Criminals are increasingly targeting corporations with distributed denial-of-service (DDoS) attacks designed not to disrupt business networks but to be used as tools to extort thousands of dollars from the companies.
Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say. While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.
Extortion is "becoming more commonplace," said Ed Amoroso, chief information security officer at AT&T. "It's happening enough that it doesn't even raise an eyebrow anymore."
"In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users," said Rob Rigby, director of managed security services at MCI Inc. "We try to do our best to get [customers] through it, but we leave it up to them to bring such attacks to the attention of law enforcement."
While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.
Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can't provide figures on the number of DDoS attacks that include demands for money.
The FBI aggressively works daily on cases involving DDoS attacks and extortion, said bureau spokesman Paul Bresson.
"Almost all of them have an international connection," he says. "There aren't many cases where people doing this are from the U.S, and many times it is a juvenile subject to the laws of another country."
Bresson says such cases have been prosecuted, although he was unable to cite any. The FBI continues to encourage companies to report this crime to law enforcement, he says, yet "we understand there's a reluctance to do so."
An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they're worried about negative publicity. The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law.
"It's illegal to make the demand, but it's not illegal for companies to pay to make the attacks go away. It's analogous to ransom," Porter said. "It's something companies are doing because the costs of denial-of-service attacks are so expensive."
"The problem is, if companies keep paying, the attacks will continue," she said.
Even those who don't pay and instead work with their service provider to mitigate an attack are leery about reporting the crime.
"It's still taboo for users to talk about these attacks," Rigby said. "Users worry that just coming under attack can damage their brand."
Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.
"We've had [extortion attempts] happen to our customers," said Bruce Schneier, chief technology officer at managed security services provider Counterpane Internet Security. "More often than I'd like, they're paying up." Counterpane offers anti-DDoS services, he added, but they "aren't cheap."
Anti-DDoS services cost around US$12,000 per month from US carriers such as AT&T and MCI, said John Pescatore, an analyst at Gartner.
The most popular type of anti-DDoS equipment used by service providers is Cisco Systems Inc.'s Riverhead gear and Arbor Networks Inc.'s detection tools. This equipment can filter about 99% of the attack traffic, Pescatore said, although sometimes network response times drop by a few seconds.
Gartner advises clients not to pay extortion demands, but some have nonetheless dropped hundreds of thousands of dollars into Swiss or Cayman Island bank accounts controlled by criminals, Pescatore said. "We tell them they're better off going to AT&T and MCI for anti-DDoS protection," he added.
However, when a business needs multiple service providers for backup and bandwidth, the cost for obtaining anti-DDoS services from each can be seen as prohibitive. "So they think it's the same amount of money either way, the service provider or the extortionist," Pescatore said.
One company that refused to pay, Authorize.Net, also went public about its attack. Last year the payments-processing firm, which authorizes credit card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive DDoS attack. Authorize.Net issued a statement apologizing for the intermittent disruption in its service and spoke out about the extortion demands.
"Today, we've not yet seen a successful apprehension of anyone involved," said Authorize.Net President Roy Banks. "As a payment-processing platform service, we're prepared in dealing with these threats all the time. We see them regularly."
His company has seen "demands from US$10,000 to several millions," Banks said. Authorize.Net's policy is not to pay. "We typically engage law enforcement immediately," he said.
As for protecting his company against future attacks?
"We've invested in [DDoS] equipment," said Banks, who declined to identify the type of equipment, saying he worries that might only help attackers. "It's a combination of hardware and software, both commercial and proprietary," he said.
Vendors such as Mazu Networks, Captus Networks and Arbor have products focused on mitigating DDoS attacks.
Banks said an important aspect of a DDoS defense is completing service-level agreements with Web hosting and bandwidth providers to create a "framework of cooperation."
There are a few ways these attacks get started. In some cases, businesses receive a threatening e-mail or phone call stating if they do not meet certain demands they will be victimized by a DDoS attack. Most often, the DDoS attack begins and then the business is contacted. The perpetrator sometimes stops an attack after 10 minutes or so and then contacts the company saying if it doesn't wire money to a specific account the extortionist will resume the attack.
Experts say the demands can be US$100,000 or more, but some criminals ask for smaller amounts.
The extortionists "want to make it real easy for someone to pay," said AT&T's Amoroso. "Think about it; if you're getting pounded and all you have to do is fork over $6,000 to this account and everything will be fine, it seems easy."
Countering the crime spree is likely to prove more difficult, and some say it will take an increased willingness on the part of victims to go to the authorities.
"There's been a certain laggardness in addressing this at a more formal level," said Banks. Speaking out might help raise awareness that vendors, online businesses and law enforcement need to work together more closely to catch the extortionists. "This involves countries outside the U.S., too, so we should really be dealing with it internationally."