Extortion Pattern

 
 
By Wayne Rash  |  Posted 2004-09-29
 
 
 

Authorize.Net Battles Extortion Attempts


Corey Mandell knew things weren't good when he got the ransom letter. Mandell had experienced such things before, and he knew that Authorize.Net, a Bellevue, Wash., credit card processing company, would be in for a tough time. What he didn't realize until later is that it would be much worse than he had anticipated.

The DDoS (distributed denial of service) attacks began Sept. 15, and they continue to this day. "We received an extortion letter demanding a large sum of money," said Mandell, who is vice president of development and operations at Authorize.Net. "We were able to handle the attack" at first, he said, explaining that the company had tailored its response based on past attacks against it and others in the same business. But things got worse in a hurry.

"The second and third attacks were bigger than anything we'd ever seen," Mandell said. He said it was clear that the attackers were using a bot network because of the wide number of IP addresses that they used.

Most of the attack was a SYN flood, in which the attacker sends a large number of TCP connection requests that soon overwhelm the servers (or the routers, depending on the design).
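The signature described above (many connection requests that never complete, arriving from a wide spread of source addresses) can be checked per time window. The following is an added example, not part of the original article or of Authorize.Net's defenses; the record format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

def summarize_windows(events, window=10):
    """Per fixed time window: SYNs seen, handshakes completed, distinct sources.

    events: (timestamp_sec, src_ip, src_port, flag) with flag "S" for a client
    SYN and "A" for the client's final ACK (hypothetical, simplified format).
    """
    # Simplification: a SYN counts as completed if its (src, port) ever ACKs.
    acked = {(src, port) for _, src, port, flag in events if flag == "A"}
    stats = defaultdict(lambda: {"syns": 0, "completed": 0, "sources": set()})
    for ts, src, port, flag in events:
        if flag != "S":
            continue
        w = stats[ts // window * window]
        w["syns"] += 1
        w["sources"].add(src)
        if (src, port) in acked:
            w["completed"] += 1
    return dict(stats)

def flag_syn_flood(events, window=10, min_syns=20,
                   max_completion=0.2, min_sources=10):
    """Return start times of windows that look like a distributed SYN flood."""
    flagged = []
    for start, w in sorted(summarize_windows(events, window).items()):
        ratio = w["completed"] / w["syns"]
        # High SYN volume, few completed handshakes, many distinct sources.
        if (w["syns"] >= min_syns and ratio <= max_completion
                and len(w["sources"]) >= min_sources):
            flagged.append(start)
    return flagged

def build_sample():
    """Constructed traffic: normal clients in every window, flood in 10-19."""
    events = []
    for start in (0, 10, 20):
        for i in range(3):  # legitimate clients finish the handshake
            src, port = f"198.51.100.{i + 1}", 40000 + start + i
            events.append((start + i, src, port, "S"))
            events.append((start + i + 1, src, port, "A"))
    for i in range(40):  # 40 sources send a SYN and never answer
        events.append((10 + i % 10, f"203.0.113.{i + 1}", 50000 + i, "S"))
    return events

SAMPLE = build_sample()
```

Only the window starting at second 10 is flagged in the sample; the windows with three completed handshakes each fall below the volume threshold.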

Once the volume of bogus requests ramped up for the new rounds of attacks, Mandell knew that additional steps were required. He quickly contacted trusted consultants and vendors and put together a plan to ward off the attacks. But he already knew that no single solution would be enough in this case.

"We installed a variety of appliances," he said, noting that because the new appliances use a mix of deterministic and heuristic methods, the multipronged defense would work. It did. In short order, while the attacks continued, his customers were reaching him without a problem.

Mandell said that when he chose the products to protect his enterprise, he didn't limit himself to just preventing SYN floods or even just DDoS attacks. He chose products that would protect against a wide variety of methods. While he declined to say what appliances and other products the company actually bought, he did say that the solution is capable of handling a much bigger business than his is now.

While the attacks no longer pose a significant threat to the operations of Authorize.Net, that doesn't mean the problem has gone away. Instead, the most important phase is now under way—tracking down and arresting the people who are attacking it.

Mandell said one of the first things the company did was call the FBI's Cyber-Crime division in Utah and get them on the case. The FBI is actively involved in hunting down the bad guys. While that agency will not discuss an active investigation, Mandell said he has some indication that they're making progress. "There's a pattern here," he said, and that is leading the FBI to dig even deeper.

Extortion Pattern


Although Mandell doesn't know a lot about the investigation, he does know a few things. First, he said, the extortion attempts against Authorize.Net are part of a larger extortion pattern that has already hit other financial sites. He said the attacks appear to originate outside the United States, and they appear to be a protection scheme run by organized crime. He noted that some extortion attempts against other companies may go deeper. "Those seemed to be raising money for a reason," he said.

While his company seems to have gained the upper hand in today's cyber-crime battles, Mandell said he expects such incidents to continue. He's not alone. Peter Tippett, chief technology officer of TruSecure, soon to become Cybertrust, said extortion rackets are up 20-fold this year. "Bot nets are the first to use new exploits," he said, and in many cases they take the lead on developing attacks on those exploits.

Tippett said the problem with bot nets and the DDoS attacks they produce is made worse by the vulnerability of so many commercial sites. He said all but the largest e-commerce sites seem to be waiting to move ahead with products that can prevent or at least mitigate such attacks, opting to hold back until one is already under way.

"They follow the money," said David Kennedy, a senior risk analyst at TruSecure. He said the trend started with some gaming sites in the United Kingdom, where the bad guys were emboldened by the success they had there in collecting ransom money. He said he wasn't surprised to see the attacks move to the financial services industry in the United States.

Kennedy said much of the activity and control over the bot nets are centered in eastern Europe, although it would be an oversimplification to say all of the attackers are based there. But he noted that some of the worst activity is ultimately based in the United States. In one case he knows of, Kennedy said one firm hired bot net controllers to attack rivals.

Unfortunately, there is no easy solution to stopping the extortions or the attacks that go with them. But Mandell suggested a few steps that he called vital, the most important of which is calling the FBI. He said the second most important step is for affected businesses to help each other deal with the attacks so they won't succeed. "We need to present a united front," he said.

Companies also should make sure that they have enough bandwidth so they can't be saturated by a DDoS attack, no matter how big, Mandell said. He warned that it's necessary to take such preventive steps, since when attacks do come, they could effectively put an unprepared company out of business.

Tippett suggested that companies that depend on e-commerce should have more than one pathway to the Internet, and there should be separate local loops to those pathways.

Tippett and Mandell both noted that while there is no single solution that works against all attacks, it's important to start using solutions that do work, even if they're not perfect. Tippett noted that by using two or three different technologies, a company can protect itself against nearly any attack of this sort.

But still, the attacks continue. Mandell said a new attack began against Authorize.Net Wednesday. "This one is different," he said, adding that since there has been no extortion letter with this latest round, it could have some other reason. He said he thinks all of the attention being paid to the first set of attacks against his company may have encouraged someone else.

He noted that the FBI is on the latest case as well. And meanwhile, two more companies, this time providers of credit card merchant accounts, are under attack. These companies, identified by Kennedy as Authorize-IT in Ohio and 2Checkout in Kentucky, may also have been the recipients of extortion attempts. No word from the FBI as to whether they're on the case there.
