But it’s the Russians!
The ubiquitous Russians are at it again, or, so we are being told. You know, the Russian hackers who are everywhere, doing everything nefarious in the world, and victimizing poor little helpless “us” here in the United States . . .
Hey, if it makes you feel better, sure, blame it all on the Russians … but are we talking about Russian immigrants, Russian citizens, Russian descendants, or Russian government operatives? Those pesky details always seem to take the fun out of things. But here is something that is not up for debate: shame hacking is on the rise!
What is Shame Hacking?
Shame hacking is the use of hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with the demands made of them.
Shame hacking is one more way that cyber criminals have learned to monetize the fruits of their criminal actions and represents an increasing trend for how hacked information can and will be used for many ways.
Shame Hacking the Progressives.
According to the recent Bloomberg article, Russian Hackers Said to Seek Hush Money From Liberal Groups, “Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money.” For example, “[i]n one case, a non-profit group and a prominent liberal donor discussed how to use grant money to cover some costs for anti-Trump protesters.” The hackers learned of this information and then threatened to expose this activity if the groups did not pay anywhere from $30,000 to $150,000 in Bitcoin.
Other Cases of Shame Hacking.
Shame hacking is nothing new and first became prominent when the North Koreans hacked Sony and revealed the Sony executives’ embarrassing emails. Over time, this trend has gained more popularity as yet another way for hackers to monetize the fruits of their ill-gotten gains, such as in the following cases:
- DAVID BECKHAM’S EXPOSED EMAILS EXEMPLIFY SHAME HACKING THREAT
- PORN, POLITICS & CYBERSECURITY: ARE WE SEEING SHAME HACKING WITH TEXAS ELECTOR?
- BRAZZERS PORN HACK: MORE THAN JUST ACCOUNT HOLDERS EXPOSED
- YOU COULD SEE THIS ONE COMING: VIBRATOR COMPANY SUED FOR TRACKING USAGE
- YAHOO DATA BREACH – SOME FACTS & QUESTIONS (I.E., WAS IT REALLY THE RUSSIANS?)
- #SONYHACK: WILL EXECUTIVES’ EMBARRASSING EMAILS BETTER MOTIVATE CYBERSECURITY CHANGE?
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.
A warning for law firms:
Preet Bharara, the U.S. Attorney for the Southern District of New York, said the case should serve as a “wake-up call for law firms around the world.”
“You are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” Bharara said in a statement.
But here is the most important point to remember, from the DOJ statement, demonstrating that this entire “hack” was a result of compromised email credentials – not the James Bond kind of stuff people like to think about. There were two law firms “hacked” and both started with compromised employee email credentials:
“[B]eginning about July 2014, the Defendants, without authorization, caused one of Law Firm-1’s web servers (the “Law Firm-1 Web Server”) to be accessed by using the unlawfully obtained credentials of a Law Firm-1 employee. The Defendants then caused malware to be installed on the Law Firm-1 Web Server. The access to the Law Firm-1 Web Server allowed unauthorized access to at least one of Law Firm-1’s email servers (the “Law Firm-1 Email Server”), which contained the emails of Law Firm-1 employees, including Partner-1.””
“[T]he Defendants, without authorization, caused one of Law Firm-2’s web servers (the “Law Firm-2 Web Server”), located in New York, New York, to be accessed by using the unlawfully obtained credentials of a Law Firm-2 employee. The Defendants then caused malware to be installed on the Law Firm-2 Web Server.”