Cyber Security Institute

Monday, May 16, 2005

DDoS being used in extortion schemes

Criminals are increasingly targeting corporations with distributed denial-of-service (DDoS) attacks designed not to disrupt business networks but to be used as tools to extort thousands of dollars from the companies.  Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say.

While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

Extortion is “becoming more commonplace,” said Ed Amoroso, chief information security officer at AT&T.  “It’s happening enough that it doesn’t even raise an eyebrow anymore.”

“In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users,” said Rob Rigby, director of managed security services at MCI.  While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can’t provide figures on the number of DDoS attacks that include demands for money.  An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they’re worried about negative publicity.

The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law.  Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.

Anti-DDoS services cost around $12,000 per month from carriers such as AT&T and MCI, said John Pescatore, an analyst at Gartner Inc.  The most popular types of anti-DDoS equipment used by service providers are Cisco Systems’ Riverhead gear and Arbor Networks’ detection tools.  This equipment can filter about 99 percent of the attack traffic, Pescatore said, although sometimes network response times drop by a few seconds.

Last fall, the Bellevue, Wash., payments-processing firm, which authorizes credit card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive DDoS attack.

“Today, we’ve not yet seen a successful apprehension of anyone involved,” said Authorize.Net President Roy Banks.

Posted on 05/16