Slashdot Mirror

← Back to Stories (view on slashdot.org)

Fighting Online Extortion

Posted by CmdrTaco on from the more-common-than-we-think dept.

prostoalex writes "Information Week talks about those mornings, when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and extortionist asking for certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists, are in for a surprise."

83 of 116 comments (clear)

  1. Sounds like a business opportunity. by lecithin · · Score: 3, Interesting

    Seems to me that a person could make a buck advertising and selling security services with this niche alone.

    Who would a person call if they had some problems like this?

    --
    It could be worse, it could be Monday.
    1. Re:Sounds like a business opportunity. by Nakkel · · Score: 5, Funny

      Who would a person call if they had some problems like this?

      Ghostbusters?

    2. Re:Sounds like a business opportunity. by cwebb1977 · · Score: 1, Interesting

      Call? Police, and hope you get someone on the phone who knows how to handle a mouse. And probably a private IT security company to get better results and safety.

      --
      www.weberseite.at
    3. Re:Sounds like a business opportunity. by Zocalo · · Score: 5, Interesting
      Who would a person call if they had some problems like this?

      In the US? The FBI I think; it's wire fraud which is a very serious offence and the foreign bank account angle takes it out of the jurisdiction of local/state police. I've been peripherally involved with something like this in the UK where the National High Tech Crime Unit got involved; the important things are not to panic and to contact the authorities immediately so they can do their thing.

      In my instance, the NHTCU took care of contacting the banks responsible for the various credit cards and everything, or at least passed the information along to the relevent organisation(s). I gather most of the banks simply issued a new credit card without making a fuss or the customer aware of the real reason for that matter. And yes, the perps got busted - or more accurately got stung due to the combination of information recovered from the compromised box and a few "creative" emails written by the NHTCU.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:Sounds like a business opportunity. by Tablizer · · Score: 3, Interesting

      Seems to me that a person could make a buck advertising and selling security services with this niche alone.

      I was thinking of a high-security service that stored most of the customer information. The only customer information on the e-store's server would be a customer number, and perhaps first name to serve as a greeting. The interface between the two servers would not allow open-ended queries. Only the type of queries needed would be allowed, which usually would only be verification that a customer is paid up. When a customer signs on or pays, they actually sign up at "customer server" service's site rather than the e-store site, and the customer number and payment status is sent back to the store site. The payment status may just be a confirmation that a requested amount can be covered and not the total amount in the account.

      An extortionist would have to bust into this customer server system/service, which would be carefully written to avoid such, perhaps with a guarentee of some kind.

      Thus, if a theif busted into the e-store, they would only find product information and perhaps a list of customer numbers with little else. Maybe even customer numbers don't have to be at the e-store.

      --
      Table-ized A.I.
    5. Re:Sounds like a business opportunity. by Anonymous Coward · · Score: 1, Interesting
      If you are only a small business owner of a small shop the chance of getting FBI to prioritize your case is close to zero.

      In many cases the FBI won't touch the case unles you can document $5000 in damgages or loss.

    6. Re:Sounds like a business opportunity. by evil_one666 · · Score: 2, Insightful
      No kidding! Have you ever noticed how articles about "new IT security threats" ALWAYS come with an infomercial buried in them somewhere. In this case-
      Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc.
      Hmmm, but of course Prolexic Technologies Inc. has nothing to do with the publication of this article (ahem...)
    7. Re:Sounds like a business opportunity. by operagost · · Score: 3, Funny

      I think an email threatening damage unless $5000 is paid (according to this article, that amount is not uncommon) would constitute documentation.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:Sounds like a business opportunity. by Txiasaeia · · Score: 1, Funny

      Motherfucker! I just sprayed Coke across my work computer! I'm sending you the bill ;)

      --
      Condemnant quod non intellegunt.
    9. Re:Sounds like a business opportunity. by DNS-and-BIND · · Score: 2, Informative
      I thought it was $50,000. At least, that's what they said when we tried to turn in a cracker at my old ISP job.

      As an aside, lie. Exaggerate the damages, get the FBI in. The worst that can happen is you revise the damage estimate downward later.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. I worry for my employer by Anonymous Coward · · Score: 5, Interesting
    Posted anonymously for obvious reasons...

    My employer has a large site done in PHP that grew over the years, and is rife with opportunities for SQL injection.

    They know what needs to change, and there is a plan to get from here to there over the next year, including a new in-house white-box security testing team. In the mean time, we are standing around with our pants down.

    The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?

    1. Re:I worry for my employer by Pig+Hogger · · Score: 2, Informative
      The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?
      That one is easy to fix. Management only needs to make sure that there are no ex-disgruntled employees...
    2. Re:I worry for my employer by ScrewMaster · · Score: 2, Insightful

      That only works when both sides are always reasonable.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:I worry for my employer by YankeeInExile · · Score: 4, Funny

      That one is easy to fix. Management only needs to make sure that there are no ex-disgruntled employees...
      Here at Xyzzycorp, we never have to give out references for former employees, because 100% of our departed associates coincidentally fall into cranberry crushers.
      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    4. Re:I worry for my employer by ilsa · · Score: 2, Interesting

      Management only needs to make sure that there are no ex-disgruntled employees

      There it is, the most important thing to remember.

      And the easiest way to do that is not to hire nutcases that are apt to become disgruntled former employees. This involves better checking of applications than many people are really interested in doing. Take this guy for example: mental health counselor takes pit bulls to office in hurricane, orders them to attack others (coworkers?), goes out to his car. He has previously been arrested for almost every type of assault you can think of. It should not have been too difficult to filter this guy's resumé out of the applicant pool. Preventing disgruntled employees is about more than data security, it's about plain old fashioned general security.

      Of course there is also a lot to be said for terminating passwords and accounts immediately when terminating an employee, even a really nice one.

      --
      -- I Am Not A Terrorist.
    5. Re:I worry for my employer by justins · · Score: 2, Interesting
      They know what needs to change, and there is a plan to get from here to there over the next year, including a new in-house white-box security testing team. In the mean time, we are standing around with our pants down.

      The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?

      The only "quick fix" in that scenario is to implement some kind of screening of incoming HTTP requests at the edge of the network, or perhaps on the web servers, to catch malformed requests. Definitely not a perfect solution, but still, it might save you until things are fixed.
      --
      Now before I get modded down, I be to remind whoever might read this that what I am saying is FACT. - bogaboga
    6. Re:I worry for my employer by Code+Dark · · Score: 1

      The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?

      Well, if it is in fact a disgruntled ex-employee (as some many modern cyber attacks are), then don't worry about it: just accuse one, and you have a 50% chance of hitting the right one! Seriously, though, you should set up a temporary fix so you don't have to worry about it- at least until you can permanently secure your systems.

      --
      - Code Dark
    7. Re:I worry for my employer by Lehk228 · · Score: 1

      don't set up a temporary fix, if you do the management will put the permenant fix on the back burner untill the quick and dirty setup is breeched.

      --
      Snowden and Manning are heroes.
    8. Re:I worry for my employer by laird · · Score: 1

      While it's a good idea to have a firewall block malformed packets, etc., this is pretty close to useless in defending from disgruntled ex-employees. Most security violations take place from inside the firewall, because the disgruntled ex-employees know passwords, have friends back in the company, etc. And most attacks that do come from outside the company aren't at the level of malformed packets -- they're application-level vulnerabilities, or simply people that try default passwords, etc.

      It's not a bad idea to have a Firewall, because it's easy, but it certainly doesn't make you secure.

      --
      Enable 3D printed prosthetics!
  3. So who are the extortionists? by mindaktiviti · · Score: 5, Interesting

    "WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says."

    THAT is really freaky.

    1. Re:So who are the extortionists? by lukewarmfusion · · Score: 4, Interesting

      Well, depending on the vendor's services I might call that a pretty unreasonable price. On the other hand, a large company might spend a lot more than that on hardware, software, audits, staff, etc. All to prevent such extortion...

      --anecdote time--
      If you're a small business, $100,000 might not be feasible. But then again, most small businesses won't need that kind of service. I've seen far too many sites ready to be discovered and attacked. One of my selling methods when I'm talking to a potential client is to visit their existing site and point out security holes. In one instance, I did a real quick SQL injection method to gain access to the "secure client login" area. Right in front of the client, we're staring at their largest client's account details.

      "Can you fix it for me?"
      --end anecdote--

      I generally charge $75/hour; that's 1,333 hours and 20 minutes of work before they'd pay $100k. Even with failover servers, load distributing, etc., getting out of the extortionists' crosshairs doesn't have to be so expensive.

    2. Re:So who are the extortionists? by Anonymous Coward · · Score: 1, Interesting

      I think the followup posts to this are missing the point. What's freaky is that the attack stopped as soon as he paid Prolexic $100,000 a year. Makes one wonder how he heard about Prolexic.

    3. Re:So who are the extortionists? by Anonymous+Luddite · · Score: 3, Informative


      I'd hope they are getting more than a "firewall + script" for 100G.

      A quick look at Prolexic's web site make me think it's selling a distributed proxy service. Don't see why it wouldn't work.

      As far as the reasonability of cost, I doubt 100G is a big number for them.. ..they're bookies.

      --
      http://request-header.info
    4. Re:So who are the extortionists? by renoX · · Score: 1

      Mmm, you know probably better than me, but having a secure server (one without security holes either in the OS or in the app) is the easy part (yes, I know it is hard).

      Being able to resist to a DDOS seems to me the hard part! That's why they paid 100k in the article..

    5. Re:So who are the extortionists? by GigsVT · · Score: 2, Insightful

      Yeah, but most companies are run by idiots. Seriously. They think nothing of dropping $100,000 on ISO9660 consultants, $100,000 on "efficiency experts", etc, etc.

      When your revenue is several tens of million a year (for a mid sized company), 100,000 looks cheap, even if it is something that could be handled a lot cheaper.

      One thing I've noticed, people are resistant to change generally. But if that change comes from highly overpaid consultants, people are more willing to change the way they do things. Of course that doesn't much address the problem of stagnant employees and managers.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    6. Re:So who are the extortionists? by jrockway · · Score: 1

      ISO9660 consultants? ISO9660 is the standard for CD filesystems...

      --
      My other car is first.
    7. Re:So who are the extortionists? by darkmeridian · · Score: 1

      But you are undercharging. It's easy for you, but the guy is obviously willing to pay double what you are asking for.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    8. Re:So who are the extortionists? by Bios_Hakr · · Score: 2, Insightful

      We had a team come in to examine our NOC. The first thing they wanted when they came in was valid IPs and subnet listings. In front of my boss, I told them to get stuffed. If they want to do a test, let them come. But I'm not giving them any help at all.

      In any event, they charged a lot and found little. In the outbrief, they made even the smallest problems seem huge. I guess they may have had a point.

      IMHO, the team that came to see us charged a lot and did not really acomplish anything.

      --
      I'd rather you do it wrong, than for me to have to do it at all.
    9. Re:So who are the extortionists? by GigsVT · · Score: 1

      Yes, I'm an idiot.

      Or you can take it as some clever joke. That I ... meant... yeah... to do.

      (Of course I mean ISO 9000/9001, et al) :)

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  4. Certainly different from legal forms of extortion by The+I+Shing · · Score: 4, Interesting

    A legal extortionist, say, a patent troll or industry trade group, has to consider how much they can actually get out of a victim, since there are legal costs involved in filing the suit in the first place. These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks. Just as street criminals drive small businesses out of neighborhoods, leaving nothing but blight and boarded-up, rat-infested buildings, these online criminals could drive all the small e-commerce sites off the web and essentially cripple the web as a business method for all but the largest, wealthiest companies. So don't look for the authorities to step up efforts to combat this anytime soon.

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
  5. Finally! by Pig+Hogger · · Score: 3, Insightful
    A clued-in story submitter who submits the print link.

    Bravo!

    * * *

    There are plenty of ways of preventing DDOS attacks, most of which, unfortunately, call for SKILLED network operators.

    1. Re:Finally! by AndroidCat · · Score: 1

      And if you don't have skilled network operators, just change your domain to point to 216.250.128.21 until the attack blows over.

      --
      One line blog. I hear that they're called Twitters now.
    2. Re:Finally! by Pig+Hogger · · Score: 1

      Are you the "Android Cat" on NANAE?

    3. Re:Finally! by AndroidCat · · Score: 1

      No, that it what I am called on NANAE.

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:Finally! by HermanAB · · Score: 1
      At last, a funny SCO joke...

      I wonder if anyone else got it.

      --
      Oh well, what the hell...
  6. Trace the money by dealsites · · Score: 3, Interesting

    Can anyone explain how this actually works? Same with spammers too. If you transfer money, I'd think there would be an electronic trail of the money being transferred. After 9/11 they traced bank account of suspects, why can't they do it all the time? A lot of spam also generates sales, but why can't the money trail be followed to catch the bad guys?
    --
    Live deals online with a new server, can withstand a Slashdotting now.

    1. Re:Trace the money by YankeeInExile · · Score: 4, Insightful
      1. Phish for some schmoes Citibank account.
      2. Target BigWebsite.COM for extortion.
      3. Use patsy's bank as a drop box.
      4. Move as soon as the cash is in hand.
      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
    2. Re:Trace the money by Beryllium+Sphere(tm) · · Score: 2, Interesting

      Easy -- extortionist has the victim cable the money to some country full of corrupt officials. Extortionist gives corrupt officials a cut of the proceeds. In return, corrupt officials deny or delay any attempt to trace the transfer.

      Or simpler yet, extortionists tell victim "if anything stops us from getting the money undetected, the attack will go ahead".

    3. Re:Trace the money by mabhatter654 · · Score: 2, Interesting
      The Trouble is that many of the busineses targeted are "fringe" businesses. In the example given of online-betting, they neglected to mention that such businesses are ILLEGAL in the US... even if you're a US citizen with the hosting off-shore you can't do anything Legally about it. The same with many of the businesses they would target...

      Think Sex-toys, porn, "grey" software, Xbox hacks, etc... depending on where you're at the local authourities may not even know you're in business....heck they may see the "blackmailer" as performing a community service because your a "malcontent" selling "naughty" stuff.

      businesses like Best Buy are stupid to blackmail...they're above board, tax-paying, legal corporations [and they can pay Laywers to protect their backs FROM the cops too!]...They are "out in the open" businesses...holding them up is akin to holding up the store itself. it's easy for them to get FBI sympathy for the case. Your local OSS project may have much more hassle getting stuff in order... Police lately seem to "victimize" small business that report crimes nearly worse than the criminals!!! You're lible to find your small business sued by the locality for "petty" violations like building codes, accounting errors, zoning [if it's out of your house] etc. Hence the "right thing" is often worse than finding another way to deal with the attacker.

    4. Re:Trace the money by kbahey · · Score: 1

      Not that simple.

      That schmoe's account that the extortionist got via phishing has to transfer the money somewhere else (to the extortionist). It will be detected once the shmoe finds out and complains.

      So, it may make detection harder or may take longer to detect, but eventually he will be caught.

      Unless he withdraws cash from Citibank, but yet again, the cameras at the bank has his picture.

      --
      2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
    5. Re:Trace the money by cdrguru · · Score: 1

      That is what banking privacy laws are for. You have a Swiss bank account that people send the money to and the Swiss will never disclose who you are. Same process can be done in the Cayman Islands where they have strong banking privacy.

    6. Re:Trace the money by bot24 · · Score: 1

      5. Profit :)
      Please remember to close your list next time. /. readers might get confused by your non-terminated list and start reading the rest of the comments as items in your list!

  7. You are so stupid if you pay! by earthstar · · Score: 5, Insightful
    Atleast this extortion wont leave people in a dilemma whetehr to pay or not because there simply cannot be any question of paying, whatsoever may be the data!!

    This extortion isnt like conventional extortions where in you get your thing back when you pay.

    The extortionist obviously would have made copied of the data, and would hav given to so many of his friends.....If someones gonna pay,would he be paying to every one of the mails asking for the same data he had paid?


    LOL


    Sorry, but I think the website owner has already lost the battle - Unless the extortionist get caught - provided the duplicated data doesnt isnt with anyone!

    --

    Why does yahoo do this
    1. Re:You are so stupid if you pay! by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Anecdotes in the security community say that what you predict is already happening. A bank will pay an extortionist to keep quiet, congratulate itself on cheaply avoiding a scandal, and then they're marked as a Target Which Pays and more extortion demands come in from other crooks.

    2. Re:You are so stupid if you pay! by Nos. · · Score: 2, Insightful

      I don't doubt it, but as you say its a short term "victory". If they paid once, they'll probably pay again. Repeat until they finally get some security. This is another situation where some up front investment (in security) will pay off in the long run, not to mention that actually protecting your customers data is the "right thing to do".

    3. Re:You are so stupid if you pay! by nomadic · · Score: 1

      then they're marked as a Target Which Pays and more extortion demands come in from other crooks.

      How would they be marked? It's not like they're getting the front page of Online Blackmailer Magazine. If it's done quietly then the information doesn't go public, and contrary to popular belief there isn't some "underworld" where criminals stay in constant communication with each other.

    4. Re:You are so stupid if you pay! by red+floyd · · Score: 1

      This is why IBM did not buy out SCOX when the whole fiaSCO started.

      --
      The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  8. This ocurred to me by Anonymous Coward · · Score: 2, Insightful

    I have a small ecommerce site and this ocurred to me one time.
    I received an email with my personal data and asking me to contact him.
    I contacted host service and investigate for possible bugs and raw logs, but I never reply. Finally I think they get my data from whois services.

  9. Once again, a bad summary. by damiangerous · · Score: 4, Informative
    Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet,

    No, it doesn't say that at all. It says:

    "According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful."
    It does talk about how many businesses have had to deal with 'cyberextortion', and that percentage is just over half of the submitter's claims:
    "17% of the 100 companies surveyed say they've been the target of some form of cyberextortion."
    1. Re:Once again, a bad summary. by damiangerous · · Score: 2, Insightful

      Oh, and the other thing I forgot to mention about the summary is that the story isn't even about stealing customer data and using it for extortion. The story is about threatening random sites with DDoSing if they don't pay. Very different scenarios since it's far more difficult to protect against the later. Once again, good job submitter.

    2. Re:Once again, a bad summary. by dema · · Score: 4, Informative

      If you look at the chart on the left side of the screen, you'll see the question: Has your company or any employee been the target of cyberextortion?. And, as indicated in the pie chart, 70% of those surveyed said No, just as the poster indicated. And in reference to the story only being about DDoSing, if you read the whole article you see:

      Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid.

      In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.

      The first one threatened DDoSing in addition to leaking info, and the other examples had nothing to do with DDoS.

    3. Re:Once again, a bad summary. by damiangerous · · Score: 1
      Okay, so I was wrong about the pie chart, but who the hell is "unsure" about being the target of extortion? Those people should be counted as "No".

      As for the method of extortion I stand by my statement. The article starts off with the sentence about an email received, the same as the summary does. That email though, threatened DDoSing, not leaking of customer data. The other anecdotes are more about the other types of extortion out there and aren't really the focus.

      I still say it was a rushed, poorly written summary that missed the thrust of the article.

    4. Re:Once again, a bad summary. by dema · · Score: 1

      Okay, so I was wrong about the pie chart, but who the hell is "unsure" about being the target of extortion? Those people should be counted as "No".

      Haha yeah I thought that too. I also like how they just have the chart sitting over there with no mention of it. The article itself just isn't very good, could've safely stayed in the ugly IT section :P

    5. Re:Once again, a bad summary. by DZign · · Score: 1

      The company I work for recently had another type of extortion attempt. Our it manager got a phone call from some 'a domain registration company' in Rotterdam who said 'one of their clients' wanted to register a domain name and link it to a porn site. The url was the name of one of the companies in our group. This domain registration company however first checked if the name existed, and therefor wanted to know if our company wanted to buy it first for $1000..
      They couldn't send us any information, just wanted a credit card number, or they would register the domain name and link to a porn site.
      Reaction of management: the name you are going to use is a registered trademark and we will do everything legally possible to enforce it.
      I haven't checked yet if they registered the name or not.

      --
      Learn about pinball machines on www.flippers.be
  10. International Banking by xyote · · Score: 4, Insightful
    Without it, international extortion would be impossible. If you made the banks liable no matter how far the chain went, that kind of extortion would stop, just like that.

    There are analogies with the telcos enabling dial out frauds by sticking it to the customer. If the telcos and banks were responsible, they'd be real careful who they gave other people's money to.

  11. This story is part advertisement by Cryofan · · Score: 3, Insightful

    Like most media "news" stories.....

    --
    eat shiat and bark at the moon
  12. Victim does online gambling; shady = vulnerable by Nova+Express · · Score: 5, Interesting
    It seems that just like in the real world, extortionists like to target operations of dubious legality. I suspect the low-hanging fruit for people looking to carry out this kind of spam are businesses in the gray area of legality and respectability (online gambling, porn sites, "Mexican Drug Stores," etc.). Though profitable, these sites might have more to fear with going to the police than paying the extortionist. This is why, here in the real, non-virtual world, criminals often pray on illegal immigrant businesses for "protection" money. I also wonder whether the firms being targeted are also vulnerable because they're too shady to deal with firms like Akamai.

    Now if only cyber-extortionists would target well-known spammers...

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

    1. Re:Victim does online gambling; shady = vulnerable by asdfghjklqwertyuiop · · Score: 1

      What puts porn sites in a legal grey area? If everyone involved is a consenting adult, they shouldn't have anything to fear from using the legal system for defense.

    2. Re:Victim does online gambling; shady = vulnerable by dougmc · · Score: 2, Insightful
      If everyone involved is a consenting adult, they shouldn't have anything to fear from using the legal system for defense.
      In theory, you are correct. In practice, it's not so simple. Often law enforcement members themselves don't care for porn and won't take such complaints very seriously. Or they may see this as an opportunity to scrutinize the business and make their life difficult as they look for illegal things to bust them for (and even if there aren't any, that doesn't mean it's not a big problem for the business.)

      Last I heard, Hustler magazine spent over one million dollars per year just on legal expenses, and generally they do not violate the law. This is probably an extreme example, but I imagine that lots of porn business spend above average amounts on legal expenses just because of the nature of their business. Anything that draws attention to you could very well increase that ...

    3. Re:Victim does online gambling; shady = vulnerable by One+Childish+N00b · · Score: 1

      I think it's the 'respectability' grey area rather than the legal ones. You'd probably be more willing to stand up in court against someone for DDoS'ing your site selling wicker baskets, for example, than you would to say "yes, your honour, on the first of last month I received an email from a Mr 'I. R. Leet' threatening to DDoS our site, InflateAGranny.com, if we did not pay him the sum of $100,000".

      --
      Dealing with lawyers would be a lot less tedious if they all looked like Casey Novak.
  13. insurance coverage by coklat · · Score: 3, Interesting

    isnt there already an insurance policy for this kind of event... "business interruption policy"?

    --
    http://aip.corolla.or.id/
  14. They'd be the first to be investigated by Toxygen · · Score: 1, Insightful

    I'm sure the first thing the authorities (or anybody even) would do is check out who has the highest motive for starting an extortion scheme like that. If it's well known that these 2 people have issues with the company, the first thing any competent investigator would do is question them first. This is not to say that the damage wouldn't have already been done at this point, but it should at least be some comfort that they would most likely be caught and made an example of.

  15. Insurance! by Anonymous Coward · · Score: 2, Insightful

    That is the way to go. Yes, security is a good start but it is impossible to completely become immune to attacks.

    Therefore I say to spend the resources on insurance and simply ignore the threats and attacks. The extortionist get nothing and may waste his power on absolutely nothing, running a serious risk of getting caught - all for nothing.

    The company has their assets insured and lose nothing.

    In a few days all the extortionists go back to breaking legs for the local loanshark. There they at least get something for their efforts.

    It's a lot like terror - it only works (for the terrorists) if they get something out of their efforts. Saying no to them and hitting them back just as hard will make them think twice. They get nothing but trouble out of their efforts and this will - in the long run - make them change their MO and possibly go back to their farms or whatever their dayjob used to be.

    1. Re:Insurance! by TheLink · · Score: 1

      Maybe the extortionist should buy shares in insurance company for insurance ;).

      Insurance companies here are a scam.

      --
  16. Re:Misleading /. story by catwh0re · · Score: 1

    I was wondering this also. Is there another part to this article that I have missed, can someone fill me in?

  17. really? by 7-Vodka · · Score: 2, Insightful

    Is it really the extortionists driving the companies out of buisness, or is it that the companies played fast and loose with OUR personal data and now they are worried about the lawsuits?
    They figure the lawsuits and lost sales from this leaked information would cost X amount of money so they're willing to pay less than X to stop the leak. Maybe they should have kept the sensitive information safer in the first place.
    This is a result of either incompetence or knowingly cutting corners. (or just plain using Microsoft software. which is both.)

    --

    Liberty.

  18. Re:Certainly different from legal forms of extorti by AndroidCat · · Score: 1
    These organized criminal enterprises

    Do they have web sites? Post them on /. so everyone can have a look. :)

    --
    One line blog. I hear that they're called Twitters now.
  19. Re:Certainly different from legal forms of extorti by Technician · · Score: 1

    I know of a few small businesses that are in the boarded up mode. The web page contains nothing except yellow pages type information. It's a hosted site, so no exploitable information is even hackable. Hours of operation, some contact information, and list of products and services are all that's listed.

    All in all I think some businesses are too small to be exploited simply because they have too little exposure.

    --
    The truth shall set you free!
  20. out-scumbagging a scumbag by Tablizer · · Score: 2, Funny

    Here at Xyzzycorp, we never have to give out references for former employees, because 100% of our departed associates coincidentally fall into cranberry crushers.

    We have e-cam evidence of these murders. If you don't pay us 2 million bucks, we will release the videos over the 'net. -- Rocko

    --
    Table-ized A.I.
  21. It doesn't cost $100K to stop a DDoS attack! by Mordant · · Score: 3, Funny

    All you have to do is send me $100/month for the next 12 months, and you're golden.

    We're good like that, right? ;>

  22. Dont pay. by jellomizer · · Score: 4, Insightful

    Contact the FBI or some other from of crime investigation unit. Change all the accounts if possible. Also you should make a bunch of fake accounts before hand (As well as tightening up your computer security, and for god sake Hire an independent consultant to run security audits on your network and your code as well if possible)

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  23. Re:Where is Xyzzy? by onebuttonmouse · · Score: 1

    Was it the upper-left or upper-right pixel? Brings back 3.11 memories.

    --
    MacBook Pro. Worst name since the Bicycle
  24. Threaten to put them on Slashdot by MinimeMongo · · Score: 4, Funny

    Pay me one million dollars or I'll post your website URL on Slashdot.

  25. Re:Where is Xyzzy? by red+floyd · · Score: 1

    Sorry, dude, but Xyzzy goes WAAAY back before Minesweeper. It was the magic word to the original ADVENT (Crystal Cave).

    --
    The only reason we have the rights we have is that people just like us died to gain those rights. -- Cheerio Boy
  26. Sarbanes-Oxley? by hughk · · Score: 2, Informative

    If you are a public corporation, then Sarbanes-Oxley applies. This mandates disclosure of any issues that may affect share price. Any time bombs waiting to go off, i.e., major systems problems, that are known about must be disclosed. If senior management is aware of a serious problem that they do not disclose, then they can be in serious trouble.

    --
    See my journal, I write things there
  27. Re:Where is Xyzzy? by Zerth · · Score: 1

    Upper left hand

  28. 70% don't have to deal with it?!?!?!? by Impy+the+Impiuos+Imp · · Score: 1

    > Although 70% of the businesses surveyed for
    > the article claim they never had to deal with
    > extortion on the Internet,

    And 30% [b]have had to deal with it?

    Jebus H. Christ[/b]. And here I was bitching because the tard-o-matic Feds couldn't handle throwing half the popup blockers in jail because they cause the popups themselves.

    Oh.

    My.

    God.

    Let's get some ass in gear, eh, George or John?

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  29. Banks pass on the risks to their customers by xyote · · Score: 1
    This allows them to take chances that they would not otherwise take if it was their money. Even if they are held responsible they take risks and really make you go thru a lot of trouble. All this because it's more convenient for their purposes. They've recently changed checking accounts so they're basically a debit card account whether you want one or not. Someone could always wire money from your account without your permission. Well, it's now gotten a lot easier. And of course you have all the protection of a debit card, that is to say none. You're protected but you have to report it to the police and wait a while for the bank to credit you. Meanwhile your checks have all bounced, your creditors are really pissed at you, and your credit rating is probably damaged beyond repair.

    There's always going to be a certain amount of risk in the banking business. The banks would rather just pass the costs and risks onto their customers rather than manage and minimize the risk. As far as they're concerned it's easier and more profitable that way.

  30. Pre-emptive solutions by cdrguru · · Score: 1
    The problem isn't that a business gets hit with one of these guys and then has hard decisions to make. The real problem - like many others - is deciding that offering an online business makes sense when there is the possibility of getting hung out to dry by this kind of thing.

    Assume you are as careful as you can be, but obviously there is always the possibility of something being overlooked and that exposure being exploited. If that happens, what is the maximum downside? If paying the extortion isn't an option and paying some outside service for a "rescue" isn't practical either, what do you do? Since it is known that law enforcement isn't going to be all that much help, where do you turn?

    Unfortunately for the advancement of use of the Internet, the simple solution is to find some other way of doing business that isn't open to this kind of attack. This isn't all that difficult, but it may preclude using the Internet for much.

    Now the more geeky folks may argue that there is a way of preventing these sorts of attacks. However, what needs to be understood is that the geek doesn't usually get a say in these decisions. They are made by lawyers, CEOs and maybe CIOs. The technical prowess of these folks is seriously lacking and the decision isn't make on technical merits.

  31. Extortionists get paid either way except... by CristalShandaLear · · Score: 1

    WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says.

    1. Find Security Holes
    2. Send extortion letters
    3. Exploit security holes to show you mean business.
    4. Company Pays extortion money
    5. Profit
    6. Extortionists hit them one time to many, company gets sick of it. Extortionists get caught and go to jail.

    OR
    4. Advertise solution to security problems under a different company name (i.e. Proicanfixit Technologies)
    5. Solve companies problem
    6. Profit to the tune of $100, 000 a year for life

    I'm sure there's a hole in this theory somewhere (collusion, racketeering, plain old thievery) and I'm sure one of you will kindly point out what it is.

  32. Re:Certainly different from legal forms of extorti by mpe · · Score: 1

    A legal extortionist, say, a patent troll or industry trade group, has to consider how much they can actually get out of a victim, since there are legal costs involved in filing the suit in the first place.

    Assuming there is always a clear demarkation between "legal" and "illegal" extortion.

    These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks. Just as street criminals drive small businesses out of neighborhoods, leaving nothing but blight and boarded-up, rat-infested buildings, these online criminals could drive all the small e-commerce sites off the web and essentially cripple the web as a business method for all but the largest, wealthiest companies.

    These being the same big wealthy companies who break the law when it suits them and put quite a bit of effort into buying laws...

  33. Capt. Long John Silver Is A Good Mentor by LifesABeach · · Score: 1

    U.S. jails are packed with failed excuses using Extortion.

    If you're going to extort someone, and get away with it; Go into politics.

  34. Bait accounts? by phorm · · Score: 1

    While this is a case of an extortion attempt, I'd imagine that very similar things happen with stolen CC #'s from various sites being used improperly. One idea to help stop this might be if Visa were to create "bait numbers." Basically these would be Visa accounts which only to lure attempted scammers, and set off all kinda of nice red alarms when somebody attempts to use them.

    If many sites/businesses started to support the bait concept and put an effort to turning in the scammers, perhaps this would make scammers a little more leery of using stolen accounts/CC #'s.