Online extortion works

Pay up, or your server gets it

  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Opinion Online extortion is quietly affecting thousands of businesses, for a very simple reason: it works. The big question then becomes, how will you and your company decide to respond? Many of us have seen Kenneth Branagh's excellent 1989 motion picture adaptation of Shakespeare's Henry V, and the general impression that most people take away is that the King is overall a good, valiant leader. Interestingly, though, Branagh left out an important scene in his film, one that the 1944 version starring Laurence Olivier included. In Act III, Scene 3, Henry and his men are before the gates of the beseiged French city of Harfleur, and Henry explains to the Governor and the listening citizens of Harfleur what will happen if they do not surrender to the English forces.

How yet resolves the governor of the town?
This is the latest parle we will admit;
Therefore to our best mercy give yourselves;
Or like to men proud of destruction
Defy us to our worst: for, ...
If I begin the battery once again,
I will not leave the half-achieved Harfleur
Till in her ashes she lie buried.
The gates of mercy shall be all shut up,
And the flesh'd soldier, rough and hard of heart,
In liberty of bloody hand shall range
With conscience wide as hell, mowing like grass
Your fresh-fair virgins and your flowering infants.
... Therefore, you men of Harfleur,
Take pity of your town and of your people,
Whiles yet my soldiers are in my command;
Whiles yet the cool and temperate wind of grace
O'erblows the filthy and contagious clouds
Of heady murder, spoil and villany.
If not, why, in a moment look to see
The blind and bloody soldier with foul hand
Defile the locks of your shrill-shrieking daughters;
Your fathers taken by the silver beards,
And their most reverend heads dash'd to the walls,
Your naked infants spitted upon pikes,
Whiles the mad mothers with their howls confused
Do break the clouds, as did the wives of Jewry
At Herod's bloody-hunting slaughtermen.
What say you? will you yield, and this avoid,
Or, guilty in defence, be thus destroy'd?

To my mind, this is one of the great extortion scenes in literature (and I'd love to hear if my readers can think of any others). Henry is purposefully frightening Harfleur, knowing that the people of the town are listening and growing increasingly terrified as he speaks. He counts on the pressure that they will bring on the Governor as a way to avoid conflict and win an easy victory, and, sure enough, Harfleur yields immediately.

The lesson that Henry knew, and that is still known today by mobsters, loan sharks, and, increasingly, cyber-criminals, is simple: extortion works.

How bad is online extortion getting? Alan Paller, a speaker at a London SANS Institute conference, claims that, "Six or seven thousand organizations are paying online extortion demands ... Every online gambling site is paying extortion. Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"

Whether he's precisely accurate is not the point; the threat seems real with regard to online gambling. Talk about low-hanging fruit: websites that are on the more sordid side of the Net, raking in lots of cash that may or may not be totally legal, and requiring an up-and-running web site or the entire business is at risk. However, it's not just online gambling that is facing a rise in cyber-extortion. More legitimate businesses are increasingly at risk as well.

For example, Kentucky businessman Jay Broder received an email demanding $10,000; when he refused to pay, his company's website was down for a week, the victim of a DDoS. At first, Broder simply ignored the email, believing it to be spam. He learned his lesson when the attack began, and it took a switch to a new IP address and a new web host to solve his problem. Or maybe it's not solved. He could get another email. Soon.

Even semi-silly threats work on semi-ignorant users. CNN reported a year ago that blackmailers are increasingly sending emails to office workers in which the bad guys explain something like the following:

1. I, the bad guy, have taken over your corporate network.

2. At any time, I can take over your computer.

3. Once I do that, I will erase your hard drive or worse, I will place child pornography on your PC.

4. You will be disgraced, fired, and potentially arrested.

5. Pay me $25 and I'll leave you alone.

Now, everyone reading this column knows that the likelihood that steps 1-4 could be completed perfectly, in a way that would bring ruin to the lives of the poor saps reading those emails, is very low. But if you're Joe (or Jane) Officeworker, these emails could scare the hell out of you, and $25 really isn't that much, so why not pay up and avoid getting fired, or arrested, or, even worse, branded a sex offender?

So what can we do about this problem? Extortion is always a problem for law enforcement, since the blackmailer has something over those he's blackmailing. The threat of exposure, or the threat of further harm, work together to keep victims silent. The fact that the extortionist resides on another continent, in a country that is rather ... lax, shall we say, about acting on American requests for law enforcement, only adds to the problem. It's one thing to know that Bubba on the corner is shaking you down; it's another when it's 4ack3rD00d out on the interweb.

So what can security pros and their clients do if they're faced with cyber-extortion? You have three choices: counter-attack, pay up, or quietly contact the authorities. I don't recommend that you counter-attack; that will get everyone involved in a war of attrition that you'll never win. Pay up? It's easy for me, sitting here at my computer, to tell you never to do that, but I understand that situations can be sticky. I'd hate to see the criminals win, though, and I know you would too. That leaves contacting the authorities ... quietly. Let the FBI, or other appropriate authorities, know about your issue and ask their advice. To pay up or not to pay up: that is the question. Increasingly, it may be a question that you have to prepare to answer.

Copyright © 2004, SecurityFocus logo

Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.

Related stories

Gimme clean bandwidth
Net extortionists in child porn threat
Feds bust DDoS 'Mafia'

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.