[ISN] Extortion Online

InfoSec News isn at c4i.org
Wed Sep 15 01:58:55 EDT 2004


By George V. Hulme
Sept. 13, 2004 

It's the kind of E-mail that grabs you by the collar and doesn't let
go. On a Saturday afternoon last January, a message hit the in-box of
BetCBSports.com, threatening to knock the online gambling site offline
in prime sports-betting season if the company didn't pay up.

"You have 3 choices. You can make a deal with us now before the
attacks start. You can make a deal with us when you are under attack.  
You can ignore us and plan on losing your Internet business," the
E-mail read.

It was no bluff. Within three hours, the site was taken down by what's
known as a distributed denial-of-service attack. The first attack
lasted five minutes and then ceased. "They were showing us what they
could do," says Thomas Burns, who runs the business-technology systems
for what's now known as WagerWeb.com, operated by CasaBlanca Gaming.

Such threats happen more often than most people realize. A survey by
Carnegie Mellon University's H. John Heinz III School of Public
Policy, in conjunction with InformationWeek's Summer Research
Fellowship, found extortion attacks are surprisingly common: 17% of
the 100 companies surveyed say they've been the target of some form of
cyberextortion. The study, authored by graduate student Gregory M.  
Bednarski, queried small and midsize businesses about cyberextortion
and other types of computer fraud.

The findings come as no surprise to FBI special agent Thomas Grasso,
who helped with the study. "The majority of the cybercrimes we
investigate involve some type of monetary motivation," Grasso says.  
"This business of people going out and compromising sites just to
prove how much they know is a myth."

WagerWeb was knocked offline for about a day, says Dan Johnson, senior
VP and senior oddsmaker at the site. Rather than pay off the
attackers, the company called on its technical forces to build a
defense and enlisted the help of Internet security-services provider
Prolexic Technologies Inc. The vendor's services, at about $100,000 a
year, aren't cheap. But, "I'd rather pay the $100,000 than pay the
extortionists," Johnson says. The gamble paid off. "As soon as we got
the service running, the attack stopped," technology manager Burns

Cyberextortion mostly travels under the radar, but not always. Earlier
this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one
count of attempting to extort $17 million from intellectual-property
company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk
threatened to leak confidential information and launch
denial-of-service attacks against intellectual-property attorneys
worldwide if he wasn't paid.

In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly
claiming to have found a security flaw in Best Buy Co.'s systems and
threatening to expose and exploit that flaw unless he was paid $2.5
million. A trial is expected this fall. And last year, Kazakhstan
hacker Oleg Zezev was sentenced to 51 months for illegally entering
Bloomberg L.P.'s systems and threatening to disclose the break-in if
he wasn't paid $200,000.

Most extortion plans fail. According to Carnegie Mellon's survey, 70%
of those threatened with extortion say the attempts were unsuccessful.

But it's a growing problem nonetheless. Networks with anywhere from a
couple of hundred to tens of thousands of compromised systems that can
be used to launch distributed denial-of-service attacks have increased
sharply this year, says Vincent Weafer, senior director of Symantec
Corp.'s Security Response service. The vendor tracks these attack
networks, which are set up by "criminals who want to use them for
profit," Weafer says. In six months, they've swelled from 2,000 to
more than 30,000, he says.

Small and midsize businesses often believe cyberextortionists aren't
interested in them because they're too small, with 68% of the
companies in the Carnegie Mellon survey responding that they're at no
or low risk. But Bednarski warns that's false comfort. "Being a small
company may actually increase your risk," he says. "The extorters are
scanning the Internet for vulnerable systems, and it's no skin off of
their nose to send out letters demanding $5,000. If 10% of the
companies pay, the extortionist is sitting pretty."

Moreover, many companies aren't taking necessary precautions. Only 21%
of companies in the Carnegie Mellon study have formal training
programs to teach employees how to respond to security breaches, and
only 37% have performed security assessments in the past six months.

Perhaps more unsettling: 45% of companies express a lack of confidence
in their technical department's ability to respond to security
incidents. "More companies clearly need to raise their security
posture," Symantec's Weafer says.

Otherwise, they may find themselves scrambling in the midst of an
attack, as WagerWeb did. Now, the online site is better prepared to
stand firm against a threat, should one arise. Says Johnson: "We won't
give in."
