Pay or they break the Internet! DDoS extortion

I’ve often heard the question: “Why do they bother taking down sites with traffic? There is no gain.” But this is a wrong assertion. In fact, this is one of the fastest-growing kinds of internet crime. Consider this example:

You own a large web shop with high revenue per hour. You receive an email saying that you’ll have to pay $500 or else your site will be taken down for 12 hours. What do you do?

If you have a decent understanding of economics, you would probably choose to pay and hope the attacker does not strike. This pattern has been seen many times: an attacker approaches a target, e.g. a betting bureau, for a small amount, the target pays, and then right before a big sports event the attacker approaches again asking for a much greater amount. This kind of attack is the worst nightmare that many online businesses do not know about yet. And when they eventually experience it, they keep it under the radar since they paid, and the authorities are never notified. This makes the growing trend even harder to fight for local governments as well as international agencies.

Meetup.com, a popular social networking site for organizing group activities, faced a similar scenario in March 2014. The extortionist sent an email demanding a $300 payment from Meetup, which had recently gathered $19 million in venture capital. A short time later, the attack began. It took several days for Meetup to withstand the attacks, and the process was costly in security measures. CEO Scott Heiferman chose not to pay, giving the following reasons:

We chose not to pay because:

  1. We made a decision not to negotiate with criminals.
  2. The extortion dollar amount suggests this to be the work of amateurs, but the attack is sophisticated. We believe this lowball amount is a trick to see if we are the kind of target who would pay. We believe if we pay, the criminals would simply demand much more.
  3. Payment could make us (and all well-meaning organizations like us) a target for further extortion demands as word spread in the criminal world.
  4. We were confident we can protect Meetup from this aggressive attack, even if it will take time.

The DDoS that hit Meetup.com had a peak of 179 gigabits per second. There is no way a simple shared webhost will be able to defend against it. This trend will probably lead to massive investment in private hosting and security measures to ensure a reliable service. Is your business secure? Feel free to write a comment about how you secure your business against attacks or about your experience with a DDoS!
