Slashdot Mirror

← Back to Stories (view on slashdot.org)

Child Porn Accusation As Online Extortion Tactic

Posted by timothy on from the sounds-like-an-fbi-method dept.

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.

44 of 321 comments (clear)

  1. It's all SMTP's fault! by LostCluster · · Score: 5, Insightful

    Using SMTP as our default e-mail system has got to go...

    SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with SMTP, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move e-mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

    1. Re:It's all SMTP's fault! by DaHat · · Score: 4, Insightful

      I'm all for the retirement of SMTP... but don't you think it would be wise to have a well known, well supported and well used standard already in place before throwing out SMTP? Such a plan would go something like...

      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Personally, I fear Phase 2!

      --
      Help Brendan pay off his student loans
    2. Re:It's all SMTP's fault! by terraformer · · Score: 5, Insightful

      Actually, this could be done with the world's postal systems as well... Although it would cost more. The problem is not with SMTP itself, but people reliance on it for authentication, which it was never designed for. What needs to happen is the widespread adoption and use of technology like SMIME. A technology that was designed to be used for authentication.

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    3. Re:It's all SMTP's fault! by Albanach · · Score: 5, Insightful
      SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      But we have technology that works almost perfectly with existing SMTP servers that combats this very threat. SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

      Why should we change every MUA & MTA, almost certainly handing control of email to big business in the process, when we hold a solution in our hands. If your ISP doesn't support SPF, point them to this and suggest they adopt it. If you don't publish SPF records, set some up. If you get a virus warning from another company where your email address was forged, email them and suggest they start SPF checking. There are alwyas going to be threats to internet protocols - this threat is one we can already deal with.

    4. Re:It's all SMTP's fault! by gl4ss · · Score: 4, Insightful

      it wouldn't really solve anything.

      because basically the threat is that their name would get associated with child pornography.

      you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

      --
      world was created 5 seconds before this post as it is.
    5. Re:It's all SMTP's fault! by suso · · Score: 3, Insightful

      Really, there should never be panic before development. That is when bad implementations happen. Look at the panic that led to the Patriot Act.

    6. Re:It's all SMTP's fault! by nolife · · Score: 2, Insightful

      Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      On that note, all of the technical people already know this so the smear campaign will not work against them. I can not even make a guess about the percentage of "plain folks" that might be fooled but probably not as many as you think. I'm sure every person in the world with an email account has got and noticed email with a fake from field considering the amount of spam and worm artifacts flying around. Child porn is a different level when compared to a scam email, a virus, a security breach, a click me from your friend, m0Rtg4Ge L000an, or a phishing attempt. Child porn would stand out as something a business obviuosly would not send. I do not believe the impact would be that great, maybe some sour feelings by the business owners and employees but not much bottom line impact. Maybe I am wrong..

      --
      Bad boys rape our young girls but Violet gives willingly.
    7. Re:It's all SMTP's fault! by dgatwood · · Score: 4, Insightful
      SenderID isn't an acceptable solution. It relies on DNS, which is a fundamentally broken authentication mechanism. Remember a few years ago when all the rage was to require reverse DNS to be reasonable for SMTP requests? Remember why people stopped doing that? It wasn't because it didn't work. It was because:

      1. Lots of sites never got their RDNS entries right.
      2. DNS is unreliable.
      3. DNS resolution is usually not parallelizable.
      The result is that the spam we have now could be a denial of service attack in two ways:

      1. By overloading DNS servers of small companies.
      2. By using bogus domain names that cause 30 second stalls in your inbound traffic.
      It also fails to solve the phishing problem by providing no real, legitimate means to track the email back to an actual person, as it is trivial to register a domain like ebay-secure.com....

      To make a long story short, mechanisms like Sender-ID are impractical and aren't even a stop-gap solution because they don't solve the -real- problem, which is determining the source of a message. Instead, they solve an irrelevant side problem, that of being able to send a message with a faked source domain. That would have solved the spam problem five years ago (when this was the usual means for sending this stuff). Now, it's too little, too late.

      We need a mechanism based on verifiable key signing with the public keys transferred as an attachment to the message itself. With such a mechanism, you'd be able to track your way back through a chain of a handful of certifying keys until you get back to the certifying agency key. At that point, you have a verifiable audit trail for determining who sent the email message, and spammers will be effectively shut out unless they're willing to send messages that can be traced back to their home postal address, real email address, and real telephone number.

      Further, with a key-based mechanism, a list of legitimate IP numbers for the domain could also be sent along with the message, signed with the private key. This would give the (modest) added benefit of Sender-ID without the (potentially devastating) use of DNS to do it.

      Just my $0.03 (price adjusted due to inflation).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:It's all SMTP's fault! by timster · · Score: 3, Insightful

      Of course, the systems currently being discussed do NOT require the domain administrator to "bless" a mail server; rather, they ALLOW a domain administrator to create restrictions.

      If I'm Citigroup, I'd sure like to be able to place restrictions on mail coming from citigroup.com, because otherwise people might think a falsified communication is actually from their bank -- bad news. If I'm the owner of "alumni.almamata.edu" I probably don't care.

      Spam has zero, zilch, zip to do with any of this since a spammer can easily own a DNS record. The only goal of systems like SPF is to prevent fraud. Sometimes spammers commit fraud but SPF does nothing to address those who do not.

      --
      I have seen the future, and it is inconvenient.
    9. Re:It's all SMTP's fault! by legirons · · Score: 4, Insightful

      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Phase 4: Learn to cope with all the spam on the new system
      Phase 5: Wonder why you have to pay for every email
      Phase 6: Develop, implement, and distribute something SMTP-like again, and start signing emails.

    10. Re:It's all SMTP's fault! by garett_spencley · · Score: 4, Insightful

      you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

      Scary thing about such threats is that even that doesn't work. I wonder how many people out there will never go see another "The Who" show as long as they live because of the Pete Townshend incident.

      First it was "innocent until proven guilty", then it was "guilty until proven innocent" .. and now I'm inclined to believe that it's "just guilty because the public wants it to be that way".

      If someone accuses you of being a pedofile it doesn't matter if you're guilty or not .. your life is over. And it doesn't matter what you say to defend yourself because you're a monster and a liar in the public's eye.

    11. Re:It's all SMTP's fault! by jandrese · · Score: 3, Insightful

      I hate to tell you this, but nobody considers your livejournal rants "important communication". Email is still used for almost everything business related and that is not going to change any time soon.

      --

      I read the internet for the articles.
    12. Re:It's all SMTP's fault! by Anonymous Coward · · Score: 2, Insightful

      The Patriot Act was hardly a panic development. They had much of it allready ready, they merely took advantage of the paniced public to get it passed.

    13. Re:It's all SMTP's fault! by triskaidekaphile · · Score: 3, Insightful
      Pehaps the Powers-That-Be do not want the unwashed masses to learn about encryption.

      Or perhaps the People might learn how thin is their illusion of privacy.

      Or perhaps -- just perhaps -- someone is afraid it would actually succeed! I wonder... who might that be?

      Perhaps.

      --
      @HbFyo0$k8 tH!$
    14. Re:It's all SMTP's fault! by geoffspear · · Score: 2, Insightful

      Umm, anyone can send child porn spam from your email address, to the 99.99% of the people on the Internet who have never heard of you, don't know you sign all of your messages, and wouldn't even care to have your public key if they knew about it. They probably can't ruin your reputation with anyone crypto-savvy who you regularly email, but so what?

      --
      Don't blame me; I'm never given mod points.
  2. Same solution as always by Anonymous Coward · · Score: 1, Insightful

    Publicize that this is in fact a lie and the truth shall set you free.

    In other words, once this scam is publicly known, it will be worthless for the scammers.

    1. Re:Same solution as always by 93,000 · · Score: 2, Insightful

      I disagree. Even though he was eventually cleared (but is still a dumbass), what comes to mind when you think of Pete Townshend? Sort of a different scenario, I know, but mud still sticks.

      It's not so much about fear of actual jail/persacution as it is about fear of the shitstorm that arises in the time it inevitably takes for the truth to be found.

      The charges were dropped against old Pete, but he still had his name mentioned in the same sentence as 'child porn' countless times in print and on the net.

      --
      Sweet informative mod.
  3. Distribution of child pornodraphy for profit by Scrameustache · · Score: 5, Insightful



    It should, however, get the attentio of the authorities much more readily though.
    These guys admit to having illegal photographic material in their possession and are attempting to use it to make a buck. Catching these would be much better publicity for the enterprising copppers than some two-bit hackers.

    --

    You can't take the sky from me...

  4. So, let the guy hurt himself by Dejohn · · Score: 2, Insightful

    What, this extortionist thinks that people will honestly believe that a legitimate organization is now sending child porn? I think not. Let him send out all this child porn, thus not only proving that he has it, but also that he's willing to commit extortion and probably a number of other crimes. Good luck to him...

    1. Re:So, let the guy hurt himself by Juvenall · · Score: 2, Insightful

      That's the thing though. The same idiots who buy from spammers or open attachments titled "10_YEAR_OLD_SEX.jpg" will be the same to report the email to whatever authority in their country deals with this crap. It sucks, but it's an effective way to bring unwanted headlines like "Company XYZ under investigation for child porn mailing".

    2. Re:So, let the guy hurt himself by Spad · · Score: 2, Insightful

      What, someone thinks that people will honestly believe that Hotmail wants them to forward an email to 20 people or their account will be closed down.

      People will believe anything that they read on the internet - the fact that everyone is still falling for phishing scams and getting rooted via email tojans should be proof enough of that fact.

  5. blackEmail by Doc+Ruby · · Score: 5, Insightful

    Blackmailers like this provide the test cases that clean up Internet law by building case history. A judge's decision showing the blackmailer is liable protects other victims later, diluting the force of unfounded accusations with trivially contrived evidence.

    --

    --
    make install -not war

  6. It really took this long? by Juvenall · · Score: 4, Insightful

    ..really, I'm shocked. The company I worked for a few months back on a contract basis was getting threats like "If you don't ____________ we'll spam in your name/send people fales rates for your service/send a virus from your accounts/send magic pixies to rearrange in your sock drawer". This really seems like the natural progression of things, as sad as that sounds. You can really only hope for one of two options. Either inform the media and hope if and when it goes down, enough people are "in the know" that you can avoid any backlash or keep your fingers crossed that one of the proposed email verification ideas takes off.

  7. good luck with that by poptones · · Score: 2, Insightful

    since they're probably in some flea bit FSU state. and given what many (if not most) in the US call "pornography" (when it comes to children) it wouldn't be hard at all to fill that promise by sending out a few pictures of the local kids playing on the beach.

    You seem to have forgotten that the internet doesn't end at the coasts?

    This isn't about framing them legally - it's about smearing their reputation further. Any competent website op is going to have logs, and their tiering partners are going to have logs as well. It would be almost trivial to prove to the FBI the "bad stuff" didn't come from them, but it would likely be a fair sight harder getting the luser recipients of said material to believe it.

  8. Re:Man... by crimethinker · · Score: 2, Insightful
    Couldnt they just find this suckers IP and track him down and get him fined or arrested?

    RTFA. These are online gambling sites. Most gambling has a large amount of organized crime involved. I think that getting fined/arrested should be the least of these scumbags' worries. And whatever the mob would do to them, they would deserve it.

    -paul

    --
    Pistol caliber is like religion: everyone has their favourite, and theirs is the only right choice.
  9. It's all USPS's fault! by thisissilly · · Score: 4, Insightful

    Using US Postal Service as our default mail system has got to go...

    USPS is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with USPS, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

  10. Re:Whatever happened to "Laws" and "Rules"? by gorbachev · · Score: 2, Insightful

    Welcome to the world of international law enforcement on crimes committed over the Internet.

    Perps: in Russia
    Victims: UK and US

    Victim contacts Scotland Yard or the FBI. If they have time, they'll investigate and figure out the perp is quite likely in Russia, but they can't be sure, because they used an anonymous proxy in South Korea. It's now about 3 months after the incident.

    They contact the South Korean network with the open proxy. They answer after a month or two saying they didn't keep logs. Pass go, do not go to prison.

    They then contact the Russian authorities. The Russians answer you have no proof this falls under Russian jurisdiction, and even if you did, you have failed to show how which Russian law was broken, and even if you did prove Russian law was broken, the punishment under Russian law is 5 months probation, and no, we will not extradite the criminal to the US or UK.

    We're now at 5 - 6 months after the incident.

    That's assuming it's not the Russian mafia, who really doesn't give a shit whether or not the Russian cops bust them for $7K extortion scam.

    --
    In Soviet Russia, I ruled you
  11. Comment removed by account_deleted · · Score: 2, Insightful

    Comment removed based on user account deletion

  12. Re:People have said that. by sn0wflake · · Score: 2, Insightful

    What a load of crap. Spammers are in the game for profit.

  13. maybe it's just me..... by to_kallon · · Score: 2, Insightful

    but if a company, and granted i don't gamble so i don't know what their typical mailings are like, that i do business with sends me an e-mail with pornography in it my first thought is not going to be, "sick bastards! i'll never gamble there again!" it's going to be "one more victim, how sad." i think this type of thing get's blown out of preportion, which if i might add is what the spammers are really looking for (next to money). no i'm not proposing that if we ignore it the problem will go away, find the useless scum and string them up, but i think people in general are smart enough to figure out that the companies they do business with aren't involved in the child pornography industry. i see this as a hollow threat because even if it is followed through with it's an annoyance at best (spoken as someone who has an effective spam filter). the worst part about this is the precedent it sets because i can garauntee this is not the last we've heard about this.

    --


    The only way to get rid of a temptation is to yield to it.
    -Oscar Wilde
  14. Slander hurts, even if your reputation is good. by adb · · Score: 2, Insightful

    Like Lyndon Johnson said, it's doesn't have to be true; it's enough to make the poor bastard deny it.

  15. Re:Sigh, so many scumbags and thugs. by TrentTheWiseA · · Score: 2, Insightful

    TRUE free speech requires anonymity, to prevent reprisals from the government or other parties that disagree with the speech. It's the same reason that we have anonymous voting. If you had to put your name and address on your ballot, then someone outside the voting area could use your past record against you to 'influence' you (usually with a heavy object or projectile weapon). They also have a list of people to deal with before they get the chance to vote in the next election.

    Yes, we may get a high noise-to-signal ratio by allowing ANYONE to say things and be anonymous, but otherwise we would end up with only those people speaking the party propaganda actually safe from harm. (Think PRAVDA, or other Soviet-era news outlets).

    And 'filtering' free speech, by definition, makes it non-free.

  16. Hmmm... by temojen · · Score: 5, Insightful

    On reading the headline I thought the extortionists were threatening to upload child pornography to their servers then call the authorities.

    This would likely get their servers seized at least long enough to figure out that they'd been hacked. To an on-line business, that may just be long enough to put them out of business.

    With just emailing in their name, all the extortionists are doing is causing a breif blip of bad publicity before they get the word out that they're being framed.

  17. This is what happens... by MillionthMonkey · · Score: 4, Insightful

    ... when you establish thought crimes.

    If times were different the threat might be to send Communist propaganda.

    1. Re:This is what happens... by Anonymous Coward · · Score: 1, Insightful

      CNN owns footage of the WTC falling. A crime (or at the least a very bad thing) had to be committed for the WTC to fall. ... Connecting dots ... CNN condones the Sept. 11 attacks?

  18. Re:Huh? by NarrMaster · · Score: 1, Insightful

    One thing you're not understanding: it was Catholic policy to move the priests to different locations which led to more children in danger instead of getting them help. That is just one notch below endorsement. Its sick.

    --
    That's right. All your base.
  19. Re:Sigh, so many scumbags and thugs. by cowscows · · Score: 4, Insightful

    That's not what he said, jackass. He wasn't saying we should just take free speech away from people we don't like. Laws tend to take away rights in exchange for safety/order/efficiency/whatever. And hopefully the trade-off is worth it. Your parent post was implying dismay that a similar trade-off is almost looking appealing as people find more destructive ways to utilize the anonymity that the internet can provide.

    --

    One time I threw a brick at a duck.

  20. BULLSHIT by schon · · Score: 2, Insightful

    But we have technology that works almost perfectly with existing SMTP servers that combats this very threat.

    No, we most certainly don't.

    SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

    And how, exactly, does this "combat" anything?

    Assume a scammer wants to extort money from "UpstandingCo.com". What's to stop them from registering "UpstandingCo.cx", "Upstanding-Co.com", "UpstandingCompany.com", or any one of a zillion other domains, setting up the appropriate SPF/SenderID record, and using that to send out their hoax emails?

    Anyone who would believe that "UpstandingCo.com" would send kiddie porn in the first place isn't going to be smart enough to realize that "Upstanding-Co.com" isn't the same outfit.

    *THAT* is the problem here. It's not a technical problem, it's a social one - and you can't solve a social problem with a technical solution.

  21. Couple of Things by Undefined+Parameter · · Score: 2, Insightful

    First off, it seems to me that the weak link in this extortion scheme would be the money transfer. The extortionist (not to be confused with "contortionist" or "exorcist", or some combination thereof) would have to be very clever not to be caught by the transfer. If it's something as simple as a wire or drop-off, catching the person or persons responsible would be a snap.

    Second, there is no reason to believe that the person(s) making the threat actually has child pornography (not that I'm defending him/her/them). The posession of the material is not required to make the threat. The extortionist could be like a bank robber without a firearm, either claiming to have one but not, or having a toy pistol (having "barely 18" pornography that looks like child pornography).

    In short, in order to actually pull something like this off without getting caught, one has to either be very smart or have a very stupid target.

    ~UP

    --
    Eat the Path.
  22. Re:Sigh, so many scumbags and thugs. by TrentTheWiseA · · Score: 2, Insightful

    Reprisals don't necessarily come from the government. Just because the government doesn't crack down on dissenting opinions, doesn't mean other groups or individuals don't. The call for anonymity protects the speaker from ALL sources of reprisals. The witness protection program, from organized crime reprisals. The whistleblower program (government protection for those uncovering corruption and/or misdeeds in the government processes) protect the person coming forward. News reporters protecting their sources is an old and honored practice, to prevent these sources from being endangered by 'forcing' them public. All of these are non-governmental persecution on free speech.

    Free speech is more than complaining about the government, it's the ability to say dissenting opinions about any subject. Individuals and groups unfortunately, respond with violence against these people that are publicly identified with their speech and/or policies. (Think presidental assassinations, the assassination of Martin Luthor King, Bobby Kennedy, many Equal Rights speakers during the 60's, church burnings, random killing of openly gay individuals, bombings of Planned Parenthood clinics, the list goes on.) Unpopular opinions can get one killed. Without anonymity, most of these people afraid for their safety would simply shut up.

  23. Even worse for the recipients? by thesandtiger · · Score: 2, Insightful

    Aside from the utter fucking nastiness of getting this stuff, it is just as bad to get busted receiving this shit as it is to be busted for sending it, in a frame-up such as this.

    I may be completely off here, but I seem to recall a case where a guy was persecuted/prosecuted based on some email he'd gotten via some group but hadn't requested. At least, that's what he claimed.

    Even if it were true that he requested it, the problem is with the ambiguity in the law but the complete lack of ambiguity in public opinion. Even if he were eventually found completely innocent and publically touted as a model citizen, there are still going to be all kinds of people who now know way more about his masturbation habits than he'd like, and probably quite a few who refuse to believe that he didn't do it - where there's smoke there's fire.

    I can't be certain, but I bet there are some people who have emailed child porn to people and then called the police to turn in the recipient, banking on exactly this kind of thing.

    What we need is one of 2 things:

    1: A system where we have some reasonable definition of what a person's intent is. Just because Joe Schmo signs up to recieve Hot Anal Action pictures from a Yahoo! group does not mean he is culpable when some asshole spams that group with child porn.

    2: A way to absolutely verify where an email came from and then ruthlessly bitchslap the person or people responsible for this kind of shit.

    In a reasonable world, I'd hope for 1, but who can say what'll happen.

    --
    Since I can't tell them apart, I treat all ACs as the same person.
  24. Why security matters by gmuslera · · Score: 2, Insightful
    Some time ago (when terrorist attack/paranoia/etc was on rise) my explanation to people for trying to be secure when online, and try to avoid virus, open shares, being hacked, etc, or just what kind of damage could do to him an enemy, is that is not just bandwidth that could be consumed, but in their computers/servers could be put an child pornography site, a fake al-qaeda site or a credit card sharing site, something that almost ensures that will have severe legal problems.

    Now, threatening with sending child porn with their email is not very serious. A lot of spam was sent with my email address (some spammers send spam with real email addresses instead of totally fake ones to try to have more luck, and being hit with that a few times), but checking mail headers normally clean a bit what really happened (why i would travel to mexico just to send spam? :).

    Of course, if the mail server of this people is an open relay or is hacked, and is used to send child pornography, spam, 419 scams, Al-Qaeda advertisement or any kind of law-breaking stuff, well, there mail headers will not help a lot, and they will have a bit of responsibility on that.

  25. Re:nothing new. by bani · · Score: 2, Insightful

    which city? which team? which tv station? names please

  26. Make it an offense to give in to blackmailers by johntromp · · Score: 3, Insightful

    Of course a smart company will realize that giving in to blackmail will do nothing except encourage more blackmailing, to the detriment of the whole industry. But in order for all companies to take this stance, it should be made an offense to pay off blackmailers, subject to heavy fines. That makes it much easier for a company to reply to scammers "i'm sorry, we'd love to pay you for your lack of services, but uncle sam won't let us." Such a law would be much more effective than a similar one for kidnappings and ransom, as it becomes more of a pure business decision rather than a moral and emotional dillema.