Slashdot Mirror


Child Porn Accusation As Online Extortion Tactic

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.

23 of 321 comments

  1. It's all SMTP's fault! by LostCluster · · Score: 5, Insightful

    Using SMTP as our default e-mail system has got to go...

    SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with SMTP, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move e-mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

    1. Re:It's all SMTP's fault! by DaHat · · Score: 4, Insightful

      I'm all for the retirement of SMTP... but don't you think it would be wise to have a well known, well supported and well used standard already in place before throwing out SMTP? Such a plan would go something like...

      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Personally, I fear Phase 2!

    2. Re:It's all SMTP's fault! by terraformer · · Score: 5, Insightful

      Actually, this could be done with the world's postal systems as well... Although it would cost more. The problem is not with SMTP itself, but people's reliance on it for authentication, which it was never designed for. What needs to happen is the widespread adoption and use of technology like SMIME. A technology that was designed to be used for authentication.

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.

    3. Re:It's all SMTP's fault! by Albanach · · Score: 5, Insightful

      SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      But we have technology that works almost perfectly with existing SMTP servers that combats this very threat. SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

      Why should we change every MUA & MTA, almost certainly handing control of email to big business in the process, when we hold a solution in our hands? If your ISP doesn't support SPF, point them to this and suggest they adopt it. If you don't publish SPF records, set some up. If you get a virus warning from another company where your email address was forged, email them and suggest they start SPF checking. There are always going to be threats to internet protocols - this threat is one we can already deal with.

    4. Re:It's all SMTP's fault! by gl4ss · · Score: 4, Insightful

      it wouldn't really solve anything.

      because basically the threat is that their name would get associated with child pornography.

      you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

      --
      world was created 5 seconds before this post as it is.

    5. Re:It's all SMTP's fault! by ajs · · Score: 4, Informative

      There's nothing wrong with SMTP... The problem lies with the lack of consensus on authentication, authorization and reputation systems for electronic mail.

      For example, using a combination of SPF and SMTP/AUTH you can easily prevent anyone who uses SPF from accepting invalid mail "from" your domain(s) while continuing to use the world's most pervasive mail transfer protocol.

      Problem is that people aren't willing to apply the time and effort required to do this globally.

      The next step is reputation, and as soon as you can be sure that the person claiming to be joe@example.com is in fact from example.com, you can begin assigning example.com a reputation. You'll see dozens of distributed reputation databases, just like IP-based blacklists, overnight.

      Want to move the process along? Add an SPF record for your domain and add an SPF milter (or equivalent for your MTA technology) to your mail server. The sooner forgeries stop, the sooner we can start building reputation and end this.

    6. Re:It's all SMTP's fault! by Zangief · · Score: 4, Funny


      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Personally, I fear Phase 2!


      But...your fear is developing according to your plan...so it is good, isn't it?

    7. Re:It's all SMTP's fault! by dgatwood · · Score: 4, Insightful

      SenderID isn't an acceptable solution. It relies on DNS, which is a fundamentally broken authentication mechanism. Remember a few years ago when all the rage was to require reverse DNS to be reasonable for SMTP requests? Remember why people stopped doing that? It wasn't because it didn't work. It was because:

      1. Lots of sites never got their RDNS entries right.
      2. DNS is unreliable.
      3. DNS resolution is usually not parallelizable.

      The result is that the spam we have now could be a denial of service attack in two ways:

      1. By overloading DNS servers of small companies.
      2. By using bogus domain names that cause 30 second stalls in your inbound traffic.

      It also fails to solve the phishing problem by providing no real, legitimate means to track the email back to an actual person, as it is trivial to register a domain like ebay-secure.com....

      To make a long story short, mechanisms like Sender-ID are impractical and aren't even a stop-gap solution because they don't solve the -real- problem, which is determining the source of a message. Instead, they solve an irrelevant side problem, that of being able to send a message with a faked source domain. That would have solved the spam problem five years ago (when this was the usual means for sending this stuff). Now, it's too little, too late.

      We need a mechanism based on verifiable key signing with the public keys transferred as an attachment to the message itself. With such a mechanism, you'd be able to track your way back through a chain of a handful of certifying keys until you get back to the certifying agency key. At that point, you have a verifiable audit trail for determining who sent the email message, and spammers will be effectively shut out unless they're willing to send messages that can be traced back to their home postal address, real email address, and real telephone number.

      Further, with a key-based mechanism, a list of legitimate IP numbers for the domain could also be sent along with the message, signed with the private key. This would give the (modest) added benefit of Sender-ID without the (potentially devastating) use of DNS to do it.

      Just my $0.03 (price adjusted due to inflation).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:It's all SMTP's fault! by legirons · · Score: 4, Insightful

      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Phase 4: Learn to cope with all the spam on the new system
      Phase 5: Wonder why you have to pay for every email
      Phase 6: Develop, implement, and distribute something SMTP-like again, and start signing emails.

    9. Re:It's all SMTP's fault! by garett_spencley · · Score: 4, Insightful

      you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

      Scary thing about such threats is that even that doesn't work. I wonder how many people out there will never go see another "The Who" show as long as they live because of the Pete Townshend incident.

      First it was "innocent until proven guilty", then it was "guilty until proven innocent" .. and now I'm inclined to believe that it's "just guilty because the public wants it to be that way".

      If someone accuses you of being a pedophile it doesn't matter if you're guilty or not .. your life is over. And it doesn't matter what you say to defend yourself because you're a monster and a liar in the public's eye.

  2. Whatever happened to "Laws" and "Rules"? by Enigma_Man · · Score: 4, Interesting

    I thought they were supposed to prevent stuff like this... or is it a matter of "once the crime's been committed, the damage is done permanently" so the law can't possibly compensate enough for the loss? Also, does it being probably international screw up the judicial process?

    -Jesse

    --
    Nothing says "unprofessional job" like wrinkles in your duct tape.
  3. Distribution of child pornography for profit by Scrameustache · · Score: 5, Insightful

    It should, however, get the attention of the authorities much more readily though.
    These guys admit to having illegal photographic material in their possession and are attempting to use it to make a buck. Catching these would be much better publicity for the enterprising coppers than some two-bit hackers.

    --

    You can't take the sky from me...

  4. blackEmail by Doc+Ruby · · Score: 5, Insightful

    Blackmailers like this provide the test cases that clean up Internet law by building case history. A judge's decision showing the blackmailer is liable protects other victims later, diluting the force of unfounded accusations with trivially contrived evidence.

    --
    make install -not war

  5. heh by JeanBaptiste · · Score: 5, Interesting

    sounds just like an idea I had for a virus about 5 years ago. (no, I didn't write it).

    The virus would load a couple of nastypics onto the victim's machine, then send out an email to the FBI. The first virus that would get you arrested.

    It was just an idea, I have never written a virus that has been let loose into the wild...

    1. Re:heh by JeanBaptiste · · Score: 4, Funny

      really? wow. I didn't even write a single line of code!

      I'm going to have to use slashdot as a programming interface more often.

  6. Sigh, so many scumbags and thugs. by turnstyle · · Score: 4, Interesting

    It just makes me wonder sometimes if anonymity on the Internet protects way more scumbags and thugs than it does free speech.

    And, it scares me miserably that I would even think about that as a tradeoff.

    --
    Here's what I do: Bitty Browser & Andromeda

    1. Re:Sigh, so many scumbags and thugs. by cowscows · · Score: 4, Insightful

      That's not what he said, jackass. He wasn't saying we should just take free speech away from people we don't like. Laws tend to take away rights in exchange for safety/order/efficiency/whatever. And hopefully the trade-off is worth it. Your parent post was implying dismay that a similar trade-off is almost looking appealing as people find more destructive ways to utilize the anonymity that the internet can provide.

      --

      One time I threw a brick at a duck.

  7. It really took this long? by Juvenall · · Score: 4, Insightful

    ..really, I'm shocked. The company I worked for a few months back on a contract basis was getting threats like "If you don't ____________ we'll spam in your name/send people false rates for your service/send a virus from your accounts/send magic pixies to rearrange in your sock drawer". This really seems like the natural progression of things, as sad as that sounds. You can really only hope for one of two options. Either inform the media and hope if and when it goes down, enough people are "in the know" that you can avoid any backlash or keep your fingers crossed that one of the proposed email verification ideas takes off.

  8. Joe Jobs. by SeanDuggan · · Score: 5, Interesting

    Sounds like a fairly standard Joe Job such as has happened with DarkProfits. Only difference being here, they're actually extorting on the threat rather than simply trying to damage someone's reputation. Thing is, this could be very damaging. When it comes to child pornography, people tend to get very irrational and seldom check for any form of proof or second opinion. It's kind of like being accused of being a child molester IRL. Even once you prove your innocence, no one will quite look at you the same again and some people will never truly believe your innocence. Heck, the more squeaky-clean of life you lead, the more guilty you may seem to them. After all, you must have something to hide.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.

  9. It's all USPS's fault! by thisissilly · · Score: 4, Insightful

    Using US Postal Service as our default mail system has got to go...

    USPS is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with USPS, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

  10. Hmmm... by temojen · · Score: 5, Insightful

    On reading the headline I thought the extortionists were threatening to upload child pornography to their servers then call the authorities.

    This would likely get their servers seized at least long enough to figure out that they'd been hacked. To an on-line business, that may just be long enough to put them out of business.

    With just emailing in their name, all the extortionists are doing is causing a brief blip of bad publicity before they get the word out that they're being framed.

  11. This is what happens... by MillionthMonkey · · Score: 4, Insightful

    ... when you establish thought crimes.

    If times were different the threat might be to send Communist propaganda.

  12. Risk vs Reward ? by vhold · · Score: 5, Interesting

    The guy doing the extorting now has to actually have child porn and has to send it himself. The risk if he gets caught is -way- greater than if he were just coordinating simple DDOS attacks. He'll get all kinds of scrutiny from all kinds of groups that ordinarily wouldn't bother. If he's in some totally untouchable country, he's in the unique position that now if the locals find out they'll probably actually care.

    I think the extra risk this behavior exposes the perpetrator to will go a long way to self regulate this trend.