Cyber-Extortion: Web Sites Pay Up or Shut Down
The Internet makes many things in life easier. Add extortion to that list. In a new version of blackmail tailor-made for the information age, Web sites of businesses ranging from online casinos and satellite TV companies to payment processors and gateway providers are hijacked by thousands of "zombie" computers.
These computers, also known as "bots," bring down the sites through "distributed denial of service" attacks, or DDoS.
To understand how zombie computers are created, think "Invasion of the Body Snatchers" or "Night of the Living Dead." Worms, viruses and other security exploits released by a hacker infect unprotected computers. Like an evil puppet master, the hacker then has control of hundreds, even thousands, of computers.
When the hacker decides to attack a particular site, he commands his zombies to use their total bandwidth capacities to bombard that site, making it inaccessible to customers, who are greeted with a denial of service message.
Essentially, the armies of bots shut down the appropriated Web sites. What makes the attacks different from other types of security breaches is that they're carried out not merely for the thrill of the hunt, but for financial gain.
The attacked businesses begin to receive e-mails demanding payment in order for them to resume conducting business. For some, that has meant coming up with large sums of cash for ransom.
It's almost impossible to trace the origin of the command to attack because there are so many bots pummeling the sites. It's nearly impossible for the hijacked sites to block the attack, also because of the number of bots; there have been incidents in which up to 120,000 bots were directed in a single attack.
While some experts say this new brand of extortion is growing, there is no definitive agreement on the size or scope of the problem.
Anti-virus software developer Symantec released its bi-annual "Internet Security Threat Report" in September 2004. The report found that 4,496 new Windows viruses and worms were released between January and June 2004, but that the daily volume of attacks from worms and viruses actually decreased.
Nearly 39% of the total volume of attacks was linked with Web applications; Symantec classified almost 82% of Web application vulnerabilities as easy to exploit.
That's not the scariest part. The daily average number of bots jumped from 2,000 to 30,000, and the number of variant bots increased 600% in the first six months of this year. Bots spread through peer-to-peer services, Internet relay chat and network file sharing. Adware accounts for half of the malicious code submissions, according to Symantec.
As with phishing and identity theft, incidents of cyber-extortion are increasing across e-commerce, which the Symantec report cited as the industry targeted most often, with 16% of all attacks directed against it.
When companies such as payment gateways or processors are targeted, many other sites belonging to their customers, merchants or subscribers are also affected.
Awareness of online extortion is increasing, however; it's been discussed recently on The Green Sheet's MLS Forum, as well as in articles online and in newspapers around the country, including on the cover of "The Wall Street Journal."
One Louisville, Ky.-based ISO was not eager to speak with The Green Sheet about his experience as a victim of cyber-extortion. But the FBI is investigating his claim that his Web site was brought down and held for $10,000 ransom in April. Because he refused to pay, his site stayed down for over a week. He said he doesn't know why his business was targeted and doesn't want any further publicity around the incident.
Bots also targeted Authorize.Net. Glen Zimmerman, a spokesman for the payment gateway's parent company, Lightbridge Inc., said the DDoS occurred in mid-September and caused "modest disruption" of service. "We took some paramount measures to the infrastructure to thwart that attack and any further attacks," he said. "We're operating without issues." This was the first such incident in the three years he's been with the company, he said.
Who's responsible for the attacks varies by situation. Eastern European organized crime; corrupt vendors who sell software solutions to prevent denial of service attacks; and disgruntled businessmen using hackers-for-hire to seek revenge when deals go bad have all been implicated in online extortion cases.
Many people feel the situation will get worse before it gets better. Unwitting consumers with high-speed broadband Internet connections don't realize their home computers are just ripe for the plucking. And, as zombie technology gets more sophisticated, 20,000 bots can attack one site and be instantly redirected to attack a different one; 20,000 can easily increase to 100,000 or 1 or 2 million.