An interesting piece of news: a malicious website that was set up to make visitors pay a cryptocurrency ransom has reportedly changed course. Instead of asking for a ransom, it now hijacks the visitor’s processing power to mine cryptocurrency in the background. The website was designed as a copy of the “Have I Been Pwned?” site. It began by asking users to enter their email addresses to check whether their passwords had been breached. If a password was compromised, the website would demand a $10 donation in cryptocurrency to refrain from publishing the password on the web in plain text.
The Next Web discusses this website in detail in a report titled ‘This site will leak your password to everyone unless you donate Bitcoin’. The report says: “Just like Have I Been Pwned, the malicious copycat will let you check whether your associated email address has been breached in the past. The disturbing part is that it will also display leaked passwords of such compromised accounts. The website then asks users for a one-off $10 donation in cryptocurrency to hide the passwords… According to the instructions on the website, leaked passwords will only be removed after users have successfully provided proof of payment. It is worth noting that – depending on how widely you used your passphrase – it might be faster to update your old password than to pay up the ransom.”
The Next Web has confirmed that the malicious website really does have a database of legitimate passwords, although it does not appear to store plaintext passwords for all compromised accounts. According to the report, the website claims to hold data on 1.4 billion compromised accounts. The report says: “It is unclear precisely how extensive the data is, but the website insists it contains 1.4 billion compromised accounts with their associated passwords. Another thing to point out is that some of the leaked passwords are at least several years old from what we can tell. Journalist Daniël Verlaan has said the website uses the same database as popular breach lookup service Gotcha.”
However, the report does not name the website, citing security reasons, and it notes that apparently no one has paid the ransom. The Next Web report says: “We have decided not to publish a direct link to the website for security reasons, but it appears that the platform is hardly getting any traction as of now. Indeed, a quick lookup of the associated wallet addresses indicates that nobody has paid the requested ransom fee as of the time of writing.”
The best thing anyone can do to avoid being targeted is to update the password immediately, especially if the account has been compromised recently.
The Next Web report ends with an update, which states: “Shortly after our coverage, the website’s search functionality stopped working. As pointed out by Verlaan [journalist Daniël Verlaan], the site is now surreptitiously running a crypto-miner in the background to hijack your computer power.”