from the managing-everyone's-reputation-but-your-own dept
We’ve covered incidents involving Ripoff Report for several years here at Techdirt. In most of the cases that we’ve covered, Ripoff Report has been the target of bogus DMCA takedowns and libel lawsuits from entities who would do pretty much anything to see negative reviews disappear.
Ripoff Report has plenty of critics. The company refuses to take any review down, even if the reviewer is the one asking for it to be removed. People have accused Ripoff Report of engaging in extortionate behavior by encouraging third parties to flood complaining companies (and individuals) with negative reviews. And the site’s hardline stance of review removal (it simply never happens) hasn’t earned it much sympathy in other countries where Section 230 immunity and other free speech-friendly laws aren’t in effect.
But the latest news involving Ripoff Report is some of the weirdest. And it comes from an unusual source: the Department of Justice. A Cyprus national with links to a California reputation management company has been extradited to the US to face criminal charges related to the malicious hacking of Ripoff Report.
The indictment alleges that on Oct. 30, 2016, [Joshua] Epifaniou obtained unauthorized access to the database of Ripoff Report (ROR), a company located in Phoenix, Arizona, through a brute force attack. A brute force attack is a trial-and-error method used to obtain information, such as a user password or personal identification number. Epifaniou allegedly used the attack to successfully override ROR’s login and password protection to access its database through an existing account for a ROR employee. On Nov. 18, 2016, Epifaniou emailed ROR’s CEO using an email address, threatening to publicly disseminate stolen ROR data unless the company paid him $90,000 within 48 hours. According to the indictment, Epifaniou emailed again the following day with a hyperlink to a video recording demonstrating Epifaniou’s unauthorized access to the ROR CEO’s account.
This would be on top of Epifaniou’s other alleged extortion schemes. He also illicitly harvested personal information from a number of other sites, including those belonging to an online game publisher, an employment service, and a sports news site run by Turner Broadcasting. Epifaniou and his conspirators emailed users of these sites, threatening them with exposing sensitive data unless a ransom was paid.
Trying to extort Ripoff Report’s site owner wasn’t the only thing Epifaniou did. He also leveraged his illicit access to the review site to benefit California-based SEO Company’s customers, ensuring a healthy payout for himself in the process. From the indictment [PDF]:
On or about November 8, 2016, SEO Company negotiated a “reputation management service agreement,” charging the client an initial $4000 for removal of a complaint from ROR.
On or about November 9, 2016, EPIFANIOU and his co-conspirator via an instant messaging service discussed their plan to remove data from the ROR website for a fee but pretend to SEO Company’s clients that it was accomplished through court orders rather than computer hacking.
On or about February 13, 2017, SEO Company negotiated a “reputation management service agreement” with another client, charging an initial $4,000 for removal of a complaint from ROR.
On or about February 14, 2017, EPIFANIOU and his co-conspirator via an instant messaging service discussed the status and profits of their ROR hack, and their intent to hack-additional customer complaint and review websites (including through website vulnerabilities and stolen employee login credentials).
On or about March 3, 2017, SEO Company negotiated a “reputation management service agreement” with another client, charging an initial $4,150 for removal of two complaints from ROR.
On or about March 31, 2017, SEO Company negotiated a “reputation management service agreement” with another client, charging $11,000 for removal of two complaints from ROR.
On or about April 27, 2017, EPIFANIOU and his co-conspirator via an instant messaging service discussed another method for unauthorized access to ROR’s database, “in case the original exploit gets patched so we can drag this out for another at least 6-7 months.”
Between October 2016 and May 2017, EPIFANIOU and his co-conspirator removed at least 100 complaints from the ROR database, charging SEO Company’s clients approximately $3,000 to $5,000 for removal of each Complaint.
And that’s how you remove a negative review from Ripoff Report. All you need is a willing conspirator, admin-level access to the site itself, and the willingness to put your freedom on the line to help companies patch up their reputations. It’s not a great plan, but it worked right up until it didn’t. And that six-month run was enough to delete 100 negative reviews and generate at least $300,000 in payments from SEO Company customers who are now linked to illicit hacking and ransom demands. Fun stuff.