Several writers on this blog have been calling attention to recent DDoS extortion campaigns. (See DDoS extortion campaigns on the rise and FBI Warning! Businesses Are Threatened with DDoS Attacks Unless Extortion Money Is Paid.) Now the FBI is sending notice to banks and other financial institutions to be on the watch for shakedown attempts. MarketWatch has reported that attackers have already made DDoS extortion attempts against more than 100 financial firms in recent months.
In an article on BankInfoSecurity, Matthew J. Schwartz describes the modus operandi:
Attackers' tactics are simple: Sometimes they threaten to disrupt a firm's website, preventing customers from accessing it. And other times they warn that they will release data - which they obtained by hacking into the firm - that contains sensitive information about the organization's employees and customers. Or, the attackers say, the organization can pay them off - typically via bitcoins - to call off the attack or delete the data.
Some of the companies have had demands to pay tens of thousands of dollars. While a few have paid the extortion money, most have ignored the demands. Gartner analyst and fraud expert Avivah Litan says most financial institutions are reluctant to talk about experiencing either the extortion demands or any ensuing attacks for fear of alarming their customers.
The growth rate of these extortion campaigns seems to be tied to the ease of launching a DDoS attack via various underground services. For just a couple of dollars, anyone can order an attack against a target for a few hours. This can be just enough to take the targeted business offline for a while, causing large revenue losses and frustration for customers.
A business might be tempted to pay the bitcoin demand to avoid the attack, but law enforcement officials say this isn't a good idea: paying once often leads to further demands for even more money.
Cybersecurity expert Brian Honan of BH Consulting offers the following recommendations for dealing with DDoS threats:
React: Take the threat seriously, and "spin up" an incident response team to deal with any such attacks or threats.
Defend: Review DDoS defenses to ensure they can handle attackers' threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help.
Alert: Warn the organization's data centers and ISPs about the threatened attack, which they may also be able to help mitigate.
Report: Tell law enforcement agencies about the threat - even if attackers do not follow through - so they can amass better intelligence to pursue the culprits.
Plan: Continually review business continuity plans so that, if a disruption does occur, its impact on the business is kept to a minimum.
If your company wants to learn more about getting prepared for a DDoS attack, talk to the folks at Corero. They'll help you make a plan so that you can defend against whatever type of DDoS attack someone wants to throw at you.