Bug poaching
Bug poaching is a cyberextortion tactic in which an attacker breaks into a corporate network and compiles an analysis of the network's private information and vulnerabilities. The attacker then contacts the corporation with evidence of the breach and demands a ransom.[1]
Operation
Unlike a typical ransomware attack, once information is stolen, a bug poacher extorts the company with details of how its systems were breached rather than with the stolen data itself.[2] IBM Security found that a bug poaching campaign in 2015 targeted approximately 30 companies, none of which had bug bounty programs.[3]
Recovery of Files
Bug poachers have demanded up to $30,000 to share how they breached a system. Poachers do not immediately destroy or release stolen data. Some companies may choose not to pay, since bug poachers do not typically release the stolen data; a company that refuses, however, has no guarantee that the data will not be leaked.[4]
A Grey Hat Technique?
Ethical hacking is often described as white hat, while its criminal counterpart is often termed black hat. Bug poaching involves unethical behavior in demanding a ransom, yet it also uses the practice of alerting the company, which is characteristic of ethical hackers. It therefore has some attributes of each hat, fitting at least one definition of grey hat.[5]
References
- Szebeni, Larry. "This Cyberextortion Tactic Is Even Scarier Than Ransomware". Apex Technology Services. Retrieved 23 June 2016.
- Wysopal, Chris (22 June 2016). "'Bug Poachers:' A New Breed of Cybercriminal". Dark Reading. InformationWeek. Retrieved 23 June 2016.
- Kuhn, John (2016-05-27). "Bug Poaching: A New Extortion Tactic Targeting Enterprises". Security Intelligence. Retrieved 2022-10-24.
- Thomson, Iain. "IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks". The Register. Retrieved 23 June 2016.
- "Fake white hats turn to bug poaching". TechCentral.ie. 9 June 2016. Retrieved 23 June 2016.