[ISN] Extortion via DDoS on the rise

InfoSec News isn at c4i.org
Tue May 17 01:56:22 EDT 2005


By Denise Pappalardo and Ellen Messmer
MAY 16, 2005 

Criminals are increasingly targeting corporations with distributed
denial-of-service (DDoS) attacks designed not to disrupt business
networks but to be used as tools to extort thousands of dollars from
the companies.

Those targeted are increasingly deciding to pay the extortionists
rather than accept the consequences, experts say. While reports of
this type of crime have circulated for several years, most victimized
companies remain reluctant to acknowledge the attacks or enlist the
help of law enforcement, resulting in limited awareness of the problem
and few prosecutions.

Extortion is "becoming more commonplace," said Ed Amoroso, chief
information security officer at AT&T Corp. "It's happening enough that
it doesn't even raise an eyebrow anymore."

"In the past eight months we have seen an uptick with the most
organized groups of attackers trying to extort money from users," said
Rob Rigby, director of managed security services at MCI Inc. "We try
to do our best to get [customers] through it, but we leave it up to
them to bring such attacks to the attention of law enforcement."

While MCI has been asked to help with prosecutions in other cybercrime
cases, Rigby says he does not recall a service provider being
subpoenaed in a DDoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs
and third-party research firms can't provide figures on the number of
DDoS attacks that include demands for money.

The FBI aggressively works daily on cases involving DDoS attacks and
extortion, said bureau spokesman Paul Bresson.

"Almost all of them have an international connection," he says. "There
aren't many cases where people doing this are from the U.S, and many
times it is a juvenile subject to the laws of another country."

Bresson says such cases have been prosecuted, although he was unable
to cite any. The FBI continues to encourage companies to report this
crime to law enforcement, he says, yet "we understand there's a
reluctance to do so."

An indeterminable number of victims are choosing to meet the demands
of extortionists rather than turn to law enforcement because they're
worried about negative publicity. The law does not prohibit paying,
said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston,
who has extensive experience with e-commerce and Internet law.

"It's illegal to make the demand, but it's not illegal for companies
to pay to make the attacks go away. It's analogous to ransom," Porter
said. "It's something companies are doing because the costs of
denial-of-service attacks are so expensive."

"The problem is, if companies keep paying, the attacks will continue,"  
she said.

Even those who don't pay and instead work with their service provider
to mitigate an attack are leery about reporting the crime.

"It's still taboo for users to talk about these attacks," Rigby said.  
"Users worry that just coming under attack can damage their brand."

Companies are not required by law to report these crimes, Porter said,
adding that she suspects that many are reticent to do so because they
fear being sued over the risks that such an attack might create for
their customers.

"We've had [extortion attempts] happen to our customers," said Bruce
Schneier, chief technology officer at managed security services
provider Counterpane Internet Security. "More often than I'd like,
they're paying up." Counterpane offers anti-DDoS services, he added,
but they "aren't cheap."

Anti-DDoS services cost around $12,000 per month from carriers such as
AT&T and MCI, said John Pescatore, an analyst at Gartner Inc.

The most popular type of anti-DDoS equipment used by service providers
is Cisco Systems Inc.'s Riverhead gear and Arbor Networks Inc.'s
detection tools. This equipment can filter about 99% of the attack
traffic, Pescatore said, although sometimes network response times
drop by a few seconds.

Gartner advises clients not to pay extortion demands, but some have
nonetheless dropped hundreds of thousands of dollars into Swiss or
Cayman Island bank accounts controlled by criminals, Pescatore said.  
"We tell them they're better off going to AT&T and MCI for anti-DDoS
protection," he added.

However, when a business needs multiple service providers for backup
and bandwidth, the cost for obtaining anti-DDoS services from each can
be seen as prohibitive. "So they think it's the same amount of money
either way, the service provider or the extortionist," Pescatore said.

One company that refused to pay, Authorize.Net, also went public about
its attack. Last fall, the Bellevue, Wash., payments-processing firm,
which authorizes credit card transactions for more than 114,000
merchants, had its Internet-based service disrupted by extortionists
demanding payment to cease a massive DDoS attack. Authorize.Net issued
a statement apologizing for the intermittent disruption in its service
and spoke out about the extortion demands.

"Today, we've not yet seen a successful apprehension of anyone
involved," said Authorize.Net President Roy Banks. "As a
payment-processing platform service, we're prepared in dealing with
these threats all the time. We see them regularly."

His company has seen "demands from $10,000 to several millions," Banks
said. Authorize.Net's policy is not to pay. "We typically engage law
enforcement immediately," he said.

As for protecting his company against future attacks?

"We've invested in [DDoS] equipment," said Banks, who declined to
identify the type of equipment, saying he worries that might only help
attackers. "It's a combination of hardware and software, both
commercial and proprietary," he said.

Vendors such as Mazu Networks, Captus Networks and Arbor have products
focused on mitigating DDoS attacks.

Banks said an important aspect of a DDoS defense is completing
service-level agreements with Web hosting and bandwidth providers to
create a "framework of cooperation."

There are a few ways these attacks get started. In some cases,
businesses receive a threatening e-mail or phone call stating if they
do not meet certain demands they will be victimized by a DDoS attack.  
Most often, the DDoS attack begins and then the business is contacted.  
The perpetrator sometimes stops an attack after 10 minutes or so and
then contacts the company saying if it doesn't wire money to a
specific account the extortionist will resume the attack.

Experts say the demands can be $100,000 or more, but some criminals
ask for smaller amounts.

The extortionists "want to make it real easy for someone to pay," said
AT&T's Amoroso. "Think about it; if you're getting pounded and all you
have to do is fork over $6,000 to this account and everything will be
fine, it seems easy."

Countering the crime spree is likely to prove more difficult, and some
say it will take an increased willingness on the part of victims to go
to the authorities.

"There's been a certain laggardness in addressing this at a more
formal level," said Banks. Speaking out might help raise awareness
that vendors, online businesses and law enforcement need to work
together more closely to catch the extortionists. "This involves
countries outside the U.S., too, so we should really be dealing with
it internationally."

More information about the ISN mailing list