Slashdot Mirror


Child Porn Accusation As Online Extortion Tactic

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.

9 of 321 comments

  1. It's all SMTP's fault! by LostCluster · · Score: 5, Insightful

    Using SMTP as our default e-mail system has got to go...

    SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with SMTP, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move e-mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

    1. Re:It's all SMTP's fault! by terraformer · · Score: 5, Insightful

      Actually, this could be done with the world's postal systems as well... Although it would cost more. The problem is not with SMTP itself, but people's reliance on it for authentication, which it was never designed for. What needs to happen is the widespread adoption and use of technology like SMIME. A technology that was designed to be used for authentication.

      --
      Who are you? The new #2 Who is #1? You are #617565. I am not a number, I am a free man! Muhahaha.
    2. Re:It's all SMTP's fault! by Albanach · · Score: 5, Insightful
      SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      But we have technology that works almost perfectly with existing SMTP servers that combats this very threat. SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

      Why should we change every MUA & MTA, almost certainly handing control of email to big business in the process, when we hold a solution in our hands? If your ISP doesn't support SPF, point them to this and suggest they adopt it. If you don't publish SPF records, set some up. If you get a virus warning from another company where your email address was forged, email them and suggest they start SPF checking. There are always going to be threats to internet protocols - this threat is one we can already deal with.

  2. Distribution of child pornography for profit by Scrameustache · · Score: 5, Insightful



    It should, however, get the attention of the authorities much more readily though.
    These guys admit to having illegal photographic material in their possession and are attempting to use it to make a buck. Catching these would be much better publicity for the enterprising coppers than some two-bit hackers.

    --

    You can't take the sky from me...

  3. blackEmail by Doc+Ruby · · Score: 5, Insightful

    Blackmailers like this provide the test cases that clean up Internet law by building case history. A judge's decision showing the blackmailer is liable protects other victims later, diluting the force of unfounded accusations with trivially contrived evidence.

    --
    make install -not war

  4. heh by JeanBaptiste · · Score: 5, Interesting

    Sounds just like an idea I had for a virus about 5 years ago. (No, I didn't write it.)

    The virus would load a couple of nastypics onto the victim's machine, then send out an email to the FBI. The first virus that would get you arrested.

    It was just an idea, I have never written a virus that has been let loose into the wild...

  5. Joe Jobs. by SeanDuggan · · Score: 5, Interesting

    Sounds like a fairly standard Joe Job such as has happened with DarkProfits. Only difference being here, they're actually extorting on the threat rather than simply trying to damage someone's reputation. Thing is, this could be very damaging. When it comes to child pornography, people tend to get very irrational and seldom check for any form of proof or second opinion. It's kind of like being accused of being a child molester IRL. Even once you prove your innocence, no one will quite look at you the same again and some people will never truly believe your innocence. Heck, the more squeaky-clean a life you lead, the more guilty you may seem to them. After all, you must have something to hide.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
  6. Hmmm... by temojen · · Score: 5, Insightful

    On reading the headline I thought the extortionists were threatening to upload child pornography to their servers then call the authorities.

    This would likely get their servers seized at least long enough to figure out that they'd been hacked. To an on-line business, that may just be long enough to put them out of business.

    With just emailing in their name, all the extortionists are doing is causing a brief blip of bad publicity before they get the word out that they're being framed.

  7. Risk vs Reward ? by vhold · · Score: 5, Interesting

    The guy doing the extorting now has to actually have child porn and has to send it himself. The risk if he gets caught is -way- greater than if he were just coordinating simple DDOS attacks. He'll get all kinds of scrutiny from all kinds of groups that ordinarily wouldn't bother. If he's in some totally untouchable country, he's in the unique position that now if the locals find out they'll probably actually care.

    I think the extra risk this behavior exposes the perpetrator to will go a long way to self-regulate this trend.