Cyber extortionists pose growing threat to tech firms
If you live out your life on the internet, getting knocked offline can ruin your day.
But if you make your living on the internet, then someone killing your connection is a whole lot more serious. Your entire business could be in jeopardy.
That is the threat that a new wave of cyber extortionists are holding over tech companies.
The weapon the extortionists use is a distributed denial of service (DDoS) attack to block access to their websites, accompanied by demands for money to stop the attack.
Such attacks, using multiple compromised computer systems to target a single system, are increasing in frequency, complexity and length, reports suggest.
"The attack started on a Thursday morning early," says Gary Burns, chief technology officer of New York-based Meetup, a social network for community groups.
"We received an email asking for money to stop the attacks.
"Within a few minutes of receiving the email, we saw large surges in traffic that quickly disabled Meetup.
"That was the start of a five-day battle to bring the site back up."
Matthew Prince, chief executive officer of CloudFlare, a San Francisco-based company that helps businesses protect their networks, said such attacks were essentially aimed at filling up a website's resources so that legitimate requests could not get through.
"In the physical world, you could think of it as a sit-in, or if you had all of your friends going to a store, fill the entire space and not actually buy anything."
Meetup is unusual in that it is happy to talk about its battle with the extortionists.
I've spoken to many more companies that have had similar experiences - the same exhausting battle to keep the site up and the same demand for money to make the attack go away.
Risk to reputation
The difference though is they don't want anyone to know about it. One reason is the risk to their reputation.
For a small to medium-sized tech company, there might be a perception that the attack was caused by their own technical mistakes or, worse, that it led to the loss of customer data.
Both of those perceptions are wrong.
Another reason might be that they've paid up.
The fact is that the extortionists typically ask for a comparatively small amount of money, about $300 to $500 (£178 to £297).
That's a fraction of the cost to the companies of trying to defend themselves.
The risk with giving in though is that there is nothing to stop the extortionists coming back for more and bigger sums.
So why is this happening now?
Matthew Prince says it's all about the virus writers looking for a new way of making money.
Viagra no more
The old way was to create a huge network of infected computers (known as a botnet) that would spew out spam, but that no longer works so well.
"As anti-spam technologies have got better, we are seeing less spam making its way into our inbox," he says.
"That has actually hurt the business model of spammers and, in turn, it has hurt the business model of virus writers."
Instead of offering us Viagra or pretending to be a Nigerian bank manager, the botnets are now put to work launching DDoS attacks.
In its DDoS Threat Report 2013, global IT company NSFocus reported:
- It had tracked more than 244,703 attacks globally across the year
- Cyber criminals were constantly changing methods to try to stay ahead of computer defences
- Companies have reported losing between $10,000 and $100,000 per hour they have been offline during an attack
- There is added cost in terms of inconvenienced customers who never return
- DDoS is often being used as a smokescreen to enable other criminal activity to take place
- Most attacks are short, but DDoS attack capabilities are growing
There are plenty of companies like CloudFlare that will offer businesses protection for a price, but the police have had some success in peeling back the layers of attacks to find out who was behind them.
Last December, police in Greater Manchester secured the UK's first conviction of cyber extortionists.
Piotr Smirnow and Patryk Surmacki both pleaded guilty to two counts of blackmail and one count of conspiracy to access, use and impair computers without authorisation and were jailed for five years and four months.
Police said the pair had targeted an online gambling company, with an annual turnover of £30m, by threatening to shut down its website if it did not hand over a 50% share of the business.
The threats were reported to the police, but the pair launched a cyber attack and the firm's customers were unable to access the site for five hours, costing the company about £32,000 ($53,900).
Det Insp Chris Mossop, of Greater Manchester Police, suspects the pair had tried to extort money from companies all over Europe, but those attempts weren't reported to police.
The UK case was made easier to crack because the criminals were known to their victim.
But there doesn't have to be a connection for an investigation to be successful.
Mr Mossop says: "They still have to communicate in some way with the victim.
"And if they are attacking a number of different companies, then they might be using the same email addresses with the same kind of language in the email.
"It means you can quickly start to build a threat profile."
The ultimate solution though is more likely to come from a technical change in the way the internet works, putting some restrictions and checks on the open architecture.
Meanwhile, many tech companies take the view that it's better to pay up the small amounts of money being demanded and hope the extortionists move on to someone else.