to those businesses that feel forced to pay the ransom. There are substantial costs associated with restoring compromised systems and forensic investigations. There are also the emotional damages to the owners of the stolen data, and to the people who feel responsible for letting this happen—imagine being the person that clicked on a link that launched an attack.
In an interview, the CEO of the online ticket vendor said he was intimidated by the criminals who let him know they knew “who he was married to”. He also said he is glad to have worked with the police. By engaging in a negotiation about the ransom he was able to win time. And with the help of HaveIbeenPwned’s Troy Hunt he was able to establish the extent of the stolen data and inform the affected customers himself.
Anyone whose data fell into the hands of these criminals (which could include every Austrian and Dutch citizen), should be on their guard for unsolicited calls from people claiming to be from their bank, for phishing mails, and other scams.
Anyone affected by data theft should take the following precautions:
- Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
- Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
- Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
- Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
- Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts..