Fighting Online Extortion

prostoalex writes "Information Week talks about those mornings, when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and extortionist asking for certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists, are in for a surprise."

Re:I worry for my employer

[Pig+Hogger]

The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?

That one is easy to fix. Management only needs to make sure that there are no ex-disgruntled employees...

Once again, a bad summary.

[damiangerous]

Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet,

No, it doesn't say that at all. It says:

"According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful."

It does talk about how many businesses have had to deal with 'cyberextortion', and that percentage is just over half of the submitter's claims:

"17% of the 100 companies surveyed say they've been the target of some form of cyberextortion."

Re:Once again, a bad summary.

[dema]

If you look at the chart on the left side of the screen, you'll see the question: Has your company or any employee been the target of cyberextortion?. And, as indicated in the pie chart, 70% of those surveyed said No, just as the poster indicated. And in reference to the story only being about DDoSing, if you read the whole article you see:

Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid.

In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.

The first one threatened DDoSing in addition to leaking info, and the other examples had nothing to do with DDoS.

Re:So who are the extortionists?

[Anonymous+Luddite]

I'd hope they are getting more than a "firewall + script" for 100G.

A quick look at Prolexic's web site make me think it's selling a distributed proxy service. Don't see why it wouldn't work.

As far as the reasonability of cost, I doubt 100G is a big number for them.. ..they're bookies.

Sarbanes-Oxley?

[hughk]

If you are a public corporation, then Sarbanes-Oxley applies. This mandates disclosure of any issues that may affect share price. Any time bombs waiting to go off, i.e., major systems problems, that are known about must be disclosed. If senior management is aware of a serious problem that they do not disclose, then they can be in serious trouble.

Re:Sounds like a business opportunity.

[DNS-and-BIND]

I thought it was $50,000. At least, that's what they said when we tried to turn in a cracker at my old ISP job.

As an aside, lie. Exaggerate the damages, get the FBI in. The worst that can happen is you revise the damage estimate downward later.