Technology can help fight the growing cyberextortion threat, but experts say not enough companies are prepared
It's the kind of E-mail that grabs you by the collar and doesn't let go. On a Saturday afternoon last January, a message hit the in-box of BetCBSports.com, threatening to knock the online gambling site offline in prime sports-betting season if the company didn't pay up.
"You have 3 choices. You can make a deal with us now before the attacks start. You can make a deal with us when you are under attack. You can ignore us and plan on losing your Internet business," the E-mail read.
A denial-of-service attack knocked WagerWeb offline for about a day, senior VP and oddsmaker Dan Johnson says. Photo by Carlos Charpentier/Live Images
Photo by Carlos Charpentier/Live Images
It was no bluff. Within three hours, the site was taken down by what's known as a distributed denial- of-service attack. The first attack lasted five minutes and then ceased. "They were showing us what they could do," says Thomas Burns, who runs the business-technology systems for what's now known as WagerWeb.com, operated by CasaBlanca Gaming.
Such threats happen more often than most people realize. A survey by Carnegie Mellon University's H. John Heinz III School of Public Policy, in conjunction with InformationWeek's Summer Research Fellowship, found extortion attacks are surprisingly common: 17% of the 100 companies surveyed say they've been the target of some form of cyberextortion. The study, authored by graduate student Gregory M. Bednarski, queried small and midsize businesses about cyberextortion and other types of computer fraud.
The findings come as no surprise to FBI special agent Thomas Grasso, who helped with the study. "The majority of the cybercrimes we investigate involve some type of monetary motivation," Grasso says. "This business of people going out and compromising sites just to prove how much they know is a myth."
WagerWeb was knocked offline for about a day, says Dan Johnson, senior VP and senior oddsmaker at the site. Rather than pay off the attackers, the company called on its technical forces to build a defense and enlisted the help of Internet security-services provider Prolexic Technologies Inc. The vendor's services, at about $100,000 a year, aren't cheap. But, "I'd rather pay the $100,000 than pay the extortionists," Johnson says. The gamble paid off. "As soon as we got the service running, the attack stopped," technology manager Burns says.
Cyberextortion mostly travels under the radar, but not always. Earlier this year, Myron Tereshchuk, 42, of Maryland, pleaded guilty to one count of attempting to extort $17 million from intellectual-property company MicroPatent LLC. He faces up to 20 years in jail. Tereshchuk threatened to leak confidential information and launch denial-of-service attacks against intellectual-property attorneys worldwide if he wasn't paid.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.