Online extortion works
Submitted by Templar Titan on Tue, 01/11/2005 - 18:13.
Online extortion works
By Scott
<http://forms.theregister.co.uk/mail_author/?story_url=/2004/12/14/online_ex
tortion_works/> Granneman, SecurityFocus (scott at granneman.com)
Published Tuesday 14th December 2004 10:50 GMT
Opinion Online extortion is quietly affecting thousands of businesses, for
a
very simple reason: it works. The big question then becomes, how will you
and your company decide to respond? Many of us have seen Kenneth Branagh's
excellent 1989 <http://us.imdb.com/title/tt0097499/> motion picture
adaptation (http://us.imdb.com/title/tt0097499/) of Shakespeare's Henry V,
and the general impression that most people take away is that the King is
overall a good, valiant leader. Interestingly, though, Branagh left out an
important scene in his film, one that the 1944 version
<http://us.imdb.com/title/tt0036910/> (http://us.imdb.com/title/tt0036910/)
starring Laurence Olivier included. In Act
<http://www.online-literature.com/view.php/henryV/13?term=harfleur> III,
Scene 3 (http://www.online-literature.com/view.php/henryV/13?term=harfleur),
Henry and his men are before the gates of the beseiged French city of
Harfleur, and Henry explains to the Governor and the listening citizens of
Harfleur what will happen if they do not surrender to the English forces.
How yet resolves the governor of the town?
This is the latest parle we will admit;
Therefore to our best mercy give yourselves;
Or like to men proud of destruction
Defy us to our worst: for, ...
If I begin the battery once again,
I will not leave the half-achieved Harfleur
Till in her ashes she lie buried.
The gates of mercy shall be all shut up,
And the flesh'd soldier, rough and hard of heart,
In liberty of bloody hand shall range
With conscience wide as hell, mowing like grass
Your fresh-fair virgins and your flowering infants.
... Therefore, you men of Harfleur,
Take pity of your town and of your people,
Whiles yet my soldiers are in my command;
Whiles yet the cool and temperate wind of grace
O'erblows the filthy and contagious clouds
Of heady murder, spoil and villany.
If not, why, in a moment look to see
The blind and bloody soldier with foul hand
Defile the locks of your shrill-shrieking daughters;
Your fathers taken by the silver beards,
And their most reverend heads dash'd to the walls,
Your naked infants spitted upon pikes,
Whiles the mad mothers with their howls confused
Do break the clouds, as did the wives of Jewry
At Herod's bloody-hunting slaughtermen.
What say you? will you yield, and this avoid,
Or, guilty in defence, be thus destroy'd?
To my mind, this is one of the great extortion scenes in literature (and I'd
love to hear if my readers can think of any others). Henry is purposefully
frightening Harfleur, knowing that the people of the town are listening and
growing increasingly terrified as he speaks. He counts on the pressure that
they will bring on the Governor as a way to avoid conflict and win an easy
victory, and, sure enough, Harfleur yields immediately.
The lesson that Henry knew, and that is still known today by mobsters, loan
sharks, and, increasingly, cyber-criminals, is simple: extortion works.
How bad is online extortion getting? Alan
<http://news.com.com/Expert%3A+Online+extortion+growing+more+common/2100-734
9_3-5403162.html> Paller, a speaker at a London SANS Institute conference,
claims
(http://news.com.com/Expert%3A+Online+extortion+growing+more+common/2100-...
9_3-5403162.html) that, "Six or seven thousand organizations are paying
online extortion demands ... Every online gambling site is paying extortion.
Hackers use DDoS (distributed denial-of-service) attacks, using botnets to
do it. Then they say, 'Pay us $40,000, or we'll do it again.'"
Whether he's precisely accurate is not the point; the threat seems real with
regard to online gambling. Talk about low-hanging fruit: websites that are
on the more sordid side of the Net, raking in lots of cash that may or may
not be totally legal, and requiring an up-and-running web site or the entire
business is at risk. However, it's not just online
<http://www.cnn.com/2003/TECH/internet/12/29/cyber.blackmail.reut/index.html
> gambling
(http://www.cnn.com/2003/TECH/internet/12/29/cyber.blackmail.reut/index.h...
) that is facing a
<http://www.businessweek.com/bwdaily/dnflash/aug2000/nf20000822_308.htm>
rise in cyber-extortion
(http://www.businessweek.com/bwdaily/dnflash/aug2000/nf20000822_308.htm).
More legitimate businesses are increasingly at risk as well.
For example, Kentucky businessman Jay Broder received an email demanding
$10,000; when he refused to pay, his company's
<http://thewhir.com/marketwatch/fbi051004.cfm> website was down for a
week
(http://thewhir.com/marketwatch/fbi051004.cfm), the victim of a DDoS. At
first, Broder simply ignored the email, believing it to be spam. He learned
his lesson when the attack began, and it took a switch to a new IP address
and a new web host to solve his problem. Or maybe it's not solved. He could
get another email. Soon.
Even semi-silly threats work on semi-ignorant users. CNN
<http://www.cnn.com/2003/TECH/internet/12/29/cyber.blackmail.reut/index.html
> reported a year ago
(http://www.cnn.com/2003/TECH/internet/12/29/cyber.blackmail.reut/index.h...
) that blackmailers are increasingly sending emails to office workers in
which the bad guys explain something like the following:
1. I, the bad guy, have taken over your corporate network.
2. At any time, I can take over your computer.
3. Once I do that, I will erase your hard drive or worse, I will place child
pornography on your PC.
4. You will be disgraced, fired, and potentially arrested.
5. Pay me $25 and I'll leave you alone.
Now, everyone reading this column knows that the likelihood that steps 1-4
could be completed perfectly, in a way that would bring ruin to the lives of
the poor saps reading those emails, is very low. But if you're Joe (or Jane)
Officeworker, these emails could scare the hell out of you, and $25 really
isn't that much, so why not pay up and avoid getting fired, or arrested, or,
even worse, branded a sex offender?
So what can we do about this problem? Extortion is always a problem for law
enforcement, since the blackmailer has something over those he's
blackmailing. The threat of exposure, or the threat of further harm, work
together to keep victims silent. The fact that the extortionist resides on
another continent, in a country that is rather ... lax, shall we say, about
acting on American requests for law enforcement, only adds to the problem.
It's one thing to know that Bubba on the corner is shaking you down; it's
another when it's 4ack3rD00d out on the interweb.
So what can security pros and their clients do if they're faced with
cyber-extortion? You have three choices: counter-attack, pay up, or quietly
contact the authorities. I don't recommend that you counter-attack; that
will get everyone involved in a war of attrition that you'll never win. Pay
up? It's easy for me, sitting here at my computer, to tell you never to do
that, but I understand that situations can be sticky. I'd hate to see the
criminals win, though, and I know you would too. That leaves contacting the
authorities ... quietly. Let the FBI, or other appropriate authorities, know
about your issue and ask their advice. To pay up or not to pay up: that is
the question. Increasingly, it may be a question that you have to prepare to
answer.
Copyright C 2004, <http://www.securityfocus.com/> SecurityFocus
logo(http://www.securityfocus.com/)
Scott Granneman <mailto:scott@granneman.com> (mailto:scott@granneman.com)
is a senior consultant for Bryan Consulting Inc. in St. Louis. He
specializes in Internet Services and developing Web applications for
corporate, educational, and institutional clients.
