Slashdot Mirror


Fighting Online Extortion

prostoalex writes "Information Week talks about those mornings when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and an extortionist asking for a certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists are in for a surprise."

17 of 116 comments

  1. Finally! by Pig+Hogger · · Score: 3, Insightful
    A clued-in story submitter who submits the print link.

    Bravo!

    * * *

    There are plenty of ways of preventing DDOS attacks, most of which, unfortunately, call for SKILLED network operators.

  2. You are so stupid if you pay! by earthstar · · Score: 5, Insightful
    At least this extortion won't leave people in a dilemma whether to pay or not, because there simply cannot be any question of paying, whatsoever may be the data!!

    This extortion isn't like conventional extortions wherein you get your thing back when you pay.

    The extortionist obviously would have made copies of the data, and would have given it to so many of his friends..... If someone's gonna pay, would he be paying for every one of the mails asking for the same data he had paid for?


    LOL


    Sorry, but I think the website owner has already lost the battle - unless the extortionist gets caught - provided the duplicated data isn't with anyone!

    1. Re:You are so stupid if you pay! by Nos. · · Score: 2, Insightful

      I don't doubt it, but as you say it's a short-term "victory". If they paid once, they'll probably pay again. Repeat until they finally get some security. This is another situation where some up-front investment (in security) will pay off in the long run, not to mention that actually protecting your customers' data is the "right thing to do".

  3. Re:I worry for my employer by ScrewMaster · · Score: 2, Insightful

    That only works when both sides are always reasonable.

    --
    The higher the technology, the sharper that two-edged sword.
  4. This occurred to me by Anonymous Coward · · Score: 2, Insightful

    I have a small ecommerce site and this occurred to me one time.
    I received an email with my personal data, asking me to contact him.
    I contacted the hosting service and investigated possible bugs and the raw logs, but I never replied. Finally, I think they got my data from whois services.

  5. Re:Trace the money by YankeeInExile · · Score: 4, Insightful
    1. Phish for some schmoe's Citibank account.
    2. Target BigWebsite.COM for extortion.
    3. Use patsy's bank as a drop box.
    4. Move as soon as the cash is in hand.
    --
    How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  6. International Banking by xyote · · Score: 4, Insightful
    Without it, international extortion would be impossible. If you made the banks liable no matter how far the chain went, that kind of extortion would stop, just like that.

    There are analogies with the telcos enabling dial out frauds by sticking it to the customer. If the telcos and banks were responsible, they'd be real careful who they gave other people's money to.

  7. This story is part advertisement by Cryofan · · Score: 3, Insightful

    Like most media "news" stories.....

    --
    eat shiat and bark at the moon
  8. They'd be the first to be investigated by Toxygen · · Score: 1, Insightful

    I'm sure the first thing the authorities (or anybody even) would do is check out who has the highest motive for starting an extortion scheme like that. If it's well known that these 2 people have issues with the company, the first thing any competent investigator would do is question them first. This is not to say that the damage wouldn't have already been done at this point, but it should at least be some comfort that they would most likely be caught and made an example of.

  9. Insurance! by Anonymous Coward · · Score: 2, Insightful

    That is the way to go. Yes, security is a good start but it is impossible to completely become immune to attacks.

    Therefore I say to spend the resources on insurance and simply ignore the threats and attacks. The extortionist gets nothing and may waste his power on absolutely nothing, running a serious risk of getting caught - all for nothing.

    The company has its assets insured and loses nothing.

    In a few days all the extortionists go back to breaking legs for the local loan shark. There they at least get something for their efforts.

    It's a lot like terror - it only works (for the terrorists) if they get something out of their efforts. Saying no to them and hitting them back just as hard will make them think twice. They get nothing but trouble out of their efforts and this will - in the long run - make them change their MO and possibly go back to their farms or whatever their day job used to be.

  10. Re:Once again, a bad summary. by damiangerous · · Score: 2, Insightful

    Oh, and the other thing I forgot to mention about the summary is that the story isn't even about stealing customer data and using it for extortion. The story is about threatening random sites with DDoSing if they don't pay. Very different scenarios since it's far more difficult to protect against the latter. Once again, good job submitter.

  11. really? by 7-Vodka · · Score: 2, Insightful

    Is it really the extortionists driving the companies out of business, or is it that the companies played fast and loose with OUR personal data and now they are worried about the lawsuits?
    They figure the lawsuits and lost sales from this leaked information would cost X amount of money so they're willing to pay less than X to stop the leak. Maybe they should have kept the sensitive information safer in the first place.
    This is a result of either incompetence or knowingly cutting corners. (Or just plain using Microsoft software, which is both.)

    --

    Liberty.

  12. Re:Victim does online gambling; shady = vulnerable by dougmc · · Score: 2, Insightful
    If everyone involved is a consenting adult, they shouldn't have anything to fear from using the legal system for defense.
    In theory, you are correct. In practice, it's not so simple. Often law enforcement members themselves don't care for porn and won't take such complaints very seriously. Or they may see this as an opportunity to scrutinize the business and make their life difficult as they look for illegal things to bust them for (and even if there aren't any, that doesn't mean it's not a big problem for the business.)

    Last I heard, Hustler magazine spent over one million dollars per year just on legal expenses, and generally they do not violate the law. This is probably an extreme example, but I imagine that lots of porn businesses spend above-average amounts on legal expenses just because of the nature of their business. Anything that draws attention to you could very well increase that ...

  13. Don't pay. by jellomizer · · Score: 4, Insightful

    Contact the FBI or some other form of crime investigation unit. Change all the accounts if possible. Also you should make a bunch of fake accounts beforehand (as well as tightening up your computer security, and for God's sake hire an independent consultant to run security audits on your network and your code as well if possible).

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  14. Re:So who are the extortionists? by GigsVT · · Score: 2, Insightful

    Yeah, but most companies are run by idiots. Seriously. They think nothing of dropping $100,000 on ISO9660 consultants, $100,000 on "efficiency experts", etc, etc.

    When your revenue is several tens of millions a year (for a mid-sized company), 100,000 looks cheap, even if it is something that could be handled a lot cheaper.

    One thing I've noticed, people are resistant to change generally. But if that change comes from highly overpaid consultants, people are more willing to change the way they do things. Of course that doesn't much address the problem of stagnant employees and managers.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  15. Re:Sounds like a business opportunity. by evil_one666 · · Score: 2, Insightful
    No kidding! Have you ever noticed how articles about "new IT security threats" ALWAYS come with an infomercial buried in them somewhere. In this case-
    Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc.
    Hmmm, but of course Prolexic Technologies Inc. has nothing to do with the publication of this article (ahem...)
  16. Re:So who are the extortionists? by Bios_Hakr · · Score: 2, Insightful

    We had a team come in to examine our NOC. The first thing they wanted when they came in was valid IPs and subnet listings. In front of my boss, I told them to get stuffed. If they want to do a test, let them come. But I'm not giving them any help at all.

    In any event, they charged a lot and found little. In the outbrief, they made even the smallest problems seem huge. I guess they may have had a point.

    IMHO, the team that came to see us charged a lot and did not really accomplish anything.

    --
    I'd rather you do it wrong, than for me to have to do it at all.