

Businesses Pay $100,000 To DDoS Extortionists Who Never DDoS Anyone (arstechnica.com)

Dan Goodin, reporting for Ars Technica: In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service (DDoS) gang that has yet to launch a single attack. The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 by Bitcoin in protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.

An excerpt from the CloudFlare blog post:

Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.

10 of 52 comments

  1. Identify Poor Management by ranton · · Score: 3, Insightful

    The least they could do is send out a list of all companies who paid extortion fees so people could identify inept management who should be replaced.

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    1. Re:Identify Poor Management by bondsbw · · Score: 2

      Except, of course,

      the attackers can't tell who has paid the extortion fee and who has not

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:Identify Poor Management by ArsenneLupin · · Score: 2

      If they're not going to retaliate anyway, what's the point?

      ... to know whom they can hit up for more money...

  2. I can't understand how companies can be so stupid by Sycraft-fu · · Score: 4, Insightful

    What the hell can you possibly hope to gain by paying off DDoSers? If you do pay them, they have literally no incentive not to just keep extorting you, and then others can do the same. Ya getting DDoS'd sucks but the good news is any sizable DDoS costs them money too, they have to rent out a botnet so they can't sustain it for very long.

    This is much different than paying "protection money" to a criminal organization in the physical world. While, yes, it is still extortion at least there you have a benefit you get: They will legitimately protect you from other criminals. Organized crime is not interested in others muscling in on their business so they do actually work to protect businesses that buy them off. It is a heavy handed situation, as if you don't pay they will go after you themselves, but you can see why it would make some sense for a business to buy in. If the police are unwilling or unable to protect them, this can.

    With DDoS gangs on the Internet, there's nothing of the sort. They are just saying "Pay us and we won't bother you," but they can go back on that, or double dip. They can easily pretend to be someone else and demand you pay up, and others can also demand you pay up. I think the more you pay the more likely you are to have a reputation of an easy mark who can be extorted at will.

  3. That's a nice network you have there... by PvtVoid · · Score: 3

    ... it would be a pity if anything happened to it.

  4. Nice quick Google bomb :-) by ArsenneLupin · · Score: 3, Funny

    "The extortion emails encourage targeted victims to Google for the Armada Collective," CloudFlare CEO Matthew Prince wrote. "I'm hopeful this article will start appearing near the top of search results and help organizations act more rationally when they receive such a threat."

    ... and it did: https://www.google.com/search?q=armada+collective has as a top hit Empty DDoS Threats: Meet the Armada Collective - CloudFlare

  5. sad by bigdavex · · Score: 4, Funny

    It's a sad day when you can't trust extortionists to make good on their threats. Where's the pride in their craft? Where's the work ethic? Society is in decline.

    --
    -Dave
  6. Opportunity cost wins by TheCarp · · Score: 3, Insightful

    See, they COULD set up DDOS infrastructure, they could spend time herding bots, and refreshing their botnet, but, every bit of effort they spend is cost. Cost that is being spent on something other than finding people who will pay.

    It is like going to trial, a lot more companies will threaten legal action than will go through with it. It's cheap to threaten, it's expensive to follow through, especially if it doesn't work out and becomes 100% cost.

    In short, contacting someone takes effort, following through with a threat takes more on top. The follow through is, quite literally, throwing good money after bad, and has a much lower ROI than the initial contact.

    All they have done is cut out the unprofitable part of their business.

    --
    "I opened my eyes, and everything went dark again"
  7. The extortionists could easily track who paid by IheatMyAptWithCPUs · · Score: 2

    Simply by asking them to pay different, specific amounts. That amount clears? Check off the company who was "charged" that much.

  8. Re:What about the old days where they just paided by Jason+Levine · · Score: 2

    I was talking to one of my managers about this sort of thing recently. It wasn't too many years ago that you would get a bill for "paper/toner/etc." You didn't actually buy these products from this company, but they would send out tons of bills and a percentage of companies blindly paid them. It was enough to keep the scammer in business sending out more and more letters.

    On the IT side, we used to get notices from Domain Registry of America to "renew" our domains for the low, low price of $45 a year! Of course, we didn't register our domains with them, their "low price" was over 3 times what we paid for our registration, and reading the fine print showed that this was a domain transfer to them and NOT a renewal. We were lucky that the managers who got these notices just forwarded them on to me to take care of. (My method of "taking care of them" involved ripping and tossing into the trash.)

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.