Fighting Online Extortion

prostoalex writes "Information Week talks about those mornings, when an owner of an online business receives an e-mail message with his customer accounts and other personal information quoted, and extortionist asking for certain amount of money to be transferred to a foreign bank. Although 70% of the businesses surveyed for the article claim they never had to deal with extortion on the Internet, the article claims those small businesses who think they are not interesting for extortionists, are in for a surprise."

I worry for my employer

Posted anonymously for obvious reasons...

My employer has a large site done in PHP that grew over the years, and is rife with opportunities for SQL injection.

They know what needs to change, and there is a plan to get from here to there over the next year, including a new in-house white-box security testing team. In the mean time, we are standing around with our pants down.

The thing that keeps me awake nights is: What happens if some disgruntled ex-employee (there are two floating around out there) decides to seek vengeance against us by targetting us in an extortion scheme?

So who are the extortionists?

[mindaktiviti]

"WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says."

THAT is really freaky.

You are so stupid if you pay!

[earthstar]

Atleast this extortion wont leave people in a dilemma whetehr to pay or not because there simply cannot be any question of paying, whatsoever may be the data!!

This extortion isnt like conventional extortions where in you get your thing back when you pay.

The extortionist obviously would have made copied of the data, and would hav given to so many of his friends.....If someones gonna pay,would he be paying to every one of the mails asking for the same data he had paid?

LOL

Sorry, but I think the website owner has already lost the battle - Unless the extortionist get caught - provided the duplicated data doesnt isnt with anyone!

Re:Sounds like a business opportunity.

[Nakkel]

Who would a person call if they had some problems like this?

Ghostbusters?

Victim does online gambling; shady = vulnerable

[Nova+Express]

It seems that just like in the real world, extortionists like to target operations of dubious legality. I suspect the low-hanging fruit for people looking to carry out this kind of spam are businesses in the gray area of legality and respectability (online gambling, porn sites, "Mexican Drug Stores," etc.). Though profitable, these sites might have more to fear with going to the police than paying the extortionist. This is why, here in the real, non-virtual world, criminals often pray on illegal immigrant businesses for "protection" money. I also wonder whether the firms being targeted are also vulnerable because they're too shady to deal with firms like Akamai.

Now if only cyber-extortionists would target well-known spammers...

Re:Sounds like a business opportunity.

[Zocalo]

Who would a person call if they had some problems like this?

In the US? The FBI I think; it's wire fraud which is a very serious offence and the foreign bank account angle takes it out of the jurisdiction of local/state police. I've been peripherally involved with something like this in the UK where the National High Tech Crime Unit got involved; the important things are not to panic and to contact the authorities immediately so they can do their thing.

In my instance, the NHTCU took care of contacting the banks responsible for the various credit cards and everything, or at least passed the information along to the relevent organisation(s). I gather most of the banks simply issued a new credit card without making a fuss or the customer aware of the real reason for that matter. And yes, the perps got busted - or more accurately got stung due to the combination of information recovered from the compromised box and a few "creative" emails written by the NHTCU.