Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Bitcoin Businesses

Businesses Pay $100,000 To DDoS Extortionists Who Never DDoS Anyone (arstechnica.com) 52

Dan Goodin, reporting for Ars Technica: In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service (DDoS) gang that has yet to launch a single attack. The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 by Bitcoin in protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.An excerpt from CloudFlare blog post:Given that the attackers can't tell who has paid the extortion fee and who has not, it is perhaps not surprising to learn that they appear to treat all victims the same: attacking none of them. To date, we've not seen a single attack launched against a threatened organization. This is in spite of nearly all of the threatened organizations we're aware of not paying the extortion fee. We've compared notes with fellow DDoS mitigation vendors and none of them have seen any attacks launched since March against organizations that have received Armada Collective threats.
This discussion has been archived. No new comments can be posted.

Businesses Pay $100,000 To DDoS Extortionists Who Never DDoS Anyone

Comments Filter:
  • by ranton ( 36917 ) on Tuesday April 26, 2016 @09:05AM (#51988957)

    The least they could do is send out a list of all companies who paid extortion fees so people could identify inept management who should be replaced.

    • by bondsbw ( 888959 )

      Except, of course,

      the attackers can't tell who has paid the extortion fee and who has not

      • by Anonymous Coward

        That's hard to believe, but true:

        CloudFlare also pointed out that the group asked multiple victims to send precisely the same payment amounts to the same Bitcoin addresses, a lapse that would make it impossible to know which recipients paid the blood money and which ones didn't.

        • by irving47 ( 73147 )

          Nah, I can think of an easy way.
          This is how I'd do it.
          Actually, many of those who have had ebay or paypal or other 'real money'-linked have had to do this... (Maybe they still do. I have no idea.)
          When signing up for the service, they wanted to verify you had the checking account/information you signed up with. So they'd send you a transfer of anywhere from one cent to $2 or $3 and change. The only way to 'verify' was to use that deposit (some did it twice) as the confirmation code.

          So as long as they custom

      • Only if the attackers are as inept as their victim. If they know what they are doing, they set up a different Bitcoin address to receive the funds of each victim.
    • Killing the golden goose, are we?

  • by Sycraft-fu ( 314770 ) on Tuesday April 26, 2016 @09:12AM (#51989013)

    What the hell can you possibly hope to gain by paying off DDoSers? If you do pay them, they have literally no incentive not to just keep extorting you, and then others can do the same. Ya getting DDoS'd sucks but the good news is any sizable DDoS costs them money too, they have to rent out a botnet so they can't sustain it for very long.

    This is much different than paying "protection money" to a criminal organization in the physical world. While, yes, it is still extortion at least there you have a benefit you get: They will legitimately protect you from other criminals. Organized crime is not interested in others muscling in on their business so they do actually work to protect businesses that buy them off. It is a heavy handed situation, as if you don't pay they will go after you themselves, but you can see why it would make some sense for a business to buy in. If the police are unwilling or unable to protect them, this can.

    With DDoS gangs on the Internet, there's nothing of the sort. They are just saying "Pay us and we won't bother you," but they can go back on that, or double dip. They can easily pretend to be someone else and demand you pay up, and others can also demand you pay up. I think the more you pay the more likely you are to have a reputation of an easy mark who can be extorted at will.

    • Well, most companies are ran by people who have been conditioned by the government Mafia 'to pay or else', so this is the only way they know. I don't have any issues going directly after the specific people that want to steal from me, most folks out there cannot even imagine doing that.

    • by Dwedit ( 232252 )

      "Protection money" doesn't cover protection from other criminals, it only means "nice business you got there, shame if something were to happen to it".

      • by LiENUS ( 207736 )

        "Protection money" doesn't cover protection from other criminals, it only means "nice business you got there, shame if something were to happen to it".

        Not in any sane protection racket scheme, even wikipedia can tell you this
        https://en.wikipedia.org/wiki/Protection_racket [wikipedia.org]

        In an extortion racket, the racketeers agree simply to not attack a business. In a protection racket the criminals agree to defend a business from any attack. Conversely, extortion racketeers will have to defend their clients if threatened by a rival gang to avoid the client transferring their allegiance.

        Yes it's possible for the people running the racket to be morons, but the end result is someone else will come in and sway their client to them and actually protect them from the original gang.

    • "no incentive not to just keep extorting you, and then others can do the same."
      Except for honour, and not wanting to ruin a good thing by convincing the other gazillion businesses to not pay them. They have everyone reason in the world to go on down the list of inexhaustible businesses you have not extorted yet. On a purely profit motive, it is probably not even worth launching a DDoS if your extortion fails, most of the time. You just need a few public demonstrations of what will happen, if 99% of the fail

  • by PvtVoid ( 1252388 ) on Tuesday April 26, 2016 @09:13AM (#51989025)

    ... it would be a pity if anything happened to it.

  • They figured out you don't have to actually do the crime, just threaten to do it convincingly.

  • Given that the attackers can't tell who has paid the extortion fee and who has not,

    Theoretically they could. Just set up a different wallet (or bitcoin address, or whatever the correct term is...) to receive the ransom for each potential victim.

    But if they don't, and 2 victims compare notes, then it is easy to spot.

  • by ArsenneLupin ( 766289 ) on Tuesday April 26, 2016 @09:44AM (#51989263)

    "The extortion emails encourage targeted victims to Google for the Armada Collective," CloudFlare CEO Matthew Prince wrote. "I'm hopeful this article will start appearing near the top of search results and help organizations act more rationally when they receive such a threat."

    ... and it did: https://www.google.com/search?q=armada+collective [google.com] has as a top hit Empty DDoS Threats: Meet the Armada Collective - CloudFlare

  • sad (Score:5, Funny)

    by bigdavex ( 155746 ) on Tuesday April 26, 2016 @09:46AM (#51989277)

    It's a sad day when you can't trust extortionist to make good on their threats. Where's the pride in their craft? Where's the work ethic? Society is in decline.

    • These are the script kiddies of extortionists. They like to call themselves by the cool sounding name ("hacker" or "extortionist") but don't really have the skills needed to pull off what actual hackers/extortionists do. So they bluff their way through and fake some grand schemes in the hopes of gaining everyone's fear/respect for elite skills that they clearly don't have.

  • by Anonymous Coward

    The invisible hand of the market is sometimes attached to an invisible idiot.

  • What about the old days where they just paided bills for stuff like web services where some admin (non IT) just got a bill from some out side place for stuff that they did not even have as part of a scam.

    • I was talking to one of my managers about this sort of thing recently. It wasn't too many years ago that you would get a bill for "paper/toner/etc." You didn't actually buy these products from this company, but they would send out tons of bills and a percentage of companies blindly paid them. It was enough to keep the scammer in business sending out more and more letters.

      On the IT side, we used to get notices from Domain Registry of America to "renew" our domains for the low, low price of $45 a year! Of

  • You have a nice place hear it will be a shame if something bad where to happen.

  • by TheCarp ( 96830 ) <sjc AT carpanet DOT net> on Tuesday April 26, 2016 @10:08AM (#51989387) Homepage

    See, they COULD setup DDOS infrastructure, they could spend time herding bots, and refreshing their botnet, but, every bit of effort they spend is cost. Cost that is being spent on something other than finding people who will pay.

    It is like going to trial, a lot more companies will threaten legal action than will go through with it. Its cheap to threaten, its expensive to follow through, especially if it doesn't work out and becomes 100% cost.

    In short, contacting someone takes effort, following through with a threat takes more on top. The follow through is, quite literally, throwing good money after bad, and has a much lower ROI than the initial contact.

    All they have done is cut out the unprofitable part of their business.

    • by Hentes ( 2461350 )

      I'm not so sure this "hacking" group has any idea how to build a botnet. They have no more technical knowledge than Nigerian scammers.

      • by TheCarp ( 96830 )

        Exactly, makes it even cheaper to not include people with skills they don't actually need. This makes them a lot more lean and increases ROI substantially.

    • by tnk1 ( 899206 )

      I totally agree. Why actually execute an attack, with all the infrastructure setup that entails, when you can just pretend to be a feared attacker and have none of that cost? If they don't pay up, you didn't lose anything. If they do? Your margins are very, very good.

      Obviously, this falls apart if few enough people pay up that your costs for discovering them are higher than your returns. So, there has to at least be a minimum effort to craft your threat in a convincing way.

  • Simply by asking them to pay different, specific amounts. That amount clears? Check off the company who was "charged" that much.
    • In the bitcoin world you track payer with addresses. If you sell song for 99, you give each user a unique address with all the same amount and you know who paid by checking the addresses. Unlike banking, there is unlimited number of addresses you can hold on a single wallet.
  • What if, instead of threatening DDoS, they had chosen their words more carefully. "We have received actionable intelligence that your company is being targeted by $SCARY_HACKER_GROUP. They will DDoS your site on or around $DATE. We have the ability to thwart their actions, but we request a one-time fee of ##BTC to help cover our costs. Please send the payment to $BTC_ADDRESS." Would this be extortion? Is it equivalent to "Nice bar you have here, it would be a shame if something were to happen to it."
    • While people like to imagine they can get away with things on a technicality of careful wording, I expect this would be up to the judgement of the judge/jury of the intent. In this case, if you can't show exactly how you received your intelligence and exactly how you'd stop the hackers, you'll be judged to have criminal intent.

  • are soon parted. To the 14 year olds with $100k in bitcoin: The next scam would be to set yourselves up as an "email threat assessment service." It's a slightly longer con, but they're primed to buy in.
  • We've known about these miscreants for many years [imdb.com], and yet remained negligent. We only have ourselves to blame.

To stay youthful, stay useful.

Working...