By Iain Thomson, 1st June 2016 02:01

IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

And what to do if you get hit

At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done.

The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using a SQL injection attack against a website. In none of the cases IBM has investigated were zero-day vulnerabilities exploited – instead, crims just leveraged common or well-known programming blunders that weren't patched.

The intruders investigate the infiltrated servers for valuable information and stick it all in a cloud storage account. The victim then gets an email explaining that the data has been accessed, providing a link to the cloud storage site. The attackers then demand a reward of up to $30,000 for showing how they managed to pilfer the data.

"These criminals aren’t afraid of penetrating the organization’s network to steal data. They argue their methods prove the point that the organization’s system is vulnerable," said John Kuhn, senior threat researcher at IBM.

"By not immediately destroying or releasing the organization’s data, they are illustrating the ethics (like a white hat) that prevent them from being a complete black hat. Regardless of their rationale, this is data theft and extortion — be it with alleged good intentions or not."

Kuhn recommends not paying the bug poachers, since there is seldom any need to pay in order to work out how the attackers got in. Web server logs are an excellent source of that information, he said, as is running forensic scans on the affected machines. You will just have to hope that the stolen information stays private; and if people's personal data has been exposed, you should disclose that regardless.
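As an added example (not code from the article or from IBM), one way to begin the log review Kuhn describes, assuming Apache combined-format access logs and using constructed sample lines: URL-decode each request, flag the patterns that SQL injection probes usually leave behind, and group the hits by source address together with the bytes the server returned, which is where a data grab tends to show up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines, not real traffic; the
# addresses, paths and payloads are placeholders for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2016:03:14:07 +0000] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:03:14:09 +0000] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 98210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2016:03:14:15 +0000] "GET /products?id=42%20UNION%20SELECT%20name,email%20FROM%20customers-- HTTP/1.1" 200 304400 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2016:03:20:01 +0000] "GET /products?id=17 HTTP/1.1" 200 4900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Heuristic signatures of SQL injection probes, checked against the
# URL-decoded request. A heuristic, not a SQL parser: review hits by hand.
SQLI_RE = re.compile(
    r"(\bunion\b\s+(all\s+)?select\b|\b(or|and)\b\s+\d+\s*=\s*\d+|'\s*(or|and)\b|--\s*$)",
    re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def find_sqli(log_text):
    """Return {ip: {"requests": [(timestamp, decoded path)], "bytes": served}} for suspected probes."""
    hits = defaultdict(lambda: {"requests": [], "bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SQLI_RE.search(rec["decoded_path"]):
            hits[rec["ip"]]["requests"].append((rec["ts"], rec["decoded_path"]))
            hits[rec["ip"]]["bytes"] += rec["bytes"]
    return dict(hits)

if __name__ == "__main__":
    for ip, info in find_sqli(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['requests'])} suspicious requests, {info['bytes']} bytes served")
        for ts, path in info["requests"]:
            print(f"  {ts} {path}")
```

The first flagged timestamp per address gives the earliest point of entry to pull the rest of that session from, and the byte totals show which of those requests actually returned data.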

Of course, the most obvious tactic is to harden up your defenses before these scammers strike. Apply patches, run penetration testing, and hire security staff who know what they are doing. But that's been the security industry's advice for the past 30 years and that doesn't seem to have sunk in yet.
