Slashdot Mirror


Fighting Online Extortion

prostoalex writes "Information Week talks about those mornings when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and an extortionist asking for a certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists are in for a surprise."


  1. Sounds like a business opportunity. by lecithin · · Score: 3, Interesting

    Seems to me that a person could make a buck advertising and selling security services with this niche alone.

    Who would a person call if they had some problems like this?

    --
    It could be worse, it could be Monday.
    1. Re:Sounds like a business opportunity. by Nakkel · · Score: 5, Funny

      Who would a person call if they had some problems like this?

      Ghostbusters?

    2. Re:Sounds like a business opportunity. by Zocalo · · Score: 5, Interesting
      Who would a person call if they had some problems like this?

      In the US? The FBI I think; it's wire fraud which is a very serious offence and the foreign bank account angle takes it out of the jurisdiction of local/state police. I've been peripherally involved with something like this in the UK where the National High Tech Crime Unit got involved; the important things are not to panic and to contact the authorities immediately so they can do their thing.

      In my instance, the NHTCU took care of contacting the banks responsible for the various credit cards and everything, or at least passed the information along to the relevant organisation(s). I gather most of the banks simply issued a new credit card without making a fuss or the customer aware of the real reason for that matter. And yes, the perps got busted - or more accurately got stung due to the combination of information recovered from the compromised box and a few "creative" emails written by the NHTCU.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Sounds like a business opportunity. by Tablizer · · Score: 3, Interesting

      Seems to me that a person could make a buck advertising and selling security services with this niche alone.

      I was thinking of a high-security service that stored most of the customer information. The only customer information on the e-store's server would be a customer number, and perhaps first name to serve as a greeting. The interface between the two servers would not allow open-ended queries. Only the type of queries needed would be allowed, which usually would only be verification that a customer is paid up. When a customer signs on or pays, they actually sign up at "customer server" service's site rather than the e-store site, and the customer number and payment status is sent back to the store site. The payment status may just be a confirmation that a requested amount can be covered and not the total amount in the account.

      An extortionist would have to bust into this customer server system/service, which would be carefully written to avoid such, perhaps with a guarantee of some kind.

      Thus, if a thief busted into the e-store, they would only find product information and perhaps a list of customer numbers with little else. Maybe even customer numbers don't have to be at the e-store.
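
The split described in the comment above, as an added example that is not part of the original post or of any product it mentions: a customer server that exposes a single yes/no payment query, next to the few fields the e-store keeps. The class and function names, the customer-number format, the query budget and all sample records are assumptions constructed for illustration.

```python
import re
import sqlite3

CUSTOMER_NUMBER = re.compile(r"C\d{6}")  # assumed customer-number format
MAX_CHECKS_PER_CUSTOMER = 5              # assumed budget; blunts balance probing


class CustomerServer:
    """Separate service holding all personal and payment data (hypothetical)."""

    def __init__(self, rows):
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE customers (number TEXT PRIMARY KEY, first_name TEXT,"
            " email TEXT, card TEXT, balance_cents INTEGER)")
        self._db.executemany("INSERT INTO customers VALUES (?,?,?,?,?)", rows)
        self._checks = {}

    def _balance(self, number):
        # Parameterized lookup; the caller never supplies SQL or column names.
        if not isinstance(number, str) or not CUSTOMER_NUMBER.fullmatch(number):
            return None
        row = self._db.execute(
            "SELECT balance_cents FROM customers WHERE number = ?", (number,)
        ).fetchone()
        return row[0] if row else None

    def can_cover(self, number, amount_cents):
        """The only payment query exposed to the store: a yes/no answer."""
        if type(amount_cents) is not int or amount_cents <= 0:
            return False
        balance = self._balance(number)
        if balance is None:
            return False  # unknown customer looks the same as "cannot cover"
        # Without a budget, repeated yes/no answers reveal the balance by bisection.
        used = self._checks.get(number, 0)
        if used >= MAX_CHECKS_PER_CUSTOMER:
            return False  # fail closed once the budget is spent
        self._checks[number] = used + 1
        return amount_cents <= balance


# Constructed sample data: what the customer server holds vs. what the store holds.
SERVER = CustomerServer([
    ("C000001", "Ana", "ana@example.test", "4111-XXXX-XXXX-0001", 12_500),
    ("C000002", "Raj", "raj@example.test", "4111-XXXX-XXXX-0002", 300),
])
STORE_RECORDS = [{"customer": "C000001", "greeting": "Ana"},
                 {"customer": "C000002", "greeting": "Raj"}]
```

A dump of `STORE_RECORDS` contains no e-mail address, card or balance, and the store can only ask `SERVER.can_cover(...)`; in a real deployment the query budget would be reset per time window rather than kept for the life of the process.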

    4. Re:Sounds like a business opportunity. by operagost · · Score: 3, Funny

      I think an email threatening damage unless $5000 is paid (according to this article, that amount is not uncommon) would constitute documentation.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  2. I worry for my employer by Anonymous Coward · · Score: 5, Interesting
    Posted anonymously for obvious reasons...

    My employer has a large site done in PHP that grew over the years, and is rife with opportunities for SQL injection.

    They know what needs to change, and there is a plan to get from here to there over the next year, including a new in-house white-box security testing team. In the meantime, we are standing around with our pants down.

    The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targeting us in an extortion scheme?

    1. Re:I worry for my employer by YankeeInExile · · Score: 4, Funny

      That one is easy to fix. Management only needs to make sure that there are no ex-disgruntled employees...
      Here at Xyzzycorp, we never have to give out references for former employees, because 100% of our departed associates coincidentally fall into cranberry crushers.
      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  3. So who are the extortionists? by mindaktiviti · · Score: 5, Interesting

    "WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says."

    THAT is really freaky.

    1. Re:So who are the extortionists? by lukewarmfusion · · Score: 4, Interesting

      Well, depending on the vendor's services I might call that a pretty unreasonable price. On the other hand, a large company might spend a lot more than that on hardware, software, audits, staff, etc. All to prevent such extortion...

      --anecdote time--
      If you're a small business, $100,000 might not be feasible. But then again, most small businesses won't need that kind of service. I've seen far too many sites ready to be discovered and attacked. One of my selling methods when I'm talking to a potential client is to visit their existing site and point out security holes. In one instance, I did a real quick SQL injection method to gain access to the "secure client login" area. Right in front of the client, we're staring at their largest client's account details.

      "Can you fix it for me?"
      --end anecdote--

      I generally charge $75/hour; that's 1,333 hours and 20 minutes of work before they'd pay $100k. Even with failover servers, load distributing, etc., getting out of the extortionists' crosshairs doesn't have to be so expensive.

    2. Re:So who are the extortionists? by Anonymous Luddite · · Score: 3, Informative


      I'd hope they are getting more than a "firewall + script" for 100G.

      A quick look at Prolexic's web site makes me think it's selling a distributed proxy service. Don't see why it wouldn't work.

      As far as the reasonability of cost, I doubt 100G is a big number for them.. ..they're bookies.

  4. Certainly different from legal forms of extortion by The I Shing · · Score: 4, Interesting

    A legal extortionist, say, a patent troll or industry trade group, has to consider how much they can actually get out of a victim, since there are legal costs involved in filing the suit in the first place. These organized criminal enterprises, on the other hand, only have to do some hacking, and then fling their crap in every direction to see what sticks. Just as street criminals drive small businesses out of neighborhoods, leaving nothing but blight and boarded-up, rat-infested buildings, these online criminals could drive all the small e-commerce sites off the web and essentially cripple the web as a business method for all but the largest, wealthiest companies. So don't look for the authorities to step up efforts to combat this anytime soon.

    --
    You are in error. No-one is screaming. Thank you for your cooperation.
  5. Finally! by Pig Hogger · · Score: 3, Insightful
    A clued-in story submitter who submits the print link.

    Bravo!

    * * *

    There are plenty of ways of preventing DDOS attacks, most of which, unfortunately, call for SKILLED network operators.

  6. Trace the money by dealsites · · Score: 3, Interesting

    Can anyone explain how this actually works? Same with spammers too. If you transfer money, I'd think there would be an electronic trail of the money being transferred. After 9/11 they traced bank account of suspects, why can't they do it all the time? A lot of spam also generates sales, but why can't the money trail be followed to catch the bad guys?
    --
    Live deals online with a new server, can withstand a Slashdotting now.

    1. Re:Trace the money by YankeeInExile · · Score: 4, Insightful
      1. Phish for some schmoe's Citibank account.
      2. Target BigWebsite.COM for extortion.
      3. Use patsy's bank as a drop box.
      4. Move as soon as the cash is in hand.
      --
      How does the Slashdot Effect happen given that no slashdotters ever RTFA?
  7. You are so stupid if you pay! by earthstar · · Score: 5, Insightful
    At least this extortion won't leave people in a dilemma whether to pay or not because there simply cannot be any question of paying, whatsoever may be the data!!

    This extortion isn't like conventional extortions wherein you get your thing back when you pay.

    The extortionist obviously would have made copies of the data, and would have given it to so many of his friends..... If someone's gonna pay, would he be paying to every one of the mails asking for the same data he had paid?


    LOL


    Sorry, but I think the website owner has already lost the battle - Unless the extortionist gets caught - provided the duplicated data isn't with anyone!

    1. Re:You are so stupid if you pay! by Beryllium Sphere(tm) · · Score: 4, Interesting

      Anecdotes in the security community say that what you predict is already happening. A bank will pay an extortionist to keep quiet, congratulate itself on cheaply avoiding a scandal, and then they're marked as a Target Which Pays and more extortion demands come in from other crooks.

  8. Once again, a bad summary. by damiangerous · · Score: 4, Informative
    Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet,

    No, it doesn't say that at all. It says:

    "According to Carnegie Mellon's survey, 70% of those threatened with extortion say the attempts were unsuccessful."
    It does talk about how many businesses have had to deal with 'cyberextortion', and that percentage is just over half of the submitter's claims:
    "17% of the 100 companies surveyed say they've been the target of some form of cyberextortion."
    1. Re:Once again, a bad summary. by dema · · Score: 4, Informative

      If you look at the chart on the left side of the screen, you'll see the question: Has your company or any employee been the target of cyberextortion?. And, as indicated in the pie chart, 70% of those surveyed said No, just as the poster indicated. And in reference to the story only being about DDoSing, if you read the whole article you see:

      Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid.

      In January, Thomas Ray, 25, of Mississippi, was indicted for allegedly claiming to have found a security flaw in Best Buy Co.'s systems and threatening to expose and exploit that flaw unless he was paid $2.5 million. A trial is expected this fall. And last year, Kazakhstan hacker Oleg Zezev was sentenced to 51 months for illegally entering Bloomberg L.P.'s systems and threatening to disclose the break-in if he wasn't paid $200,000.


      The first one threatened DDoSing in addition to leaking info, and the other examples had nothing to do with DDoS.

  9. International Banking by xyote · · Score: 4, Insightful
    Without it, international extortion would be impossible. If you made the banks liable no matter how far the chain went, that kind of extortion would stop, just like that.

    There are analogies with the telcos enabling dial out frauds by sticking it to the customer. If the telcos and banks were responsible, they'd be real careful who they gave other people's money to.

  10. This story is part advertisement by Cryofan · · Score: 3, Insightful

    Like most media "news" stories.....

    --
    eat shiat and bark at the moon
  11. Victim does online gambling; shady = vulnerable by Nova Express · · Score: 5, Interesting
    It seems that just like in the real world, extortionists like to target operations of dubious legality. I suspect the low-hanging fruit for people looking to carry out this kind of spam are businesses in the gray area of legality and respectability (online gambling, porn sites, "Mexican Drug Stores," etc.). Though profitable, these sites might have more to fear with going to the police than paying the extortionist. This is why, here in the real, non-virtual world, criminals often prey on illegal immigrant businesses for "protection" money. I also wonder whether the firms being targeted are also vulnerable because they're too shady to deal with firms like Akamai.

    Now if only cyber-extortionists would target well-known spammers...

    --
    Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)

    http://www.lawrenceperson.com/

  12. insurance coverage by coklat · · Score: 3, Interesting

    Isn't there already an insurance policy for this kind of event... "business interruption policy"?

    --
    http://aip.corolla.or.id/
  13. It doesn't cost $100K to stop a DDoS attack! by Mordant · · Score: 3, Funny

    All you have to do is send me $100/month for the next 12 months, and you're golden.

    We're good like that, right? ;>

  14. Don't pay. by jellomizer · · Score: 4, Insightful

    Contact the FBI or some other form of crime investigation unit. Change all the accounts if possible. Also you should make a bunch of fake accounts beforehand (as well as tightening up your computer security, and for god's sake hire an independent consultant to run security audits on your network and your code as well if possible).

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  15. Threaten to put them on Slashdot by MinimeMongo · · Score: 4, Funny

    Pay me one million dollars or I'll post your website URL on Slashdot.