Security Experts:

Cyber-Extortion - Huge Profits, Low Risk

A few heart freezing moments:

• A phone call that begins with the words: We have your child – we want $250,000 to guarantee her safe return. If you go to the police, you will never see her again.

• You receive a thick manila envelope with compromising pictures of you and a young woman, not your wife. You’ve been invited to a local bar to talk.

• Your struggling coffee shop is visited by two very large guys who offer to protect you from the local thugs for just $100 a week – no telling what will happen without this service.

These moments come from the good old extortion schemes of days gone by.

The landscape has changed – we now live in a digital world where extortion happens on a cyber level, involving criminals living in cybercrime tolerant countries halfway around the world. These criminals are almost impossible to find, let alone prosecute. Often, the worst that can happen to a criminal in a cyber-extortion scam gone badly is for the victim not to pay.

For the most part, the cybercrime we hear about involves compromised databases and prominent web sites being brought down. And, we only hear about these crimes when the victim’s company or government entity can’t keep the breach or attack out of the news. Most cyber crimes, extortion and otherwise, are either never reported to authorities or never reach the public. There is no value in publicly flaunting one’s own technical incompetence – it only destroys confidence.

This column will start with three cyber-extortion schemes, followed by a survey of cyber-extortion methods. Finally, I’ll touch on what the average consumer and business should be doing to avoid being a cyber-extortion target.

Data – the new hostage

In January 2012, one of WIT Walchi Innovation Technologies’ programmers (and minority shareholders), Jerome Westrick, allegedly broke into the company’s computer system, changed access codes and passwords, and effectively locked the company and its customers out of the company’s information system.

Walchi alleged that Westrick asked for $300,000 in order to reveal the changed codes and passwords.

The crime was eventually thwarted by a court order that forced Westrick to give up the changed codes and passwords as well as prevented him from disclosing the codes and passwords to any third party.

The variations of this data hostage scheme are endless. This extortion attempt was launched by a Walchi employee; however, it could just as easily have been carried out by a hacker who had broken into the Walchi network. If that hacker were located in a foreign country, China for example, then the US courts would have no power and Walchi might have been forced to pay the ransom.

Another variation of this theme - instead of restricting access to information, a hacker could just as easily have stolen the data from the company’s database and deleted that data from the company’s servers. An example of this comes from a note posted in 2009 on a public website for the Virginia Department of Health Professions:

"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

It was reported that the Virginia Department of Health Professions responded by saying it was successfully able to recover the original data; but no additional information on the crime was ever released.

If it’s on the Internet, it must be true

In March 2010, Anthony Digati allegedly threatened to send millions of spam emails and host a malicious website in order to damage the reputation of New York Life. Digati, apparently upset over a premium dispute, sent emails to several New York Life executives that directed them to his website which included the following text:

• These things, unless you honor the below claim, WILL HAPPEN on March 8, 2010.

• As you have denied my claim I can only respond in this way. You no longer have a choice in the matter, unless of course you want me to continue with this outlined plan. I have nothing to lose, you have everything to lose.

• My demand is now for $198,303.88. This amount is NOT negotiable, you had your chance to make me an offer, now I call the shots.

• I have 6 MILLION emails going out to couples with children age 25-40, this e-mail campaign is ordered and paid for. 2 million go out on the 8th and every two days 2 million more for three weeks rotating the list. Of course it is spam, I hired a spam service, I could care less, The damge [sic] will be done.

• I am a huge social networker, and I am highly experienced. 200,000 people will be directly contacted by me through social networks, slamming your integrity and directing them to this website within days.

• I think you get the idea, I am going to drag your company name and reputation, through the muddiest waters imaginable. This will cost you millions in lost revenues, trust and credibility not to mention the advertising you will be buying to counter mine. Sad thing is it’s almost free for me!

• The process is in motion and will be released on March 8th, 2010. If you delay and the site goes live, The price will then be $3,000,000.00.

In this case, Digati was arrested and he was not able to begin his slander campaign.

While this extortion attempt failed for many reasons – primarily because Digati was easily found and arrested – similar extortion schemes from untraceable accounts or foreign countries would not be so easy to stop.

The common joke that anything on the Internet must be true is certainly just a joke; but we Americans do seem willing to accept as gospel anything we read on the Internet, or read in an email. We have recently seen Internet-based smear campaigns against corporate CEOs, companies and even presidents – all easily done because of the anonymity of the Internet and the Internet’s inherent, if misguided, credibility. If nothing else, these entities were forced to defend themselves against these false claims – costing time and money.

On a personal front, consider the impact on your life if malicious and false rumors were to circulate about your sordid past, recent arrests or deviant behaviors. A few emails to your friends or office and you’ll find yourself the whispered object of gossips that you’d be hard pressed to stop. A denied accusation is often a believed accusation.

If I can steal your data, I can also plant my own

A countless number of computers in the U.S. are infected with malware – invisible programs that can monitor your every keystroke, track your Internet use, and scan your files and contacts. This malware, a bot, continually communicates with its bot herder (yes, that’s what he is called) to pass information and receive commands.

While it is worrisome to think about an invisible bot wandering through your private computer affairs, it may be just as disturbing to think that the same bot is storing files on your computer. When the police (or your spouse) come across some incriminating or distasteful files on your computer, the defense of not knowing how they got there may not suffice.

An inventive use of such malware is now popular in Russia where child pornography is planted on a victim’s computer along with the display of a large banner threatening to notify the authorities unless a $17 (500-ruble) fee is paid. The malware also disables many of the computer’s basic functions to prevent the victim from deleting the pornography. However incredible this scam seems, keep in mind the fact that not all government authorities uphold the same standard of law enforcement that we have in the United States. The $17 fee is often paid out of fear of being railroaded by some overzealous crime hunter.

The extortion opportunities when cyber-criminals invade personal computers are numerous. Even without planted data, many of us would be hard-pressed to explain the websites we visit, pirated music we own or programs that we never paid for. The simple threat of reporting seemingly innocent digital indiscretions to authorities or family might be sufficient to persuade the victim to transfer some small sum of money (maybe $100) to the extortionist.

Do that a few thousand times and one can see the enormous profits that can be made. Initiate this scam from Iran and not only might the crime generate huge profits, but the criminal is very unlikely to get caught. Not bad work if you can pull it off.

A survey of cyber-extortion

We’ve touched on a few examples of cyber-extortion above. I thought it might be instructive to catalog its different forms – if for no other reason than to get you thinking in a defensive mode.

Data held hostage

I do like a recent quote: “Data is the new oil of the digital age.” Holding data hostage can be as simple as stealing the most recent backup and wiping the original version from the corporate servers. Or it may be as complex as changing the encryption key (similar to a complex password) within a database and holding the new key hostage.

However the data is held hostage, the victim’s company may be put into data limbo while it negotiates with the cyber-criminal.

The release of protected or personal data

One of the biggest financial and reputation fears of corporations is the compromise of protected information (e.g., medical, identity, credit card). Such a compromise and public disclosure may result in huge government or industry fines, a flight of customers from an embarrassed or perceived technically incompetent company, or both.

Rather than use this stolen information for direct identity or financial theft, cyber-criminals will sometimes threaten the breached corporation with the disclosure that the information has been stolen. The payment of ransom may be a lot less expensive and damaging than the resulting cost and company-customer relationship fallout that a disclosure would cause.

While there may not be any financial upside to the cyber-extortionist for the release of protected information, medical information for example, there is also no legal downside to releasing the information. In fact, it may be to the cyber-criminal’s benefit to put corporations on notice that the cyber-extortion threats were real.

Selling corporate secrets

Corporate espionage, at the world and national levels, is rampant in the US and throughout the world. Cyber-thieves who are able to obtain corporate secrets (e.g., strategies, technologies, relationships) might be able to name their own price from a company willing to go to any lengths to protect its own vital information.

Unlike compromised medical information, for example, corporate secrets might have a significant resale value to other corporations around the globe. The threat of a resale of such secrets to competitive companies often has teeth and would certainly get the attention, if not the payment of the ransom, of the victimized company.

The release of private corporate or personal information

We only need to look back at the last year to ask the question ‘What were they thinking?’, as we consider the stream of dumb emails, texts, pictures and tweets from people who should know better – celebrities, athletes, and government officials. And this was the information that people went out of their way to make public.

One can only imagine the really damaging information that could be found on the personal computers and corporate IT systems that people thought were hidden from public view.

With many home computers compromised by malware and corporate IT systems being breached at an alarming rate, we can only speculate on the depth and breadth of extortion-worthy information in the hands of hackers.

You may remember the hit Apple stock took when Steve Jobs’ illness was announced or the corporate turmoil that resulted from Hewlett-Packard CEO Mark Hurd’s alleged sexual harassment case. A hacker, with access to such private information, might easily convince the compromised public figure or his corporation that, at any price, silence might be the preferred option.

Distributed Denial of Service (DDoS)

There are massive numbers of compromised personal computers (reported to be 50 percent of all home computers) that can each be directed to send an unlimited number of communication requests to any web site in the world. These malicious personal computer bots are managed by bot herders from cyber-crime tolerant countries around the world.

As the recent and successful DDoS on the CIA website has shown, an energized botnet (herd of bots) can easily wreak havoc on almost any commercial or government web site – overloading the site to the point where it gives up in cyber exhaustion. Imagine the fear within an e-commerce dependent company should a plausible DDoS threat be received. Even an hour of DDoS imposed downtime might cost the targeted company millions in on-line sales revenues, let alone the credibility and future sales the company might lose.

Because of the unstoppable nature of a DDoS, a cyber-extortionist can easily launch a DDoS attack on a company web site to validate his threat. It would just be a matter of negotiation after that.

Avoiding becoming a cyber-extortion victim

Most cyber victims, extortion and others, dig their own figurative grave by ignoring simple rules for cyber safety.

Businesses need to inspect and protect their physical IT environments as well as their web applications. Security audits should be run and deficiencies repaired as quickly as possible. Hackers will almost always pick low-hanging fruit – 70 percent of all websites with critical security flaws make it possible for even amateur script kiddies to break into a web application and steal private data.

Every departing employee should be viewed as a potential threat – possibly one who will return with a financial proposition concerning the safety or integration of your IT world. As soon as an IT-knowledgeable employee leaves, change any lock, code or password that the employee may have had access to.
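The rule above can be checked mechanically if you keep an inventory of who knows each lock, code or password and when it was last changed. The following is an added example, not part of the original column; the inventory layout, names and dates are constructed for illustration.

```python
from datetime import datetime

# Constructed sample inventory (hypothetical names and dates).
# "holders" = people who have known the secret; "rotated" = last change date.
CREDENTIALS = [
    {"id": "db-admin-password", "holders": {"alice", "bob"}, "rotated": "2012-01-03"},
    {"id": "vpn-shared-secret", "holders": {"bob", "carol"}, "rotated": "2012-02-20"},
    {"id": "backup-encryption-key", "holders": {"alice"}, "rotated": "2011-06-15"},
    {"id": "server-room-door-code", "holders": {"carol"}, "rotated": "2010-09-01"},
]
# Constructed departure log: person -> last working day.
DEPARTURES = {"alice": "2012-01-10", "bob": "2012-02-01"}


def _day(text):
    """Parse a YYYY-MM-DD string into a date."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def stale_after_departure(credentials, departures):
    """Return credentials still known to someone who has left.

    A credential is flagged when a holder departed on or after its last
    rotation. A rotation on the departure day itself is treated as too
    early to trust, so the check errs toward flagging.
    """
    findings = []
    for cred in credentials:
        rotated = _day(cred["rotated"])
        exposed = sorted(
            person for person in cred["holders"]
            if person in departures and _day(departures[person]) >= rotated
        )
        if exposed:
            since = min(_day(departures[p]) for p in exposed)
            findings.append({
                "id": cred["id"],
                "known_to": exposed,
                "exposed_since": since.isoformat(),
            })
    # Longest-exposed credentials first.
    return sorted(findings, key=lambda f: f["exposed_since"])


if __name__ == "__main__":
    for finding in stale_after_departure(CREDENTIALS, DEPARTURES):
        print(finding["id"], "still known to", ", ".join(finding["known_to"]),
              "since", finding["exposed_since"])
```

Anything this reports is a secret a former insider can still use, which is the position Walchi was in above.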

On the home front, install quality antivirus and anti-malware software and make sure your browsers and operating systems are current.

Finally, consider a plan to mitigate your cyber risk should it occur. Very similar to kidnapping insurance that some executives hold in volatile foreign countries, insurance companies are now writing policies to cover the extortion fees and expert technical costs incurred when a company is held as a cyber-hostage.

Yes, the world has changed.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.