Online Extortion: Pay Up, or Else … What?

In a new-millennium twist on the old protection money scheme, cyber criminals are now targeting business owners online - telling them to pay up, in virtual cash, or else. In this case, the “or else” involves a distributed denial-of-service (DDoS) attack on the company’s Web site.

For the casual business reader, a few questions are probably coming to mind. First, what is a DDoS attack? Second, is this a real threat or a scam? Third, is my business Web site susceptible to this? And, lastly, what should I do?

No. 1: What is DDoS?

A denial-of-service attack is when an attacker overwhelms a Web site or network host by flooding it with invalid or complicated requests. When this type of attack is “distributed,” it means that it is being carried out by a network of zombie computers (a.k.a., a “botnet”) - making it far more damaging and difficult to defend against.

There’s no need to go further into the technical details here, as there are several types and methods for doing this, but the best analogy I can think of is to imagine a time when your kid was asking you questions. Let’s say you were trying to read or work at home, and your child started in with question after question. Now imagine there are tens of thousands of kids asking you questions - and you should now get the point.

No. 2: Are DDoS attacks common and easy to carry out?

Unfortunately, the answer here is “yes.” There are tools available online that make it relatively easy for unsophisticated cyber criminals and script kiddies to launch sophisticated DoS and DDoS attacks. However, since a DDoS also involves the use of a “botnet,” the hacker must have access to one. Botnets can be rented for less than $100, so it’s not that hard to accomplish a DDoS.

No. 3: Is my business susceptible to DDoS?

Probably. There are several preventative measures that can be taken to make it harder to attack your network this way, but the reality is that every network is vulnerable to this type of attack. A massive DDoS attack was launched against U.S. government sites on July 4th, 2009.

No. 4: If my network is attacked, what should I do?

If your business receives an extortion e-mail, whatever you do, don’t pay them anything. Chances are it’s just a scam - and the attackers aren’t really capable of launching a DDoS. However, you would be well advised to review your network security policies and to speak with a cybersecurity consultant who can analyze your network and improve your level of protection. If you hire a consultant, just make sure the person has these initials after his or her name - CISSP, CEH, or CISA.

Michael Gregg, CISSP, CISA, CEH, is a certified ethical hacker, author of several IT security training books and a consultant to Fortune 500s, U.S. government and the military. He is the COO of Houston-based Superior Solutions, and is hired by private companies and government agencies to hack their computer networks - in order to prevent malicious hackers from doing so.