DDoS being used in extortion schemes

Criminals are increasingly targeting corporations with distributed denial-of-service (DDoS) attacks designed not to disrupt business networks but to be used as tools to extort thousands of dollars from the companies.

Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say. While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

Extortion is "becoming more commonplace," said Ed Amoroso, chief information security officer at AT&T. "It's happening enough that it doesn't even raise an eyebrow anymore."

"In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users," said Rob Rigby, director of managed security services at MCI. "We try to do our best to get [customers] through it, but we leave it up to them to bring such attacks to the attention of law enforcement."

While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a DDoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can't provide figures on the number of DDoS attacks that include demands for money.

The FBI aggressively works daily on cases involving DDoS attacks and extortion, said bureau spokesman Paul Bresson.

"Almost all of them have an international connection," he says. "There aren't many cases where people doing this are from the U.S, and many times it is a juvenile subject to the laws of another country."

Bresson says such cases have been prosecuted, although he was unable to cite any. The FBI continues to encourage companies to report this crime to law enforcement, he says, yet "we understand there's a reluctance to do so."

An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement because they're worried about negative publicity. The law does not prohibit paying, said Kathleen Porter, an attorney at Robinson & Cole LLP in Boston, who has extensive experience with e-commerce and Internet law.

"It's illegal to make the demand, but it's not illegal for companies to pay to make the attacks go away. It's analogous to ransom," Porter said. "It's something companies are doing because the costs of denial-of-service attacks are so expensive."

"The problem is, if companies keep paying, the attacks will continue," she said.

Even those who don't pay and instead work with their service provider to mitigate an attack are leery about reporting the crime.

"It's still taboo for users to talk about these attacks," Rigby said. "Users worry that just coming under attack can damage their brand."

Companies are not required by law to report these crimes, Porter said, adding that she suspects that many are reticent to do so because they fear being sued over the risks that such an attack might create for their customers.