Criminals are increasingly targeting corporations with distributed denial-of-service attacks designed not to disrupt business networks but to extort thousands of dollars from the companies.

Those targeted are increasingly deciding to pay the extortionists rather than accept the consequences, experts say. While reports of this type of crime have circulated for several years, most victimized companies remain reluctant to acknowledge the attacks or enlist the help of law enforcement, resulting in limited awareness of the problem and few prosecutions.

Extortion is "becoming more commonplace," says Ed Amoroso, chief information security officer at AT&T. "It's happening enough that it doesn't even raise an eyebrow anymore."

"In the past eight months we have seen an uptick with the most organized groups of attackers trying to extort money from users," says Rob Rigby, director of managed security services at MCI. "We try to do our best to get (customers) through it, but we leave it up to them to bring such attacks to the attention of law enforcement."

While MCI has been asked to help with prosecutions in other cybercrime cases, Rigby says he does not recall a service provider being subpoenaed in a distributed DoS extortion case.

Quantifying the extortion problem is difficult because the FBI, ISPs and third-party research firms can't provide figures on the number of distributed DoS attacks that include demands for money. The FBI aggressively works daily on cases involving distributed DoS attacks and extortion, says bureau spokesman Paul Bresson.

"Almost all of them have an international connection," he says. "There aren't many cases where people doing this are from the U.S, and many times it is a juvenile subject to the laws of another country."

Bresson says such cases have been prosecuted, although he was unable to cite any. The FBI continues to encourage companies to report this crime to law enforcement, he says, yet "we understand there's a reluctance to do so."

Paying up
An indeterminable number of victims are choosing to meet the demands of extortionists rather than turn to law enforcement for fear of negative publicity. The law does not prohibit paying, says Kathleen Porter, an attorney at Robinson & Cole in Boston, who has extensive experience with e-commerce and Internet law.

"It's illegal to make the demand, but it's not illegal for companies to pay to make the attacks go away. It's analogous to ransom," Porter says. "It's something companies are doing because the cost of denial-of-service attacks are so expensive. The problem is if companies keep paying, the attacks will continue," she says.

Even those who don't pay and instead work with their service provider to mitigate an attack are leery about reporting the crime. "It's still taboo for users to talk about these attacks," Rigby says. "Users worry that just coming under attack can damage their brand."

Companies are not required by law to report these crimes, Porter says, and she suspects a fear of being sued over the consequences an attack might pose to one's customers contributes to the reticence of many to do so.

"We've had (extortion attempts) happen to our customers," says Bruce Schneier, CTO at managed security services provider Counterpane Internet Security. "More often than I'd like, they're paying up." Counterpane offers anti-distributed DoS services, he adds, but they "aren't cheap."

Anti-distributed DoS services cost around US$12,000 per month from carriers such as AT&T and MCI, says John Pescatore, Gartner security analyst. The most popular type of anti-distributed DoS equipment used by service providers is Cisco's Riverhead gear and Arbor Networks' detection tools. This equipment can filter about 99 percent of the attack traffic, he says, although sometimes network response times drop by a few seconds.

Gartner advises clients not to pay extortion demands, but some have nonetheless dropped hundreds of thousands of dollars into Swiss or Cayman Island bank accounts controlled by criminals, Pescatore says. "We tell them they're better off going to AT&T and MCI for anti-(distributed) DoS protection," he adds.

However, when a business needs multiple service providers for backup and bandwidth, the cost for obtaining anti-distributed DoS services from each can be seen as prohibitive. "So they think it's the same amount of money either way, the service provider or the extortionist," he says.

One company that refused to pay, Authorize.Net, also went public about its attack. Last fall, the Bellevue, Wash., payments-processing firm that authorizes credit-card transactions for more than 114,000 merchants, had its Internet-based service disrupted by extortionists demanding payment to cease a massive distributed DoS attack. Authorize.Net issued a statement apologizing for the intermittent disruption in its service and spoke out about the extortion demands.

"Today, we've not yet seen a successful apprehension of anyone involved," says Roy Banks, Authorize.Net president. "As a payment-processing platform service, we're prepared in dealing with these threats all the time. We see them regularly."

His company has seen "demands from $10,000 to several millions," Banks says. Authorize. Net's policy is not to pay. "We typically engage law enforcement immediately," he says.

As for protecting his company against future attacks? "We've invested in (distributed) DoS equipment," says Banks, who declined to divulge exactly what that would be, saying he worries that might only help attackers. "It's a combination of hardware and software, both commercial and proprietary."

Vendors such as Mazu Networks, Captus Networks and Arbor have products focused on mitigating distributed DoS attacks. Banks says an important aspect of distributed DoS defense is completing service-level agreements with Web hosting and bandwidth providers to create a "framework of cooperation."

There are a few ways these attacks get started. In some cases businesses receive a threatening e-mail or phone call stating if they do not meet certain demands they will be victimized by a distributed DoS attack. Most often, the distributed DoS attack begins and then the business is contacted. The perpetrator sometimes stops an attack after 10 minutes or so and then contacts the company saying if it doesn't wire money to a specific account the extortionist will resume the attack.

Experts say the demands can be $100,000 or more, but some criminals ask for smaller amounts.

AT&T's Amoroso says the extortionists "want to make it real easy for someone to pay. . . . Think about it, if you're getting pounded and all you have to do is fork over $6,000 to this account and everything will be fine, it seems easy."

Countering the crime spree is likely to prove more difficult, and some say it will take an increased willingness on the part of victims to go to the authorities.

"There's been a certain laggardness in addressing this at a more formal level," Authorize.Net's Banks says. Speaking out might help raise awareness that vendors, online businesses and law enforcement need to work together more closely to catch the extortionists. "This involves countries outside the U.S., too, so we should really be dealing with it internationally."