Scammers Threaten to Review Bomb a Travel Company Unless it Pays Ransom

Twitter bots, fake reviews, and Instagram comments are the tools of a black hat SEO extortion attempt.

|
Aug 28 2018, 5:39pm

Image: Seth Laupus/Motherboard.

Cybercriminals try to extort cash from victims in all sorts of ways. They may steal data and then demand a hefty sum of bitcoin in exchange for not releasing it publicly. And hackers often deploy ransomware against a target, locking computers until the victim pays up.

But for lots of businesses, reputation is everything. One company says a group is attempting to extort it with the threat of spreading a wave of fake, negative reviews and complaints across Instagram and Twitter.

“We are experts in destroying personal or company reputation online,” the group, calling itself STD Company, wrote to its targets, according to a copy of the email provided to Motherboard by the victim. The target is CheapAir, a flight price comparison website.

“Once we complete our job, even if your site remains on Google, you can be sure that all first page would be full of negative results about your company,” the email adds, signing off with the name “Semyon.”

Businesses, media outlets, and any number of other organizations and individuals are often concerned with their Google Search results (see, for example, Donald Trump’s tweets this morning.) That’s why Search Engine Optimization (SEO), the tactic of getting your website or content higher up in Google’s results has emerged over the last decade. That, and people typically want their high up search results to be positive, be that a glowing restaurant review or five-star product recommendation.

But, of course, search engines, social media, and review sites can be polluted and gamed. In June, trolls posted a torrent of porn on the Yelp page of The Red Hen, a restaurant that asked White House press secretary Sarah Huckabee Sanders to leave. In 2015, Apple haters bombarded Apple’s first Android app with 1 star reviews.

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

In CheapAir’s case, the apparent extortion email says STD plans to create thousands of negative reviews on TrustPilot and RipOff report. STD also threaten to leave thousands of negative posts and replies on CheapAir’s social media accounts.

"We're definitely not going to pay these cyber thugs, but we still have to devote a lot of time and resources to combating it," CheapAir CEO Jeff Klee told Motherboard in an email.

SSPR, a public relations firm that CheapAir confirmed it was retaining, also shared screenshots of the sort of posts STD suggested it plans to make. One is a tweet saying “CheapAir is a total fraud! I have lost $1440 and they ignore my emails. People stay away from @CheapAir.” At the time of writing, the tweet has been retweeted over 200 times, and liked 120 times. But many, if not all, of those interactions appear to be from bot accounts.

Motherboard found a slew of the accounts were created this month, had no profile image, or used a photo of a person widely available elsewhere online. Many of the accounts had no original tweets, and retweeted and liked the same or similar content—football, Turkey, and cryptocurrency, as well as the CheapAir tweet—suggesting they are part of the same bot network. Twitter has already flagged some of the accounts as “temporarily restricted,” a measure the social media site takes against suspicious users.

Caption: One of the tweets retweeted and liked by bot accounts. Image: Screenshot.

In response to that tweet, the CheapAir account replied with a standard customer support message, asking the alleged complainant to get in touch. Probable bot accounts have liked that individual tweet some 1,100 times.

On Instagram, STD has posted a string of negative comments as part of the extortion attempt. “Scam,” reads a comment from one user under a CheapAir photo. A screenshot SSPR shared with Motherboard shows more, seemingly now deleted, comments, including “I was scammed by this fraudulent company!”, “Stay away from CheapAir,” and “Used them once, never again.”

STD also writes it will destroy CheapAir’s search engine ranking by spamming comments with links to pages related to, for example, “penis pills.” In the worse case, STD says, Google may ban CheapAir from the search engine’s results.

Caption: A screenshot provided by SSPR of comments left on CheapAir's Instagram account. Image: Screenshot.

In their email to CheapAir, STD wrote “This is just a demonstration, to prove that this is not just an empty threat as at this point we are not working against you.”

Klee added "In keeping an open dialogue with our customers, we have faith they will see beyond these fake bot posts."

"Brand reputation, not to mention the reputation of political candidates, can be made or broken on social media platforms. I know these [social media] companies didn't necessarily ask for that responsibility, but it's theirs now, and I urge them to be more proactive," he added.

According to the email, STD used a Mail.ru address to contact CheapAir. That’s not necessarily indicative of where a user may be based, but through Mail.ru’s password reset mechanism, Motherboard found the phone number connected to the address begins with the country code for Russia, +7.

In the email, STD demand CheapAir sends 1.5 bitcoin (around $10,500 at the time of writing) to a provided address by Wednesday. STD also offers their services in order to harm CheapAir’s competitors, “but only after your payment has been received,” the email adds.

STD did not respond to an emailed request for comment.

“Best Regards,” the email signs off.

Update: This piece has been updated to include additional comment from CheapAir CEO Jeff Klee.