Slashdot Mirror


Businesses Pay $100,000 To DDoS Extortionists Who Never DDoS Anyone (arstechnica.com)

Dan Goodin, reporting for Ars Technica: In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service (DDoS) gang that has yet to launch a single attack. The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 by Bitcoin in protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.

An excerpt from CloudFlare blog post:

Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.

52 comments

  1. Identify Poor Management by ranton · · Score: 3, Insightful

    The least they could do is send out a list of all companies who paid extortion fees so people could identify inept management who should be replaced.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    1. Re:Identify Poor Management by bondsbw · · Score: 2

      Except, of course,

      the attackers can't tell who has paid the extortion fee and who has not

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:Identify Poor Management by Anonymous Coward · · Score: 1

      That's hard to believe, but true:

      CloudFlare also pointed out that the group asked multiple victims to send precisely the same payment amounts to the same Bitcoin addresses, a lapse that would make it impossible to know which recipients paid the blood money and which ones didn't.

    3. Re:Identify Poor Management by fustakrakich · · Score: 1

      Killing the golden goose, are we?

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Identify Poor Management by Big+Hairy+Ian · · Score: 1
      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    5. Re:Identify Poor Management by ArsenneLupin · · Score: 1

      Only if the attackers are as inept as their victim. If they know what they are doing, they set up a different Bitcoin address to receive the funds of each victim.

    6. Re:Identify Poor Management by aardvarkjoe · · Score: 1

      If they're not going to retaliate anyway, what's the point?

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    7. Re:Identify Poor Management by ArsenneLupin · · Score: 2

      If they're not going to retaliate anyway, what's the point?

      ... to know whom they can hit up for more money...

    8. Re:Identify Poor Management by irving47 · · Score: 1

      Nah, I can think of an easy way.
      This is how I'd do it.
      Actually, many of those who have had ebay or paypal or other 'real money'-linked have had to do this... (Maybe they still do. I have no idea.)
      When signing up for the service, they wanted to verify you had the checking account/information you signed up with. So they'd send you a transfer of anywhere from one cent to $2 or $3 and change. The only way to 'verify' was to use that deposit (some did it twice) as the confirmation code.

      So as long as they custom-wrote each threat so it had a unique extortion amount, they could know who sent them $2000.23 via bitcoin (xxx.com) or $2333.22 (yyy.com)

      --
      I had a sucky sig.
  2. Floating by Anonymous Coward · · Score: 0

    Still surprised that these sorts of people end up floating in the water somewhere. Scammers must be more hated than tax inspectors by now...

    Apparently they are very good at hiding their sorry asses...

  3. I can't understand how companies can be so stupid by Sycraft-fu · · Score: 4, Insightful

    What the hell can you possibly hope to gain by paying off DDoSers? If you do pay them, they have literally no incentive not to just keep extorting you, and then others can do the same. Ya getting DDoS'd sucks but the good news is any sizable DDoS costs them money too, they have to rent out a botnet so they can't sustain it for very long.

    This is much different than paying "protection money" to a criminal organization in the physical world. While, yes, it is still extortion at least there you have a benefit you get: They will legitimately protect you from other criminals. Organized crime is not interested in others muscling in on their business so they do actually work to protect businesses that buy them off. It is a heavy handed situation, as if you don't pay they will go after you themselves, but you can see why it would make some sense for a business to buy in. If the police are unwilling or unable to protect them, this can.

    With DDoS gangs on the Internet, there's nothing of the sort. They are just saying "Pay us and we won't bother you," but they can go back on that, or double dip. They can easily pretend to be someone else and demand you pay up, and others can also demand you pay up. I think the more you pay the more likely you are to have a reputation of an easy mark who can be extorted at will.

  4. That's a nice network you have there... by PvtVoid · · Score: 3

    ... it would be a pity if anything happened to it.

  5. Who cares? by Anonymous Coward · · Score: 0

    I sure as hell don't.

  6. Re:your wife by JcMorin · · Score: 1

    As suggested in the above comment, you should seek replacement.

  7. Admire the criminals by gurps_npc · · Score: 1

    They figured out you don't have to actually do the crime, just threaten to do it convincingly.

    --
    excitingthingstodo.blogspot.com
  8. Why would you DDoS extortionists? by Anonymous Coward · · Score: 0

    Is that a "fight fire with fire" kind of thing?

  9. How do they not know who paid? by Anonymous Coward · · Score: 0

    Did they send the same bitcoin wallet address to all the victims? Generating a new wallet address costs nothing and is easily scripted. Not a bright bunch...

  10. They could tell who paid, if they wanted... by ArsenneLupin · · Score: 1

    Given that the attackers can't tell who has paid the extortion fee and who has not,

    Theoretically they could. Just set up a different wallet (or bitcoin address, or whatever the correct term is...) to receive the ransom for each potential victim.

    But if they don't, and 2 victims compare notes, then it is easy to spot.
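The note comparison described in the comment above, as an added example that is not part of the original thread or CloudFlare's tooling: it pulls Bitcoin addresses out of extortion e-mails reported by several organizations, discards strings whose Base58Check checksum fails, and lists addresses that were sent to more than one recipient. The organization names, message bodies, amounts and addresses are constructed sample data, and only legacy Base58 addresses are handled.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC", re.I)

def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_encode(body: bytes) -> str:
    raw = body + _checksum(body)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_valid(addr: str) -> bool:
    """Reject candidates whose Base58Check checksum fails (typos, random strings)."""
    if not ADDR_RE.fullmatch(addr):
        return False
    n = sum(B58.index(c) * 58**i for i, c in enumerate(reversed(addr)))
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]

def shared_demands(reports):
    """Return valid addresses that appear in e-mails to two or more organizations."""
    seen = defaultdict(set)
    for org, body in reports:
        amount = AMOUNT_RE.search(body)
        for addr in filter(b58check_valid, ADDR_RE.findall(body)):
            seen[addr].add((org, amount.group(1) if amount else None))
    out = {}
    for addr, hits in seen.items():
        orgs = sorted({o for o, _ in hits})
        if len(orgs) > 1:
            out[addr] = {"orgs": orgs, "same_amount": len({a for _, a in hits}) == 1}
    return out

# Constructed sample data: addresses are encoded from labels, not real wallets.
ADDR_A = b58check_encode(b"\0" + hashlib.sha256(b"sample-A").digest()[:20])
ADDR_B = b58check_encode(b"\0" + hashlib.sha256(b"sample-B").digest()[:20])
TYPO = ADDR_A[:-1] + ("2" if ADDR_A[-1] != "2" else "3")  # one character garbled
REPORTS = [
    ("org-one.example", f"Pay 20 BTC to {ADDR_A} or be attacked."),
    ("org-two.example", f"Pay 20 BTC to {ADDR_A} or be attacked."),
    ("org-three.example", f"Send 10 BTC to {ADDR_B} within 24 hours."),
    ("org-four.example", f"Pay 20 BTC to {TYPO} or be attacked."),
]

if __name__ == "__main__":
    print(shared_demands(REPORTS))
```

An address flagged with `same_amount` set means the sender has no way to attribute a payment to a recipient, which is the lapse the CloudFlare post points out.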

  11. Re:I can't understand how companies can be so stup by roman_mir · · Score: 1

    Well, most companies are run by people who have been conditioned by the government Mafia 'to pay or else', so this is the only way they know. I don't have any issues going directly after the specific people that want to steal from me, most folks out there cannot even imagine doing that.

  12. Nice quick Google bomb :-) by ArsenneLupin · · Score: 3, Funny

    "The extortion emails encourage targeted victims to Google for the Armada Collective," CloudFlare CEO Matthew Prince wrote. "I'm hopeful this article will start appearing near the top of search results and help organizations act more rationally when they receive such a threat."

    ... and it did: https://www.google.com/search?q=armada+collective has as a top hit Empty DDoS Threats: Meet the Armada Collective - CloudFlare

  13. give me all your money... by Anonymous Coward · · Score: 0

    I have a Gub

    1. Re:give me all your money... by ole_timer · · Score: 1

      woody allen

      --
      nothing to see here - move along
  14. sad by bigdavex · · Score: 4, Funny

    It's a sad day when you can't trust extortionists to make good on their threats. Where's the pride in their craft? Where's the work ethic? Society is in decline.

    --
    -Dave
    1. Re:sad by Jason+Levine · · Score: 1

      These are the script kiddies of extortionists. They like to call themselves by the cool sounding name ("hacker" or "extortionist") but don't really have the skills needed to pull off what actual hackers/extortionists do. So they bluff their way through and fake some grand schemes in the hopes of gaining everyone's fear/respect for elite skills that they clearly don't have.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    2. Re:sad by Gavagai80 · · Score: 1

      In this case, since they never actually run a DDoS script, they're scriptless kiddies.

      --
      This space intentionally left blank
  15. It's better than actually doing a DDOS by Anonymous Coward · · Score: 0

    I almost (but not quite) like the cut of their jib.

  16. The invisible hand of the market by Anonymous Coward · · Score: 1

    The invisible hand of the market is sometimes attached to an invisible idiot.

  17. Wrong by Anonymous Coward · · Score: 1

    Against scammers you can use and defend with logic.

    You can't use logic when dealing with tax inspectors.

  18. What about the old days where they just paid bil by Joe_Dragon · · Score: 1

    What about the old days where they just paid bills for stuff like web services where some admin (non IT) just got a bill from some outside place for stuff that they did not even have as part of a scam.

  19. mob days by Joe_Dragon · · Score: 1

    You have a nice place here, it will be a shame if something bad were to happen.

  20. Re:$100,000? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    www.realdoll.com

  21. Opportunity cost wins by TheCarp · · Score: 3, Insightful

    See, they COULD set up DDOS infrastructure, they could spend time herding bots, and refreshing their botnet, but, every bit of effort they spend is cost. Cost that is being spent on something other than finding people who will pay.

    It is like going to trial, a lot more companies will threaten legal action than will go through with it. It's cheap to threaten, it's expensive to follow through, especially if it doesn't work out and becomes 100% cost.

    In short, contacting someone takes effort, following through with a threat takes more on top. The follow through is, quite literally, throwing good money after bad, and has a much lower ROI than the initial contact.

    All they have done is cut out the unprofitable part of their business.

    --
    "I opened my eyes, and everything went dark again"
    1. Re:Opportunity cost wins by Hentes · · Score: 1

      I'm not so sure this "hacking" group has any idea how to build a botnet. They have no more technical knowledge than Nigerian scammers.

    2. Re:Opportunity cost wins by TheCarp · · Score: 1

      Exactly, makes it even cheaper to not include people with skills they don't actually need. This makes them a lot more lean and increases ROI substantially.

      --
      "I opened my eyes, and everything went dark again"
    3. Re:Opportunity cost wins by tnk1 · · Score: 1

      I totally agree. Why actually execute an attack, with all the infrastructure setup that entails, when you can just pretend to be a feared attacker and have none of that cost? If they don't pay up, you didn't lose anything. If they do? Your margins are very, very good.

      Obviously, this falls apart if few enough people pay up that your costs for discovering them are higher than your returns. So, there has to at least be a minimum effort to craft your threat in a convincing way.

  22. The extortionists could easily track who paid by IheatMyAptWithCPUs · · Score: 2

    Simply by asking them to pay different, specific amounts. That amount clears? Check off the company who was "charged" that much.

  23. Oh that's funny by Anonymous Coward · · Score: 0

    I thought they were talking about CloudFlare - seeing as they are the primary beneficiaries of all these DDoS attacks.

  24. Re:Bitcoin do that with unique address by JcMorin · · Score: 1

    In the bitcoin world you track payers with addresses. If you sell a song for 99, you give each user a unique address with all the same amount and you know who paid by checking the addresses. Unlike banking, there is an unlimited number of addresses you can hold on a single wallet.

  25. Re:I can't understand how companies can be so stup by Dwedit · · Score: 1

    "Protection money" doesn't cover protection from other criminals, it only means "nice business you got there, shame if something were to happen to it".

  26. Re:What about the old days where they just paid by Jason+Levine · · Score: 2

    I was talking to one of my managers about this sort of thing recently. It wasn't too many years ago that you would get a bill for "paper/toner/etc." You didn't actually buy these products from this company, but they would send out tons of bills and a percentage of companies blindly paid them. It was enough to keep the scammer in business sending out more and more letters.

    On the IT side, we used to get notices from Domain Registry of America to "renew" our domains for the low, low price of $45 a year! Of course, we didn't register our domains with them, their "low price" was over 3 times what we paid for our registration, and reading the fine print showed that this was a domain transfer to them and NOT a renewal. We were lucky that the managers who got these notices just forwarded them on to me to take care of. (My method of "taking care of them" involved ripping and tossing into the trash.)

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  27. Re: I can't understand how companies can be so stu by Anonymous Coward · · Score: 0

    "If you do pay them, they have literally no incentive not to just keep extorting you, and then others can do the same"

    And yet people continue to pay taxes.

  28. Re:I can't understand how companies can be so stup by LiENUS · · Score: 1

    "Protection money" doesn't cover protection from other criminals, it only means "nice business you got there, shame if something were to happen to it".

    Not in any sane protection racket scheme, even Wikipedia can tell you this
    https://en.wikipedia.org/wiki/Protection_racket

    In an extortion racket, the racketeers agree simply to not attack a business. In a protection racket the criminals agree to defend a business from any attack. Conversely, extortion racketeers will have to defend their clients if threatened by a rival gang to avoid the client transferring their allegiance.

    Yes it's possible for the people running the racket to be morons, but the end result is someone else will come in and sway their client to them and actually protect them from the original gang.

  29. Another win for bitcoin! by Anonymous Coward · · Score: 0

    There goes the "can't pay taxes with it" argument; it's backed by the full faith and credit of crackers!

    All the crackers need to do now is set up a voting-for-DDoS system where most people don't actually vote or have a rational incentive to do so, the votes aren't all counted, when they are counted it's by machines that don't work properly or keep records, and determines the winner using a bugged algorithm that causes a spoiler effect... then this tax will be legitimate too.

    You can't expect to live in a civilized society brought about by online extortionists and then refuse to pay your fair share. If you don't like it, move to North Korea!

  30. the new Danegeld by Anonymous Coward · · Score: 0

    The new Danegeld
    https://en.wikipedia.org/wiki/Danegeld

  31. extortion hypothetical by orgelspieler · · Score: 1

    What if, instead of threatening DDoS, they had chosen their words more carefully. "We have received actionable intelligence that your company is being targeted by $SCARY_HACKER_GROUP. They will DDoS your site on or around $DATE. We have the ability to thwart their actions, but we request a one-time fee of ##BTC to help cover our costs. Please send the payment to $BTC_ADDRESS." Would this be extortion? Is it equivalent to "Nice bar you have here, it would be a shame if something were to happen to it."

    1. Re:extortion hypothetical by Gavagai80 · · Score: 1

      While people like to imagine they can get away with things on a technicality of careful wording, I expect this would be up to the judgement of the judge/jury of the intent. In this case, if you can't show exactly how you received your intelligence and exactly how you'd stop the hackers, you'll be judged to have criminal intent.

      --
      This space intentionally left blank
  32. A fool and his money by John.Banister · · Score: 1

    are soon parted. To the 14 year olds with $100k in bitcoin: The next scam would be to set yourselves up as an "email threat assessment service." It's a slightly longer con, but they're primed to buy in.

  33. Re:I can't understand how companies can be so stup by wisnoskij · · Score: 1

    "no incentive not to just keep extorting you, and then others can do the same."
    Except for honour, and not wanting to ruin a good thing by convincing the other gazillion businesses to not pay them. They have every reason in the world to go on down the list of inexhaustible businesses you have not extorted yet. On a purely profit motive, it is probably not even worth launching a DDoS if your extortion fails, most of the time. You just need a few public demonstrations of what will happen, if 99% of the failed extortions never lead to anything and remain private it does not matter.

    --
    Troll is not a replacement for I disagree.
  34. Once again, we had advance warning. by Krishnoid · · Score: 1

    We've known about these miscreants for many years, and yet remained negligent. We only have ourselves to blame.

  35. Re:What about the old days where they just paid by Anonymous Coward · · Score: 0

    I think DROA itself was finally shut down, but that scam is still ongoing with different business names. I get at least a dozen spams a week wanting to "renew" domains. Been a while since I've received one in the dead tree mail.