The first you hear of it is an e-mail that stands out from the usual torrent of spam. It will say something along the lines of "Pay us $20,000 or we'll take your site offline". Or you might get a phone call from someone saying the same. Whatever the case, it is real and it is something any information technology director dreads. What do you do? Pay up? Call their bluff? Call the police?
We are talking about online extortion. This growing form of cyber crime is, says Sharon Lemon, head of the National High Tech Crime Unit, "nothing more than an electronic protection racket". It is the kind of thing 1920s gangsters did, updated for the electronic age: cough up or we shut your online business down.
The ruse is simple: these people flood your site with requests. The traffic won't be viruses or worms; in fact it will probably look just like legitimate requests. Nonetheless the sheer volume will crash your servers or eat up your bandwidth. Your site will be unavailable to your legitimate customers.
This is done via a DDoS (distributed denial of service) attack. Hackers, in this case sometimes known as "bot masters", control large groups of "zombie PCs" called "bot nets". A bot net is made up of zombies (compromised PCs) that may be dotted all over the world. For the most part a zombie PC looks and acts like a normal PC, but it has been infected by a piece of malware. And when the zombie receives its wake-up call, it will start flooding the target server with requests.
Bot nets used to be made up of thousands of PCs, but now number in tens and even hundreds of thousands. "In some of the biggest attacks we can identify more than 10,000 computers," says Andrew Ross, Europe, Middle East and Africa business development manager at Prolexic, the online security experts. And, he adds, "If you've got 50,000 computers submitting apparently legitimate requests, it is almost impossible to distinguish the rogues."
Bot nets appeared in the late 1990s and their rapid growth over the past few years has been put down to the explosion in home use of broadband. Home computers tend to be less well protected than their corporate counterparts. "With broadband," says Tony Dyhouse, security director of QinetiQ, the global defence technology and security experts, "people leave PCs on and online overnight and they are happily doing other people's work."
This "work" could be sending vast amounts of spam (most of which comes from bot nets) or contributing to the success of an extortionist.
But is it so awful having your site taken down for a few hours? It is not like having your warehouse torched, is it? In some cases, however, the effects are similar. "It started with the online gambling organisations," says Mr Dyhouse. "If their service is interrupted they can't take bets." From there it has moved on to electronic retailers, online payment services and the financial industries, anyone for whom time offline costs money. Even message boards and forums, which usually make their money through advertising, are not immune.
One company that has been attacked several times is the online payment business Protx. "Each time they asked for $10,000," says chief executive officer Michael Alculumbrie. Protx didn't pay up and the criminals made good on their threat, flooding the secure port the site used for credit cards, which actually made the duff traffic easier to identify. Protx, says Mr Alculumbrie, is now probably one of the best-protected outfits in the business, although this comes at a cost. It spends about £500,000 ($876,000) annually on security.
Another business that has been targeted is William Hill, the bookmakers. "Everyone in our sector has the same problems," says David Hood, a company spokesman, adding that their attackers were rather incompetent. "We got a demand in very bad English - it was for about $35,000. But it didn't arrive until after the attack was over."
The company, says Mr Hood, had a number of measures in place that allow it to differentiate between a high volume of traffic and an attack. "When we were attacked, our experience was we could run at about 70 per cent capacity. Some sites fall straight to zero."
Both William Hill and Protx are adamant they would never pay up, but, say security industry insiders, quite a few businesses do. In a way, the economics of this make sense. The demands, says Ms Lemon, are "typically between $8,000 and $10,000 to stop the attack and allow the website to operate for 12 months". In fact, ransom demands have typically gone down with time, simply because companies are far more likely to pay smaller amounts. But while these sums might seem like small change compared with the cost of security, it is also worth remembering that hackers like to talk: pay one extortionist and others could beat a path to your server.
It should not be imagined here that we are dealing with the hackers of yesteryear. "It was spotty kids in bedrooms until 2000," says Pete Simpson, Threat Lab Manager at Clearswift, the digital protection company. "But now it is well-funded criminals." Such organisations as the Russian Mafia and Turkish and Moroccan gangs hire bot masters, much as one might enlist a hitman. "They are highly motivated and well-resourced financially," says Mr Simpson. "And they can afford the same people we can: picking up a couple of computer science graduates in the former Soviet Union is certainly an option."
As might be expected, with electronic extortion there are no bulging suitcases full of $50 bills in left luggage lockers. Rather the money is transferred electronically and washed through a cascade of accounts. "You know those stickers you see saying 'Earn F1,000 a month from home'," says Mr Dyhouse, "well some of them are real. They want to use your bank account to clean up their money."
So what should businesses be doing? First they ought to protect themselves as best they can. There are a number of hardware and software products available, although attacks almost always work by overwhelming the weakest link. You can build in resilience by, say, having a second internet service provider, and this is something the ISPs are doing a lot of work on themselves. In fact, some argue that those who supply fat pipe connections to homes have a duty of care to ensure they are not abused. Of course, you can just face them down, but this is pretty risky.
Ultimately, it is an arms race, where both sides have access to the same technologies and talent. For the foreseeable future, all you can do is ensure that your geeks and gadgets are better than theirs.
FT Syndication Service