Feeds

Online extortion works

Pay up, or your server gets it

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Opinion Online extortion is quietly affecting thousands of businesses, for a very simple reason: it works. The big question then becomes, how will you and your company decide to respond? Many of us have seen Kenneth Branagh's excellent 1989 motion picture adaptation of Shakespeare's Henry V, and the general impression that most people take away is that the King is overall a good, valiant leader. Interestingly, though, Branagh left out an important scene in his film, one that the 1944 version starring Laurence Olivier included. In Act III, Scene 3, Henry and his men are before the gates of the beseiged French city of Harfleur, and Henry explains to the Governor and the listening citizens of Harfleur what will happen if they do not surrender to the English forces.

How yet resolves the governor of the town?
This is the latest parle we will admit;
Therefore to our best mercy give yourselves;
Or like to men proud of destruction
Defy us to our worst: for, ...
If I begin the battery once again,
I will not leave the half-achieved Harfleur
Till in her ashes she lie buried.
The gates of mercy shall be all shut up,
And the flesh'd soldier, rough and hard of heart,
In liberty of bloody hand shall range
With conscience wide as hell, mowing like grass
Your fresh-fair virgins and your flowering infants.
... Therefore, you men of Harfleur,
Take pity of your town and of your people,
Whiles yet my soldiers are in my command;
Whiles yet the cool and temperate wind of grace
O'erblows the filthy and contagious clouds
Of heady murder, spoil and villany.
If not, why, in a moment look to see
The blind and bloody soldier with foul hand
Defile the locks of your shrill-shrieking daughters;
Your fathers taken by the silver beards,
And their most reverend heads dash'd to the walls,
Your naked infants spitted upon pikes,
Whiles the mad mothers with their howls confused
Do break the clouds, as did the wives of Jewry
At Herod's bloody-hunting slaughtermen.
What say you? will you yield, and this avoid,
Or, guilty in defence, be thus destroy'd?

To my mind, this is one of the great extortion scenes in literature (and I'd love to hear if my readers can think of any others). Henry is purposefully frightening Harfleur, knowing that the people of the town are listening and growing increasingly terrified as he speaks. He counts on the pressure that they will bring on the Governor as a way to avoid conflict and win an easy victory, and, sure enough, Harfleur yields immediately.

The lesson that Henry knew, and that is still known today by mobsters, loan sharks, and, increasingly, cyber-criminals, is simple: extortion works.

How bad is online extortion getting? Alan Paller, a speaker at a London SANS Institute conference, claims that, "Six or seven thousand organizations are paying online extortion demands ... Every online gambling site is paying extortion. Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Whether he's precisely accurate is not the point; the threat seems real with regard to online gambling. Talk about low-hanging fruit: websites that are on the more sordid side of the Net, raking in lots of cash that may or may not be totally legal, and requiring an up-and-running web site or the entire business is at risk. However, it's not just online gambling that is facing a rise in cyber-extortion. More legitimate businesses are increasingly at risk as well.

For example, Kentucky businessman Jay Broder received an email demanding $10,000; when he refused to pay, his company's website was down for a week, the victim of a DDoS. At first, Broder simply ignored the email, believing it to be spam. He learned his lesson when the attack began, and it took a switch to a new IP address and a new web host to solve his problem. Or maybe it's not solved. He could get another email. Soon.

Even semi-silly threats work on semi-ignorant users. CNN reported a year ago that blackmailers are increasingly sending emails to office workers in which the bad guys explain something like the following:

1. I, the bad guy, have taken over your corporate network.

2. At any time, I can take over your computer.

3. Once I do that, I will erase your hard drive or worse, I will place child pornography on your PC.

4. You will be disgraced, fired, and potentially arrested.

5. Pay me $25 and I'll leave you alone.

Now, everyone reading this column knows that the likelihood that steps 1-4 could be completed perfectly, in a way that would bring ruin to the lives of the poor saps reading those emails, is very low. But if you're Joe (or Jane) Officeworker, these emails could scare the hell out of you, and $25 really isn't that much, so why not pay up and avoid getting fired, or arrested, or, even worse, branded a sex offender?

So what can we do about this problem? Extortion is always a problem for law enforcement, since the blackmailer has something over those he's blackmailing. The threat of exposure, or the threat of further harm, work together to keep victims silent. The fact that the extortionist resides on another continent, in a country that is rather ... lax, shall we say, about acting on American requests for law enforcement, only adds to the problem. It's one thing to know that Bubba on the corner is shaking you down; it's another when it's 4ack3rD00d out on the interweb.

So what can security pros and their clients do if they're faced with cyber-extortion? You have three choices: counter-attack, pay up, or quietly contact the authorities. I don't recommend that you counter-attack; that will get everyone involved in a war of attrition that you'll never win. Pay up? It's easy for me, sitting here at my computer, to tell you never to do that, but I understand that situations can be sticky. I'd hate to see the criminals win, though, and I know you would too. That leaves contacting the authorities ... quietly. Let the FBI, or other appropriate authorities, know about your issue and ask their advice. To pay up or not to pay up: that is the question. Increasingly, it may be a question that you have to prepare to answer.

Copyright © 2004, SecurityFocus logo

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.

Related stories

Gimme clean bandwidth
Net extortionists in child porn threat
Feds bust DDoS 'Mafia'

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.