Fighting Online Extortion
prostoalex writes "Information Week talks about those mornings, when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and extortionist asking for certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists, are in for a surprise."
FP!
Seems to me that a person could make a buck advertising and selling security services with this niche alone.
Who would a person call if they had some problems like this?
It could be worse, it could be Monday.
Wow! First Post. Why haven't they learned about using protection.
My employer has a large site done in PHP that grew over the years, and is rife with opportunities for SQL injection.
They know what needs to change, and there is a plan to get from here to there over the next year, including a new in-house white-box security testing team. In the meantime, we are standing around with our pants down.
The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targeting us in an extortion scheme?
"WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says."
THAT is really freaky.
A legal extortionist, say, a patent troll or industry trade group, has to consider how much they can actually get out of a victim, since there are legal costs involved in filing the suit in the first place. These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks. Just as street criminals drive small businesses out of neighborhoods, leaving nothing but blight and boarded-up, rat-infested buildings, these online criminals could drive all the small e-commerce sites off the web and essentially cripple the web as a business method for all but the largest, wealthiest companies. So don't look for the authorities to step up efforts to combat this anytime soon.
You are in error. No-one is screaming. Thank you for your cooperation.
Bravo!
* * *
There are plenty of ways of preventing DDOS attacks, most of which, unfortunately, call for SKILLED network operators.
Where in the article does it say anything about "customer accounts quoted"? The article is about extortion by dDOS attack, not theft of information.
Then turn them in. QED.
Can anyone explain how this actually works? Same with spammers too. If you transfer money, I'd think there would be an electronic trail of the money being transferred. After 9/11 they traced bank accounts of suspects, why can't they do it all the time? A lot of spam also generates sales, but why can't the money trail be followed to catch the bad guys?
--
Live deals online with a new server, can withstand a Slashdotting now.
This extortion isn't like conventional extortions wherein you get your thing back when you pay.
The extortionist obviously would have made copies of the data, and would have given them to so many of his friends..... If someone's gonna pay, would he be paying every one of the mails asking for the same data he had paid for?
LOL
Sorry, but I think the website owner has already lost the battle - unless the extortionist gets caught - provided the duplicated data isn't with anyone!
Why does yahoo do this
I have a small ecommerce site and this occurred to me one time.
I received an email with my personal data and asking me to contact him.
I contacted the host service and investigated for possible bugs and raw logs, but I never replied. Finally I think they got my data from whois services.
No, it doesn't say that at all. It says:
It does talk about how many businesses have had to deal with 'cyberextortion', and that percentage is just over half of the submitter's claims:
There are analogies with the telcos enabling dial out frauds by sticking it to the customer. If the telcos and banks were responsible, they'd be real careful who they gave other people's money to.
Like most media "news" stories.....
eat shiat and bark at the moon
Now if only cyber-extortionists would target well-known spammers...
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Isn't there already an insurance policy for this kind of event... "business interruption policy"?
http://aip.corolla.or.id/
These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks.
You mean like those letters the BSA sends out to every single business in a target city?
I'm sure the first thing the authorities (or anybody even) would do is check out who has the highest motive for starting an extortion scheme like that. If it's well known that these 2 people have issues with the company, the first thing any competent investigator would do is question them first. This is not to say that the damage wouldn't have already been done at this point, but it should at least be some comfort that they would most likely be caught and made an example of.
That is the way to go. Yes, security is a good start but it is impossible to completely become immune to attacks.
Therefore I say to spend the resources on insurance and simply ignore the threats and attacks. The extortionist gets nothing and may waste his power on absolutely nothing, running a serious risk of getting caught - all for nothing.
The company has their assets insured and lose nothing.
In a few days all the extortionists go back to breaking legs for the local loanshark. There they at least get something for their efforts.
It's a lot like terror - it only works (for the terrorists) if they get something out of their efforts. Saying no to them and hitting them back just as hard will make them think twice. They get nothing but trouble out of their efforts and this will - in the long run - make them change their MO and possibly go back to their farms or whatever their dayjob used to be.
I AM OLIVER KABILA FROM THE DEMOCRATIC REPUBLIC OF CONGO ZAIRE, SON OF LATE LAURENT M. KABILA, THE FORMER PRESIDENT AND COMMANDER IN CHIEF OF THE ARMED FORCES REPUBLIC OF CONGO ZAIRE. PRESENTLY TAKING REFUGE HERE IN ACCRA GHANA (WEST AFRICA) AFTER THE SUDDEN DEMISE OF MY FATHER, FOLLOWING HIS ASSASINATION BY HIS PERSONAL BODY GUARD ON THE 16TH JANUARY 2001. I REFER YOU TO THE TIME MAGAZINE COVER STORY OF THE 12TH OF FEBRUARY. ON TRUST AND IN UTMOST CONFIDENCE, I AM ESTABLISHING THIS RELATIONSHIP WITH YOU IN BENEVOLENT SPIRIT AS TO ENHANCE IMMEDIATE RESOLUTION TO AN OPPORTUNITY RIGHTLY AT HAND. IN A CLOSE DOOR MEETING HELD WITH MY FATHER BEFORE HIS SUDDEN DEATH, HE DISCLOSED TO ME CERTAIN FACTS AND SECRETS ABOUT HIMSELF AND THAT OF MY STEP-BROTHER GENERAL JOSEPH KABILA (I MEAN THE PRESENT PRESIDENT OF MY COUNTRY). CERTAIN DOCUMENTS WAS GIVEN TO ME THAT DAY BY MY FATHER REGARDING 1000KG OF 22 KARATS GOLD WHICH HE DEPOSITED IN A PRIVATE VAULT OF A SECURITY FIRM HERE IN GHANA. IN ADDITION, $168 MILLION USA DOLLARS CASH IN TWO TRUNK BOXES ALSO IN THE VAULT. THE $168 MILLION USD WAS TO BE USED TO WORK ON LEADERS OF THE ECOWAS COMMUNITY, ENHANCING HIS FULL SUPPORT IN POWER. BUT THIS AIM WAS NOT ACHIEVED BEFORE HIS DEATH. THE ISSUE OF THIS MONEY AND THE GOLD HAS BEEN A SECRET BETWEEN MY FATHER AND I UNTILL HE DIED. THEREFORE, I AM TAKING THIS AS AN OPPORTUNITY TO ENRICH AND EQUIP MYSELF TO FACE MY SECRET AMBITION. AS NOBODY CAN CONVINCE ME THAT MY STEP-BROTHER (JOSEPH) IS NOT BEHIND THE DEATH OF MY FATHER. I HAVE SINCE BEEN IN THIS TOWN IN PURSUANCE OF THE CLEARANCE OF THIS CONSIGNMENT AND I AM SO FAR ABLE TO CLEARIFY/CERTIFY ALL PAPERS WITH THE SECURITY COMPANY (WHERE THE CONSIGNMENT IS BEING KEPT IN A PRIVATE VAULT). I HAVE INSPECTED THE BOX BUT COULD NOT OPEN IT DUE TO SECURITY REASONS. BECAUSE MY FATHER DID NOT DECLARE THE CONTENT AS MONEY BUT PERSONAL EFFECTS. 
ALL I NEED NOW IS A RELIABLE FOREIGN PARTNER WITH WHOM I CAN CLEAR AND TRANSFER THIS MONEY ABROAD.I HAVE AGREED TO GIVE A REASONABLE PERCENTAGE OF THE TOTAL VALUE OF THIS CONSIGNMENT AS YOUR SHARE. YOU MAY ASK IF I DON'T HAVE INTERNATIONAL CONTACTS TO ASSIST ME ON THIS ISSUE. THE ANSWER IS YES, BUT I HAVE AN AMBITION RIGHT NOW AND WANT TO LIVE IN DISGUISE UNTILL MY AMBITION IS FULFILLED. I EXPECT YOUR KIND URGENT RESPONSE BY PHONE OR EMAIL: mustty2@yahoo.com OR mustty1@yahoo.com TO ENABLE ME FURNISH YOU WITH MORE DETAILS ON THIS BUSINESS. THANKS IN ANTICIPATION. OLIVER KABILA CELL PHONE: + 233 24260633 (ON 24HRS) NB: I SHALL COUNT ON YOUR INDULGENCE TO PLEASE KEEP THIS INFORMATION VERY SECRET & CONFIDENTIAL. AND PLEASE, YOU SHOULD HENCEFORTH ADDRESS ME AS MR. MUSTAPHA OSENI. THAT IS THE NAME I AM NOW USING FOR SECURITY REASONS.
Dear Firend,
:frankjimk@yahoo.co.in
In order to transfer out (fifteen-million pounds sterling) from our bank here have the courage to look for a reliable and honest person who will be capable for this important transaction, believing that you will never
let le down either now or in future.
I am the auditor and head of computing department of a bank here in Scotland, United Kingdom. There is an account opened in this bank in 1995 and since
my inception into office in 2001, nobody has operated on this account again, after going through some old files, I discovered that if i do not remit this money out urgently, it will be forfeited for nothing.
How the money came about:
The owner of this account was Mr. John Hughes who was a foreigner and the manager of Petro chemical service here in London, a chemical engineer by
profession and he died since 1995.And then, since 2001, nobody knows about this account or anything concerning it, the account has no other beneficiary
and my investigation proved to me as well that his company does not know anything about this account and the amount involved is (15,000,000.00) pounds
sterling.
I want to transfer this money into a safe foreign account abroad but i don't know any foreigner, i am only contacting you as a foreigner because this
money can not be approved to any local bank here in Scotland, but can only be approved to any foreign account because the money is pounds sterling?s
and the former owner of the account is John Hughes and he was a foreigner too.
I know that this message will come to you as a surprise as we don't know our selves before neither have we let, but be sure that it is real and a genuine business. I believe in God that you will never let le down in this
investment.
When the transfer is approved and payment schedule is allocated overseas, through the offshore paying delegate for final clearance and signing of
the payment release form by the beneficiary, i want us to see at the oversea payment clearance office face to face for signing of the original binding agreement to bind us together so that, we can receive this money into a foreign account or any account of your choice where the fund will be remitted.
I am contacting you because of the need to involve a foreigner with a foreign account as the real beneficiary. i need your co-operation to make this work fine, because the management is ready to approve this payment to any foreigner who has the correct information to this account, which i will
Give to you when sure of your capability to handle such amount in strict confidence and trust according to my instructions and my advice for our mutual benefit because I don't want to make any mistake, I need your strong assurance and trust. I shall destroy all documents concerning these transactions immediately we receive this money leaving no trace at all.
I will use my position and influence on other staffs to effect the legal approvals and onward transfer of this money to your account with appropriate
clearance from foreign payment department. With assurance that this money will be intact pending my physical arrival in your country for the sharing
and possible investments.
please do reply me through
Thanks.
Sincerely,
Dr Frank Jim
Is it really the extortionists driving the companies out of business, or is it that the companies played fast and loose with OUR personal data and now they are worried about the lawsuits?
They figure the lawsuits and lost sales from this leaked information would cost X amount of money so they're willing to pay less than X to stop the leak. Maybe they should have kept the sensitive information safer in the first place.
This is a result of either incompetence or knowingly cutting corners. (or just plain using Microsoft software. which is both.)
Liberty.
Do they have web sites? Post them on /. so everyone can have a look. :)
One line blog. I hear that they're called Twitters now.
Parent has a valid point. Ill-informed moderators are the bane of slashdot.
I know of a few small businesses that are in the boarded up mode. The web page contains nothing except yellow pages type information. It's a hosted site, so no exploitable information is even hackable. Hours of operation, some contact information, and list of products and services are all that's listed.
All in all I think some businesses are too small to be exploited simply because they have too little exposure.
The truth shall set you free!
Feel free to email sexylad919@hotmail.com with as much junk as you can/want.
Much appreciated, thanks.
Here at Xyzzycorp, we never have to give out references for former employees, because 100% of our departed associates coincidentally fall into cranberry crushers.
We have e-cam evidence of these murders. If you don't pay us 2 million bucks, we will release the videos over the 'net. -- Rocko
Table-ized A.I.
All you have to do is send me $100/month for the next 12 months, and you're golden.
;>
We're good like that, right?
I know a bit about airport codes. Toronto, Ontario is YYZ and Victoria, BC is YYJ. Here are others:
http://travelsucks.com/tools/airport-codes2.html
I can't find Xyzzy anywhere. How would I contact them? I have been requested by the Nigerian National Petroleum Company to contact Xyzzycorp, for assistance in resolving a matter. The Nigerian National Petroleum Company has recently concluded a large number of contracts for oil exploration in the sub-Sahara region.
Time is of the essence in this matter; very quickly the Nigerian Government will realize that the Central Bank is maintaining this amount on deposit, and attempt to levy certain depository taxes on it.
If it will be possible for you to assist us, we would be most grateful.
Contact the FBI or some other form of crime investigation unit. Change all the accounts if possible. Also you should make a bunch of fake accounts beforehand (as well as tightening up your computer security, and for God's sake hire an independent consultant to run security audits on your network and your code as well if possible).
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
The ghostbusters.
Obviously.
Keybord error. Press F1 to resume.
Sorry, but good riddance. This is probably the same loser filling my email box with spam, and popping up windows every time I go browsing.
Fuck 'em. I hope they show up to break the guy's legs in person.
I got one of these SCAM emails. The trouble is I don't have an online shop... I called the bank they said I used (I don't) and they confirmed that this was known to them. Their advice (and that of the police) was to throw it in the bin unless it included the actual details of your real account. In that case, their advice was to change the supplier of your account factoring service.
AFAIK, this scam is being done by the same people as the Nigerian 419ers.
Pay me one million dollars or I'll post your website URL on Slashdot.
If you are a public corporation, then Sarbanes-Oxley applies. This mandates disclosure of any issues that may affect share price. Any time bombs waiting to go off, i.e., major systems problems, that are known about must be disclosed. If senior management is aware of a serious problem that they do not disclose, then they can be in serious trouble.
See my journal, I write things there
dood, get a brain. great grandparent was right on topic.
die
A competent editor will be able to discern the difference between a compound sentence and a sentence with a compound predicate. In American English, no comma separates the compound predicate.
Incorrect:
Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists, are in for a surprise."
Correct:
Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists are in for a surprise."
Obviously, we made no attempt to correct the passive voice, hackneyed phrases and poor verb choice. This will be left to a future HOWTO.
> Although 70% of the businesses surveyed for
> the article claim they never had to deal with
> extortion on the Internet,
And 30% [b]have had to deal with it?
Jebus H. Christ[/b]. And here I was bitching because the tard-o-matic Feds couldn't handle throwing half the popup blockers in jail because they cause the popups themselves.
Oh.
My.
God.
Let's get some ass in gear, eh, George or John?
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
There's always going to be a certain amount of risk in the banking business. The banks would rather just pass the costs and risks onto their customers rather than manage and minimize the risk. As far as they're concerned it's easier and more profitable that way.
I'm sorry, but this isn't interesting. This is a troll post and the mods got caught.
You DDOS me, we Slashdot you...
Oh well, what the hell...
Assume you are as careful as you can be, but obviously there is always the possibility of something being overlooked and that exposure being exploited. If that happens, what is the maximum downside? If paying the extortion isn't an option and paying some outside service for a "rescue" isn't practical either, what do you do? Since it is known that law enforcement isn't going to be all that much help, where do you turn?
Unfortunately for the advancement of use of the Internet, the simple solution is to find some other way of doing business that isn't open to this kind of attack. This isn't all that difficult, but it may preclude using the Internet for much.
Now the more geeky folks may argue that there is a way of preventing these sorts of attacks. However, what needs to be understood is that the geek doesn't usually get a say in these decisions. They are made by lawyers, CEOs and maybe CIOs. The technical prowess of these folks is seriously lacking and the decision isn't made on technical merits.
Last update was last month...did you reach your goal?
... of bad color schemes, that is!
http://shit.slashdot.org/article.pl?sid=04/09/19/1422247
Got contacted by a company that I used to be a reseller for (web based, internet product). Seems that they had sent out monthly commission details to all their resellers as per usual, but this time the xls file had FULL credit card details of ALL the customers... I hadn't noticed it myself but someone else had! To quote the VP who called later, they "were dying the death of a thousand cuts". It goes to show that all your security can be bypassed by a silly mistake.
WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says.
1. Find Security Holes
2. Send extortion letters
3. Exploit security holes to show you mean business.
4. Company Pays extortion money
5. Profit
6. Extortionists hit them one time too many, company gets sick of it. Extortionists get caught and go to jail.
OR
4. Advertise solution to security problems under a different company name (i.e. Proicanfixit Technologies)
5. Solve company's problem
6. Profit to the tune of $100,000 a year for life
I'm sure there's a hole in this theory somewhere (collusion, racketeering, plain old thievery) and I'm sure one of you will kindly point out what it is.
A legal extortionist, say, a patent troll or industry trade group, has to consider how much they can actually get out of a victim, since there are legal costs involved in filing the suit in the first place.
Assuming there is always a clear demarcation between "legal" and "illegal" extortion.
These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks. Just as street criminals drive small businesses out of neighborhoods, leaving nothing but blight and boarded-up, rat-infested buildings, these online criminals could drive all the small e-commerce sites off the web and essentially cripple the web as a business method for all but the largest, wealthiest companies.
These being the same big wealthy companies who break the law when it suits them and put quite a bit of effort into buying laws...
U.S. jails are packed with failed excuses using Extortion.
If you're going to extort someone, and get away with it; Go into politics.
While this is a case of an extortion attempt, I'd imagine that very similar things happen with stolen CC #'s from various sites being used improperly. One idea to help stop this might be if Visa were to create "bait numbers." Basically these would be Visa accounts which exist only to lure attempted scammers, and set off all kinds of nice red alarms when somebody attempts to use them.
If many sites/businesses started to support the bait concept and put an effort to turning in the scammers, perhaps this would make scammers a little more leery of using stolen accounts/CC #'s.
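The "bait numbers" idea above, and the earlier advice in the thread to create fake accounts beforehand, can be applied by a single site on its own data. The following is an added example, not code from the article or from any poster: it plants Luhn-valid bait card numbers per data store and checks whether an extortion message quotes one, which tells you the leak is real and which store it came from. The `400000` prefix, the store names and the sample messages are constructed assumptions.

```python
import hashlib
import hmac
import re

BAIT_BIN = "400000"  # hypothetical prefix; a real scheme would use an issuer-assigned range


def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions, counted from the digit beside the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def bait_number(secret, store, index):
    """Derive a 16-digit bait number tied to one data store (no list to keep on disk)."""
    mac = hmac.new(secret, f"{store}:{index}".encode(), hashlib.sha256).digest()
    body = str(int.from_bytes(mac[:8], "big") % 10**9).zfill(9)
    partial = BAIT_BIN + body
    return partial + luhn_check_digit(partial)


def build_registry(secret, stores, per_store=3):
    """Map every bait number to the store it was planted in."""
    return {bait_number(secret, s, i): s for s in stores for i in range(per_store)}


# 16 digits, optionally grouped with spaces or dashes, not embedded in a longer number
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def find_bait(text, registry):
    """Return {store: [bait numbers]} for each planted number quoted in text."""
    hits = {}
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits) and digits in registry:
            hits.setdefault(registry[digits], []).append(digits)
    return hits


def demo():
    secret = b"constructed-demo-secret"
    registry = build_registry(secret, ["orders_db", "reseller_export"])
    planted = bait_number(secret, "reseller_export", 1)
    spaced = " ".join(planted[i:i + 4] for i in range(0, 16, 4))
    # Constructed sample messages, not taken from the article or the thread.
    real_leak = f"We have your customers. Proof: J. Doe, card {spaced}. Wire the money."
    bluff = "We have your customers. Proof: card 4111 1111 1111 1111. Wire the money."
    return find_bait(real_leak, registry), find_bait(bluff, registry)


if __name__ == "__main__":
    leak, bluff = demo()
    print("quoted bait by store:", leak)
    print("bluff message:", bluff)
```

The same `find_bait` call can be run over payment authorisation logs, so an attempt to charge a planted number raises an alert even when no demand is ever sent.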