Online extortion is quietly affecting thousands of businesses, for a very simple reason: it works. The big question then becomes, how will you and your company decide to respond?
How yet resolves the governor of the town?
This is the latest parle we will admit;
Therefore to our best mercy give yourselves;
Or like to men proud of destruction
Defy us to our worst: for, ...
If I begin the battery once again,
I will not leave the half-achieved Harfleur
Till in her ashes she lie buried.
The gates of mercy shall be all shut up,
And the flesh'd soldier, rough and hard of heart,
In liberty of bloody hand shall range
With conscience wide as hell, mowing like grass
Your fresh-fair virgins and your flowering infants.
... Therefore, you men of Harfleur,
Take pity of your town and of your people,
Whiles yet my soldiers are in my command;
Whiles yet the cool and temperate wind of grace
O'erblows the filthy and contagious clouds
Of heady murder, spoil and villany.
If not, why, in a moment look to see
The blind and bloody soldier with foul hand
Defile the locks of your shrill-shrieking daughters;
Your fathers taken by the silver beards,
And their most reverend heads dash'd to the walls,
Your naked infants spitted upon pikes,
Whiles the mad mothers with their howls confused
Do break the clouds, as did the wives of Jewry
At Herod's bloody-hunting slaughtermen.
What say you? will you yield, and this avoid,
Or, guilty in defence, be thus destroy'd?
To my mind, this is one of the great extortion scenes in literature (and I'd love to hear if my readers can think of any others). Henry is purposefully frightening Harfleur, knowing that the people of the town are listening and growing increasingly terrified as he speaks. He counts on the pressure that they will bring on the Governor as a way to avoid conflict and win an easy victory, and, sure enough, Harfleur yields immediately.
The lesson that Henry knew, and that is still known today by mobsters, loan sharks, and, increasingly, cyber-criminals, is simple: extortion works.
How bad is online extortion getting? Alan Paller, a speaker at a London SANS Institute conference, claims that, "Six or seven thousand organizations are paying online extortion demands ... Every online gambling site is paying extortion. Hackers use DDoS (distributed denial-of-service) attacks, using botnets to do it. Then they say, 'Pay us $40,000, or we'll do it again.'"
Whether he's precisely accurate is not the point; the threat seems real with regard to online gambling. Talk about low-hanging fruit: web sites that are on the more sordid side of the Net, raking in lots of cash that may or may not be totally legal, and requiring an up-and-running web site or the entire business is at risk. However, it's not just online gambling that is facing a rise in cyber-extortion. More legitimate businesses are increasingly at risk as well.
For example, Kentucky businessperson Jay Broder received an email demanding $10,000; when he refused to pay, his company's web site was down for a week, the victim of a DDoS. At first, Broder simply ignored the email, believing it to be spam. He learned his lesson when the attack began, and it took a switch to a new IP address and a new web host to solve his problem. Or maybe it's not solved. He could get another email. Soon.
Even semi-silly threats work on semi-ignorant users. CNN reported a year ago that blackmailers are increasingly sending emails to office workers in which the bad guys explain something like the following:
1. I, the bad guy, have taken over your corporate network.
2. At any time, I can take over your computer.
3. Once I do that, I will erase your hard drive or worse, I will place child pornography on your PC.
4. You will be disgraced, fired, and potentially arrested.
5. Pay me $25 and I'll leave you alone.
Now, everyone reading this column knows that the likelihood that steps 1-4 could be completed perfectly, in a way that would bring ruin to the lives of the poor saps reading those emails, is very low. But if you're Joe (or Jane) Officeworker, these emails could scare the hell out of you, and $25 really isn't that much, so why not pay up and avoid getting fired, or arrested, or, even worse, branded a sex offender?
So what can we do about this problem? Extortion is always a problem for law enforcement, since the blackmailer has something over those he's blackmailing. The threat of exposure, or the threat of further harm, work together to keep victims silent. The fact that the extortionist resides on another continent, in a country that is rather ... lax, shall we say, about acting on American requests for law enforcement, only adds to the problem. It's one thing to know that Bubba on the corner is shaking you down; it's another when it's 4ack3rD00d out on the interweb.
So what can security pros and their clients do if they're faced with cyber-extortion? You have three choices: counter-attack, pay up, or quietly contact the authorities. I don't recommend that you counter-attack; that will get everyone involved in a war of attrition that you'll never win. Pay up? It's easy for me, sitting here at my computer, to tell you never to do that, but I understand that situations can be sticky. I'd hate to see the criminals win, though, and I know you would too. That leaves contacting the authorities ... quietly. Let the FBI, or other appropriate authorities, know about your issue and ask their advice. To pay up or not to pay up: that is the question. Increasingly, it may be a question that you have to prepare to answer.