Simply put, cyber-extortion is the practice of demanding money in exchange for not carrying out activities that could put a victim’s cyber information at risk. It is an organised criminal activity, intent on obtaining a ransom in advance from an individual, group or organisation for not launching an attack on their corporate database, transactional website and computer networking systems.
Nowadays it is mere child’s play for a teenage hacker to hack someone’s confidential information. When organised criminal groups get involved, they are looking at financial gain. However, despite the possibility of an attack, businesses do not seem to be taking the threat very seriously. In fact, one of the reasons such threats are kept under wraps is that organisations want to protect their image. Consumers can lose confidence in an organisation, leading to huge losses, particularly in terms of revenue, since the media coverage can result in negative publicity.
In the past, the practice of cyber extortion was restricted to leaking credit card details or personal data of the customers. But today, hackers can disrupt business activities. Extortionists can threaten to incapacitate the victim’s computer system or transactional website. This is known as a denial-of-service (DoS) attack, in which the business system is made unavailable to potential customers and intended users. When launching a DoS attack, cyber extortionists typically target a high-profile website or service hosted on servers such as web servers, data centre servers, credit card payment gateways and even the root nameservers.
DoS attackers typically follow two techniques: one that crashes the services and another that floods them. Either way, the victim company stands to lose its online link with customers, suppliers and partners. The cyber criminals quietly take control over business information systems and then assemble them into a coordinated network that can be used to send electronic transmissions that deface the targeted business website. These hijacked information systems are individually referred to as ‘zombies’.
The coordinated networks of zombies-for-hire are referred to as ‘botnets’. Botnet armies have no geographical limit and can comprise hundreds, thousands or even tens of thousands of computers. With network communications becoming more important to companies today, as illustrated by the increased reliance upon online purchasing, the urgency to protect these systems has increased.
What is surprising is that organisations are increasingly hiring cyber-extortionists to incapacitate their business competitors. If hired, they offer discounts to make these extortionists loyal customers and in return are assured protection that the organisation would not be attacked by other corporate competitors. People will always remember the Massachusetts businessman who allegedly paid members of the computer underground to launch organised and crippling distributed denial-of-service (DDoS) attacks against three of his competitors. In what federal officials are calling the first criminal case to arise from a DoS-for-hire scheme, the resulting chaos cost the competitors almost two million US dollars.
Since online banking transactions became popular, cyber-extortionists have adopted scientific techniques to obtain ransom from the victim. They open several anonymous bank accounts, both inside and outside the country of residence, to hide their identity. The cyber-attackers demand the ransom in small chunks of payments so as to escape money laundering watchdogs. The technique of receiving small chunks of money through several pseudonymous bank accounts is called ‘smurfing’, which comes under the umbrella of money laundering.
An effective deterrent against cyber threats is both expensive and time consuming, requiring a lot of training for the IT staff and customers. Heavy costs include testing, perpetual monitoring and co-location services such as off-site data and system backup. Other costs can include intrusion prevention systems, DDoS protection, information security consultants, record keeping and liability insurance. Assessing the risks, such as the risk of a successful DDoS attack, typically includes hiring an outside service to assess the company’s network weaknesses.
This may include developing a series of planned and controlled attacks, including initiating DDoS attacks on the company. IT security experts can raise awareness that the benefits of such a test outweigh the costs and risks of having a preventable attack. Under the ‘Prevention of Electronic Crime Ordinance 2007’, the Federal Investigation Agency (FIA) is held responsible for protecting business organisations from internal and external threats. Liaison with the FIA could be helpful in terms of facilitating communication with appropriate law enforcement agencies that specialise in cybercrime.
Law enforcement agencies with appropriate expertise may be able to provide tactical assistance and other helpful information, such as whether the threat is from a known source, whether a similar attack was threatened in the past, and whether the attack is credible.