Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gangs Extort Companies With DDoS Attacks

Posted by timothy on from the crisis-of-the-week dept.

Pcol writes "The Financial Times reports that gangs based in Eastern Europe have been launching attacks on corporate networks costing the companies millions of dollars in lost business and exposing them to blackmail. Sites have been asked to pay up to ensure they are free from Distributed Denial of Service attacks for a year. One detective reported, 'If the demand comes in for $40,000-50,000, compared to the losses they're suffering, there's an attraction for the companies to pay and hope it goes away. But there's nothing to say it will go away.'"

30 of 423 comments (clear)

  1. A new financing model... by waytoomuchcoffee · · Score: 5, Funny

    For /.?

    1. Re:A new financing model... by metlin · · Score: 4, Funny

      Sure.

      But just that with all the story repeats, they might just forget that they'd been paid not to do that again.

      You know, that might actually prevent them from posting repeats though ;-)

    2. Re:A new financing model... by blair1q · · Score: 4, Funny

      Turn it around. /. should offer to block access from a company network.

      The productivity gains would be enormous.

  2. Fine. Let them! by freeze128 · · Score: 5, Insightful

    The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!

    1. Re:Fine. Let them! by TheTomcat · · Score: 4, Insightful

      What exactly would this consultant / administrative talent DO?

      You have 10,000 zombies firing packets at you, spoofed on random IPs, how do you stop this?

      We had to Akamize our stuff.. and that's extremely pricey (think 2+ salaries).

      S

    2. Re:Fine. Let them! by Zeinfeld · · Score: 4, Informative
      The gangs can *TRY* to extort money, but in the long run, it would be cheaper to hire consultants or better administrators. This will have the effect of IMPROVING security worldwide. Thanks European gangs!

      Commercial rates for security consultants start at $2,000 per day. People in the middle tier charge as much as $5,000. Big name consultants such as Bruce Schneier can name their price.

      And the fact is that none of us can do diddly against a DDoS attack, except advise you on how to configure bigger pipes and how to get in touch with ISPs quickly to stop the traffic from their networks.

      Occasionally there is a DDoS that has a flawed mode of attack that can be diverted. There have been a couple of attacks against the Whitehouse that were like that. They can divert the attacks because they can get top rank consulting for free in extremis.

      Not paying might be cheaper in the long run, but in the long run we are all dead. The answer is not consultants, it is law enforcement and better infrastructure.

      For example why exactly does anyone need to send a stream of several thousand SYN packets per second from a home computer to the same IP address for several hours at a time? There is simply no reason why a home machine should need to do that, nor should a home machine be sending millions of DNS requests per second to any machine.

      There is a pretty easy fix to DDoS attacks, put intelligence into cable modems and router boxes. Even if there is an option that allows the expert user to turn the checking off the boxes should be shipped in a safe configuration by default and it should not be possible to disable the safety catch without physical access to the modem.

      Congress could encourage ISPs to adopt this type of technology by merely suggesting that ISPs be made liable for attacks mounted from their machines.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
  3. Internet Mafia by Anonymous Coward · · Score: 4, Funny

    So now there's an internet mafia.

    So who's the god father? I vote Al Gore.

  4. protection market by musikit · · Score: 5, Insightful

    funny thing is with the old mobsters paying protection money to mob A would stop mob B from doing the same.

    what's to stop another DDoS group from doing the same?

    as the movies teach never pay the protection money

    1. Re:protection market by swb · · Score: 4, Interesting

      There's two kinds of protection:

      One kind is the low-level "Pay me or I wreck shit". In this model, you don't actually get "protection" from anyone else, just the people you paid don't arbitrarily wreck your stuff. If some third party decides to play rough, the people you're paying protection to generally don't care, unless it threatens their protection money (ie, driving a store owner completely out of business).

      The more sophisticated kind of protection generally involves paying someone so that you can operate without interference. Generally this involves handing over a percentage of the operations as a tithe or tribute (and in fact among Italian mafia, it is a historical descendent of the practice of conquered peoples paying tributes to Roman officials). In this case, since the payment is generally dependent on the successful completion of whatever the protected activity is, you'd be more likely to get muscle applied in your favor to keep rivals away. But even then there may be extra money associated with hiring muscle, and often it is an artificial ruse used to obtain larger tributes. (In an episode of the Sopranos, Tony uses a black political agitator to get more tribute out of a construction business that is already paying tribute. He then "breaks up" the black's protest and later splits the take with the black's leaders).

  5. A new financing model for /.? by canfirman · · Score: 5, Funny

    Nah, a new financing model for SCO.

    --
    It is not our abilities that show what we truly are... it is our choices.
  6. Lunch money by landaker · · Score: 3, Funny

    One kid reported, 'If the demand comes in for $4-5, compared to the losses they're suffering, there's an attraction for the wimps to pay and hope it goes away. But there's nothing to say it will go away.'

  7. This isn't surprising... by Mysticalfruit · · Score: 4, Interesting

    Firstly, I'm suprised it took this long for something like this to happen. Though I suspect it's been happening for a while. Organized crime has always been ready to utilize new technology in the persuit of money / Power.

    Secondly, How is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software.

    --
    Yes Francis, the world has gone crazy.
    1. Re:This isn't surprising... by signe · · Score: 4, Funny

      Secondly, How is this different from some company installing spyware/nagware that's not uninstallable and then sending you email asking you to pay 20 bucks for a utility that'll "remove" their piece of software.

      Easy. Asking for money to not attack someone's servers is extortion. Your example is an "innovative business model".

      -Todd

      --
      "The details of my life are quite inconsequential..."
  8. Anyone looking for work in security? by phorm · · Score: 4, Insightful

    For $50,000 a year, sounds like a decent wage for anyone who's currently unemployed. Why not just hire a good whitehat instead of caving into blackhat demands?

    1. Re:Anyone looking for work in security? by fliplap · · Score: 3, Insightful

      And then what exactly is a "good whitehat" going todo to stop a DDoS?

  9. Quick! Someone call SCO! by Our+Man+In+Redmond · · Score: 4, Funny

    Surely this is a violation of their IP in regards to extorting money using online means!

    --
    Someone you trust is one of us.
  10. SOLUTION? by exhilaration · · Score: 3, Interesting

    So how do you protect yourself from a DDOS attack? Are there any closed-source or open-source products that can do it? I've seen "network appliances" that claim to protect you, but I haven't read any reviews.

  11. Stupid Gangs... What they ought to do by EricWright · · Score: 3, Funny

    ... is patent DDoSs, then extort, er... I mean, charge licensing fees, to anyone invoking a DDoS against a site. I mean, isn't that what US patents are good for these days?

  12. Why do I Keep Getting Left Out? by coupland · · Score: 4, Funny

    Fifteen years ago all the cool kids would make fun of me and call me a computer geek and never pick me for the baseball team and stuff. Now all the cool geeks are going off forming gangs and taking down servers and I'm still left out! I can't figure this world out...

  13. Hmm by downix · · Score: 4, Interesting

    The primary targets appear to be gambling sites.

    Why is it whenever the mob is involved, their first target are gambling sites? Next thing it will be online porn and pharmacudicals.

    --
    Karma Whoring for Fun and Profit.
  14. Re:What gives? by The_K4 · · Score: 3, Interesting

    The issues becomes when it crosses country lines. I recently had trouble with a buisness in Canada, I live in the US. The US police have the police who's jurisdiction the company is in do the investigation. The Canadians have the police who's jurisdiction the victim is in do the investigation. Neither set of authorities would investigate a clearly illegal act. They both refered me to the FBI who said "Unless it's a terrorist act, we will not even start a report".

  15. My God someone has finally done it! by Str8Dog · · Score: 3, Funny

    I am stupified... someone has finally found the ????? in the buisness plan. Amazing...

    1. Buy computers
    2. Blackmail companies for $40k or DDoS them
    3. Profit!

    --


    Str8Dog
    using System.Darkside; public
  16. Re:It's even cheaper... by satanicat · · Score: 3, Insightful

    I can imagine the headline. . , hitman kills a bunch-o 14 year olds for 40 grand=)

    --
    How Now Brown Cow
  17. They make pay to their hacked eBay accounts... by jcrb · · Score: 4, Informative

    which they transfer to one of the 100's of stolen credit card numbers they have which they then go off and use to by something very expensive (in person).

    As a side note, I know a network security company who got hit with one of these, end result? The FBI and the local (eastern european) police arrested and are trying the hackers in question.

    When you start trying to extort real money across international borders you are into real crime. The FBI does investigate these attacks, and I am sure they will get much better at it as time goes on.

    --
    -jon
  18. Karmic in a way... by CaptTofu · · Score: 4, Interesting

    For the outsourcing some companies have been doing. You let some Ukrainian company design software for integral parts of your organisation's business and later get screwed by some thugs blackmailing you, well, this is one of those cases where maybe you should have paid a little more to hire domestic programmers who come from a less thugocratic society.

    Saving a buck has its limits!

  19. Any company that pays is stupid by cyberlotnet · · Score: 3, Insightful

    Its not like Gang A can Stop Gang B from DDos attacking a network.. This is not the slums where they can have hired henchmen beat anyone else trying to inch into there area.

    You pay gang A to go away.. a month later gang B hits you.. You complain to gang A.. They tell you its not them.. You pay gang B.. a month later gang C hits you.. WASH and Repeat till your company is broke

    --
    Personal Website
  20. To put this in perspective... by InfraredEyes · · Score: 5, Interesting

    ...the targets need not be large companies with high-profile Websites. My small (5 person) company is just now recovering from a DDOS attack against the DNS server used by our ISP; as of yesterday evening, they were getting repeated hits from at least 15,000 zombies. Our email and our Website were completely inaccessible for about 24 hours, and many other DNS customers will have suffered similarly. Various changes in server IP address etc. seem to have fixed the problem for now. The advice from the DNS server people is to use at least two independent DNS services in future. It must hurt to have to tell customers, in effect, to do business with your competitors to ensure service.

  21. Re:Wrong, it is ILLEGAL! by milkman_matt · · Score: 3, Funny
    Well, it's more like a big store than a house; And the hackers are effectively (and deliberately) blocking the entrance to the store for paying customers. It doesn't matter what means they use to achieve this effect.

    So if blocking a big store is like hacking.. and hackers are terrorists... All those grocery store employees striking here in California are terrorists!?
    :)

    -matt

  22. How to collect? by gr8_phk · · Score: 3, Insightful

    How do these guys expect to collect the money without being caught? You need to show up in person to accept cash (or at least show up at a drop point) and large transfers can be tracked... Can't they? So how do they collect?

  23. Something easy to steal != cupable for theft by baileytal · · Score: 3, Insightful
    ...an automobile manufacturer makes a car that can be easily stolen (say by jiggling the door handle, and a key is not required to start it) if someone steals this car, and drives it through a business's window, should the car manufacturer be liable?
    No. Theft of property is an act seperate from the nature of that property. The fact that I left my wallet on the window sill does not mean that I am in any way responsible for your choice to take it, or the subsequent fact that you used the money to finance a criminal act. The fact that a car is easy to steal does not weaken the law against stealing the car. There is no such thing (at least not in any jurisdiction I'm aware of) as aggravated theft. Whatever the thief did with the car is entirely his or her responsibility. Now, if the car's brakes were of a faulty design...
    --
    Never at a loss for words... because of the voices.