Online extortion works

Pay up, or your server gets it


Opinion: Online extortion is quietly affecting thousands of businesses, for a very simple reason: it works. The big question then becomes, how will you and your company decide to respond?

Many of us have seen Kenneth Branagh's excellent 1989 motion picture adaptation of Shakespeare's Henry V, and the general impression that most people take away is that the King is overall a good, valiant leader. Interestingly, though, Branagh left out an important scene in his film, one that the 1944 version starring Laurence Olivier included. In Act III, Scene 3, Henry and his men are before the gates of the besieged French city of Harfleur, and Henry explains to the Governor and the listening citizens of Harfleur what will happen if they do not surrender to the English forces.

How yet resolves the governor of the town?
This is the latest parle we will admit;
Therefore to our best mercy give yourselves;
Or like to men proud of destruction
Defy us to our worst: for, ...
If I begin the battery once again,
I will not leave the half-achieved Harfleur
Till in her ashes she lie buried.
The gates of mercy shall be all shut up,
And the flesh'd soldier, rough and hard of heart,
In liberty of bloody hand shall range
With conscience wide as hell, mowing like grass
Your fresh-fair virgins and your flowering infants.
... Therefore, you men of Harfleur,
Take pity of your town and of your people,
Whiles yet my soldiers are in my command;
Whiles yet the cool and temperate wind of grace
O'erblows the filthy and contagious clouds
Of heady murder, spoil and villany.
If not, why, in a moment look to see
The blind and bloody soldier with foul hand
Defile the locks of your shrill-shrieking daughters;
Your fathers taken by the silver beards,
And their most reverend heads dash'd to the walls,
Your naked infants spitted upon pikes,
Whiles the mad mothers with their howls confused
Do break the clouds, as did the wives of Jewry
At Herod's bloody-hunting slaughtermen.
What say you? will you yield, and this avoid,
Or, guilty in defence, be thus destroy'd?

To my mind, this is one of the great extortion scenes in literature (and I'd love to hear if my readers can think of any others). Henry is purposefully frightening Harfleur, knowing that the people of the town are listening and growing increasingly terrified as he speaks. He counts on the pressure that they will bring on the Governor as a way to avoid conflict and win an easy victory, and, sure enough, Harfleur yields immediately.

The lesson that Henry knew, and that is still known today by mobsters, loan sharks, and, increasingly, cyber-criminals, is simple: extortion works.

How bad is online extortion getting? Alan Paller, a speaker at a London SANS Institute conference, claims that, "Six or seven thousand organizations are paying online extortion demands ... Every online gambling site is paying extortion. Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Whether he's precisely accurate is not the point; the threat seems real with regard to online gambling. Talk about low-hanging fruit: websites that are on the more sordid side of the Net, raking in lots of cash that may or may not be totally legal, and dependent on an up-and-running website, without which the entire business is at risk. However, it's not just online gambling that is facing a rise in cyber-extortion. More legitimate businesses are increasingly at risk as well.

For example, Kentucky businessman Jay Broder received an email demanding $10,000; when he refused to pay, his company's website was down for a week, the victim of a DDoS. At first, Broder simply ignored the email, believing it to be spam. He learned his lesson when the attack began, and it took a switch to a new IP address and a new web host to solve his problem. Or maybe it's not solved. He could get another email. Soon.

Even semi-silly threats work on semi-ignorant users. CNN reported a year ago that blackmailers are increasingly sending emails to office workers in which the bad guys explain something like the following:

1. I, the bad guy, have taken over your corporate network.

2. At any time, I can take over your computer.

3. Once I do that, I will erase your hard drive or worse, I will place child pornography on your PC.

4. You will be disgraced, fired, and potentially arrested.

5. Pay me $25 and I'll leave you alone.

Now, everyone reading this column knows that the likelihood that steps 1-4 could be completed perfectly, in a way that would bring ruin to the lives of the poor saps reading those emails, is very low. But if you're Joe (or Jane) Officeworker, these emails could scare the hell out of you, and $25 really isn't that much, so why not pay up and avoid getting fired, or arrested, or, even worse, branded a sex offender?

So what can we do about this problem? Extortion is always a problem for law enforcement, since the blackmailer has something over those he's blackmailing. The threat of exposure and the threat of further harm work together to keep victims silent. The fact that the extortionist resides on another continent, in a country that is rather ... lax, shall we say, about acting on American requests for law enforcement, only adds to the problem. It's one thing to know that Bubba on the corner is shaking you down; it's another when it's 4ack3rD00d out on the interweb.

So what can security pros and their clients do if they're faced with cyber-extortion? You have three choices: counter-attack, pay up, or quietly contact the authorities. I don't recommend that you counter-attack; that will get everyone involved in a war of attrition that you'll never win. Pay up? It's easy for me, sitting here at my computer, to tell you never to do that, but I understand that situations can be sticky. I'd hate to see the criminals win, though, and I know you would too. That leaves contacting the authorities ... quietly. Let the FBI, or other appropriate authorities, know about your issue and ask their advice. To pay up or not to pay up: that is the question. Increasingly, it may be a question that you have to prepare to answer.

Copyright © 2004, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.
