Don't buy security from strangers

About a week ago, I received an email from an anonymous hacker. He had sent the same email to around 350 people in the Joomla community. They were all registered in the same affiliate system for a well-known software developer, and attached to the email was an Excel sheet with all of their contact info and user names. The hacker said he had extracted the info from an insecure system and offered "security services" to protect against similar hacks.

Apparently, people had been talking about this for a couple of days already on Twitter. Still, I wanted to find out a little more about what this guy was after.

This is what it said in the first email:

I am writing to warn of a failure, a serious vulnerabilities in your system, I could give them information and solution on these if interested contact me with an answer.

I sent him an email, asking which system he had gathered the information from.

The person behind the email answered me quickly and offered his services again:

These data were extracted from a vulnerable system, I can protect the rest of your data and provide the best security for you and your website.

I asked again and he replied:

Sorry this information I can not give it if you do not hire my services, I can only answer is that this information was not extracted from their website, but if that is compormete very sensitive information and you should know that more information is sensitive that could affect you. I would give all your information, and the best service would provide optimal security for you and your website.

The English used in the emails leads me to think he's not a native speaker, and the message isn't exactly crystal clear. Still, I wanted to know what he planned to do next.

I wrote:

So who are you, then? And what are your prices?

The answer came within a couple of minutes:

I have various prices. from $100 to $300 dollars.

$100 dollars for a medium security. $200 dollars for a medium-high security. $300 for optimal safety.

I yarolinux and my service is personalized for you, it means that it is very good, because while I will only do its yours. Thank you. Tell me what you think?

What I think? Well, I think anyone would be crazy to hire the services of a person who sells his services in this way.

Would you let this guy into your server?

Doing any kind of business with someone whose only point of contact is a Gmail account is risky. He didn't supply a name, a company name, or even which country he lives in. Is this the type of person you should let into your systems? To be able to perform "security" work on your system, he will need full access to your server. Giving him that will most likely lead to other problems.

Best case, your data can be stolen. Worst case, your server can be compromised and used for the hacker's own projects. Your server could be used as part of attacking other servers. This may in turn lead to problems for you. Or the server could be used to send out spam email. In short, giving a known hacker access to your systems to "fix" a problem is crazy. It's bound to give you problems.

My hope is that nobody has been gullible enough to hire this or any other unknown "professional" to fix their system.

Originally published on Wednesday, 26 September 2012 22:00
Last modified on Tuesday, 25 September 2012 09:27
