Seen on KNEWS:
The Republic of Cyprus has extradited two alleged cyber criminals to the United States, including a young man who is the first Cypriot national to be extradited under an extradition treaty with the US.
Joshua Polloso Epifaniou, a 21-year-old from Nicosia and the first Cypriot national to be extradited to the United States, landed at Kennedy Airport in New York last Friday. He was extradited on FBI warrants to face multiple cyber charges in Georgia and Arizona, including intrusion and money extortion.
Read more on KNEWS.
Epifaniou’s M.O. seemed to be to hack a site and then extort its owners into paying a ransom so that he would not dump the data or do other damage. He was described as a skilled young hacker who had previously earned bug bounties by finding vulnerabilities.
Among Epifaniou’s alleged victims in the Northern District of Georgia are Adafruit, Snagajob, Armor Games, and Bleacher Report. In Arizona, he is charged over an incident involving Ripoff Report. Epifaniou’s earlier aliases (cited in the Georgia cases) included CharySQX and Georgos Petiou, while other aliases used in the Arizona cases included Charley Sullivan, Chary Malatan, and Richard Charley.
Epifaniou allegedly hacked Armor Games in October 2014 by exploiting a vulnerability in the site. Although he did not acquire the entire database, he contacted the firm claiming to have data on 450,000 users and threatened to dump it if the firm did not pay a ransom in BTC. He also took the site offline to motivate the firm to pay up. At the time, his ransom demand was less than $2,000.00. The firm paid. An Armor Games database with more than 11 million records from 2014 has been publicly circulated, but this site does not know definitively whether it came from this incident, although that seems plausible.
The Ripoff Report scheme, alleged in the Arizona indictment, was more complex. Epifaniou allegedly hacked ROR in October 2016 using a brute force attack that gave him access to an employee’s account. Several weeks later, he emailed the CEO of ROR, demanding $90,000 within 48 hours or he would start dumping the data. But even before that, he had started working with an employee at an unnamed reputation management/SEO firm in Glendale, California. The SEO employee would contact companies that had bad reports on ROR and offer to get the reports removed through the SEO service. The pair would then, it appears, use the compromised access to ROR’s database to remove the listing, and tell the SEO client that the report had been taken down via a court order or some other legitimate means. According to the indictment, Epifaniou and his partner removed the bad reviews of about 100 firms that way, charging each firm $3,000 – $5,000 for the purported SEO service.
Epifaniou’s Ripoff scheme appears to have run between October 2016 and May 2017. Unfortunately for Epifaniou, it appears that the prosecution has a lot of instant messaging records in which Epifaniou and his co-conspirator discuss their plans and methods. A sealed indictment was filed in September 2017.
Update: I just read Hacker News coverage from yesterday. They have a lot of the same details I just reported but they also provide some additional info that you may want to read.
On an additional note, I don’t recall ever getting a breach notification letter from Ripoff Report in 2016, even though my information was in there from a report I had filed years earlier. I know my information was in there because it is STILL in there. And how do I know THAT? Well, Ripoff Report recently had a misconfigured Amazon S3 bucket that a researcher found and alerted me to. I gave him permission to check for anything by me, and sure enough, he was able to find the old report.
The researcher attempted to notify ROR of the leak by email, but the emails bounced back. I personally called ROR and left a voicemail message. I got no call back. I then tried reaching the CEO via LinkedIn. Still no response. So the researcher contacted Amazon and it seems like they were able to reach ROR to get the bucket secured on July 16. Is ROR going to notify anyone about this latest incident? Do they know how many people may have accessed their database?
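The post does not say how the Ripoff Report bucket was misconfigured, only that an outside researcher could read its contents. The two usual causes are a bucket ACL granting READ to the AllUsers or AuthenticatedUsers group, or a bucket policy that allows a wildcard principal. The following is an added example, not code from the post or from Ripoff Report, that audits both documents offline for those conditions; the ACL and policy JSON below are constructed to illustrate the open and the corrected state and do not reflect Ripoff Report's actual settings.

```python
"""Audit an S3 bucket ACL and bucket policy for anonymous/public access.

Added example for this post. The sample ACL and policy documents are
constructed; they are NOT Ripoff Report's real configuration. In practice
the inputs would come from `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy` (the latter returns the policy as a JSON
string, hence the json.loads in audit_bucket()).
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group_uri, permission) for every grant to AllUsers or
    AuthenticatedUsers. Either group is effectively 'anyone': an
    AuthenticatedUsers grant is satisfied by any AWS account, not just
    the bucket owner's."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (in list form too)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Return (sid, actions, has_condition) for every Allow statement with a
    wildcard principal. A Condition block may narrow exposure (e.g. to a
    source IP range), so it is reported rather than silently excused."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        findings.append(
            (stmt.get("Sid"), _as_list(stmt.get("Action")), bool(stmt.get("Condition")))
        )
    return findings


def audit_bucket(acl, policy_json):
    """Combine both checks; policy_json is the string get-bucket-policy returns."""
    policy = json.loads(policy_json) if policy_json else {}
    return {
        "acl": public_acl_grants(acl),
        "policy": public_policy_statements(policy),
    }


# --- constructed sample inputs: the open state ---------------------------
OPEN_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "AdminOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
})

# --- constructed sample inputs: the corrected state ----------------------
FIXED_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}
FIXED_POLICY = json.dumps({"Version": "2012-10-17",
                           "Statement": json.loads(OPEN_POLICY)["Statement"][1:]})

if __name__ == "__main__":
    print("open:", audit_bucket(OPEN_ACL, OPEN_POLICY))
    print("fixed:", audit_bucket(FIXED_ACL, FIXED_POLICY))
```

Running the script reports the AllUsers READ grant and the `PublicRead` statement for the open sample and nothing for the corrected one. Note that removing the public grant and statement is the fix for an already-exposed bucket; turning on S3 Block Public Access at the account level is what prevents the next one from being created.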
Imagine that you apply for a position with a firm that has a copy of the Ripoff Report data. Assume that as part of their background check on you, they look to see if you have ever filed anything with ROR, and lo and behold, it turns out that years ago you filed a ripoff report about their company — the same one you now seek employment with. How might that work out for you?