Fancy Bear scammers are on a hacking blackmail frenzy


Travelex didn't pay the ransom this time and instead survived a DDoS attack, which the hackers launched as a kind of warning shot and then as a second barrage. "Anyone behind this probably thought that Travelex had to be a soft target based on what happened earlier in the year," says Greg Otto, a researcher at Intel471. "But why should you meet a company that has probably made an effort to strengthen its security? I understand the logic, but I also think that logic has gaps." Travelex has not returned a request from WIRED for comment on the August blackmail attempt.

Blackmail DDoS attacks have never been particularly profitable for fraudsters, as they don't have the visceral urgency of ransomware, where the target is already hobbled and possibly desperately trying to regain access. And while this has always been a weakness of the strategy, the threats may be even less severe now that robust DDoS defense services have become widespread and relatively inexpensive.

"In general, DDoS is not as profitable as other types of digital blackmail as a blackmail method," said Robert McArdle, director of advanced threat research at Trend Micro. "It's a threat to do something, unlike the threat you've already done. It's like saying, 'I might burn your house down next week.' It's very different if the house is on fire before you."

Given the low effectiveness of extortion DDoS, attackers rely on the names of notorious government-sponsored hacking groups to increase the urgency and the stakes. "You are scare," says Otto. And the attacks are likely to work at least occasionally, as attackers keep coming back to the technique. For example, Radware noted that attackers not only impersonate Fancy Bear and Lazarus Group, but also use the name "Armada Collective", a nickname that DDoS extortion actors have used several times over the past few years. It is unclear whether the actors behind this incarnation of Armada Collective have any connection to previous generations.

Although most organizations with digital defense resources can effectively protect themselves from DDoS attacks, the researchers believe that it is still important to take these threats seriously and actually invest in strong protection. The FBI reiterated this message in early September in a bulletin about actors posing as Fancy Bear. It was reported that thousands of institutions around the world were sent blackmail notes in early August.

"Most institutions that have reached the six-day mark have not reported any additional activity or have successfully mitigated the activity," the FBI wrote. "However, several prominent institutions reported follow-up activities that had an impact on operations."

While the attacks may not be as crippling as ransomware for most targets, they nonetheless pose a serious threat to organizations that do not have adequate DDoS defense in place. And with so many other types of threats, it's easy to imagine that the fear tactic would work often enough to make it all worthwhile for attackers.

This story originally appeared on


Steven Gregory