Read Time: 7 mins
Written By:
Steve C. Morang, CFE
It's just like any other Monday for Bob, the president of a credit card processing center for online businesses. He makes the half-hour commute into work, fills his favorite coffee mug to the brim, and sits down at his computer to catch up on e-mail. He sees one with an unfamiliar sender's name and a subject line that reads, "Your Customer's Information." Bob knows to be cautious of e-mails received from unknown sources but he can't help himself and opens the message. He's bewildered as he stares at a list of business names he recognizes as his customers. Also on the e-mail are unknown names, 16-digit numbers, and separate three-digit numbers. He doesn't realize it yet but what he's looking at is a list of people who had made purchases, their credit card numbers, and the corresponding business names that had submitted their transactions for processing over the weekend. He reads the instructions: "Send $50,000 in 6 equal wire transfers or this will be sent to all your customers." The empty mug dangles from Bob's fingers while the carpet bleeds brown.
Bob would learn that day that hackers had penetrated his company's network to copy the sensitive data. But because he couldn't possibly believe the threat had any teeth, he shrugged off the e-mail message as a hoax. The next day he realized the threat was a reality when irate customers had tied up all the phone lines trying to get through.
Based on other incidents they had seen, law enforcement officers could only speculate that the hackers were likely in Eastern Europe, but because Bob's company hadn't immediately collected the proper evidence it was difficult to build a case. Customers were unforgiving, and Bob quickly found his young business in peril. Six months later, after his insurance company denied coverage, he closed his doors and updated his resume.1
The cliché "the more things change, the more they stay the same" applies to the new era of extortion. The traditional crime of extortion is an attempt to threaten a person or entity into giving up something in exchange for not being harmed in some way. Cyber extortion merely modernizes this crime by using the Internet and computers to carry out a wide variety of threats. For instance, after a cyber extortionist penetrates a network, plants malware, or obtains sensitive information from a database, he can hold the victim hostage with it. Cyber extortion is tied to many of the malicious acts perpetrated on the Internet. It's quickly becoming a favorite crime because it isn't violent, it promises lucrative payoffs, and it usually affords the extortionist anonymity.
Types of cyber extortion schemes
Extortion attempts over the Internet range from highly sophisticated and organized to ill-planned and isolated. Let's distinguish between targeted and non-targeted extortion attempts. An individual could become a target because of his position in a company or his social status. A cyber extortionist may target an organization because he wants to deflate its stock price, retaliate against a competitor, or simply because it's likely to pay.
Financial institutions and other companies holding enormous amounts of sensitive data are good targets because they can't risk harm to their reputations if the extortionist goes public with the stolen data. Companies on the verge of an initial public offering are also excellent targets (Swartz, 2004). Online gambling sites will find it in their best interest to pay when attacked the day before a major sporting event such as the Super Bowl because of high customer activity they can't risk losing. (Baker & Grow, 2004). Small businesses and strictly e-commerce businesses are also at a higher risk because attackers know that an IT system shut down for even a day can cripple them.
Non-targeted attacks can come at individuals through phishing schemes. Gregory Bednarski, who performed research at The Heinz School of Public Policy at Carnegie Mellon University, says, "The extorters are scanning the Internet for vulnerable systems, and it's no skin off of their nose to send out letters demanding $5,000. If 10 percent of the companies pay, the extortionist is sitting pretty." (Hulme, 2004)
Now let's dive into more specific methods for utilizing computer systems for extortion. If cyber extortionists aren't successful with one method, they will likely try another.
Theft or destruction of data
A cyber extortionist uses malware to disable an organization's firewall, or breaks into the system by other means, and extracts sensitive information. He then uses that information to threaten the company: he'll destroy the data, or alert the media or customers that the company's system is vulnerable to attack.
Website defacement
Cyber extortionists can also penetrate a system to alter an organization's Web site and keep customers from viewing products or other revenue-generating information. Another tactic is to place illicit material on a company's Web site to besmirch its good name.
Denial of service attacks
A denial of service (DoS) attack aims to keep authorized users from accessing a Web site; a quality of service attack degrades the site without taking it down entirely. The extortionist has many computers under his control send an enormous number of large requests to download files or perform searches on the Web site. DoS attacks have become more sophisticated at an alarming rate over the past few years. Tens of thousands of personal computers all over the world have been infected with malware that turns them into bots (also known as zombies). Unbeknown to the user, the PC is now part of a botnet, a group of infected PCs under one controller, and a flood launched from a botnet is a distributed denial of service (DDoS) attack. Botnets have grown from just a handful of PCs in 2002, distributing less than a gigabit per second of traffic, to 150,000 machines delivering an assault of 15 gigabits per second (Richmond, 2005).
This is a popular type of attack against on-line gambling establishments and other e-commerce sites. Of course, the business loses profits every moment its customers can't log on to the Web site and eventually may lose them.
Illicit Material
Cyber extortionists instill fear in companies by penetrating a system and placing illicit material (such as child pornography) on a company's Web site. Insiders may even download questionable data or images onto a fellow employee's computer.
These cyber extortionists typically choose not to target major companies that usually have deep pockets to absorb any loss of business but instead hit small to mid-size firms, which are more likely to pay them off to keep their businesses afloat and their names out of the media (Stacklin, 2004). Also, according to Stacklin, the cyber extortionists are careful about how much money they demand. They know if the dollar amount is too high that organizations will have to call the police. But if it's a tolerable amount, there's a greater chance the company will pay it and save the embarrassment.
Failed attempts
Failed extortion attempts aren't necessarily good news. The network may still be damaged, and companies will still have to pay high fees to the security consultants whom they hire to counter the attack. And then, of course, we can't forget the wasted time of employees who were working against the attack or were unproductive because they couldn't use their computers.
On Sept. 29, 2004, the management of DigiKnow, a Web site design and development firm, received a threatening phone call from a foreign voice saying that unless they paid a high sum their system would be brought down. The company decided to shut down its system and disconnect from the Internet. The hacker, who had stolen the company's customer list by remotely making a copy, maliciously sent an e-mail to the customers with the subject line of "DigiKnow Corp. Blunders." The e-mail, which came from a Yahoo-Italy account, informed customers that DigiKnow allowed the privacy of its customers to be compromised and they should question the company's security. The cyber extortionists only stole customers' contact information but the nightmare cost the company $250,000 to recover from the incident. It had to repair or replace 40 servers and 50 hard drives, restore data files, and pay incredible overtime to employees for a week (Stacklin, 2004).
Repeat victimization
Even after an organization has been a victim of cyber extortion, it doesn't mean it's out of harm's way. In 2004, Russian hackers extorted money from British on-line gambling sites multiple times. The hackers targeted nine betting companies and attacked each of them three to five times with extortion demands of $5,000 to $50,000. Eventually, the Russian gang caused more than $70 million in damages to the companies. Fearing bad publicity, most of the victims hadn't originally called the police (Isachenkov, 2004).
Detection and investigation of cyber extortion
Human identification and specialized software are the two main techniques for detecting cyber crimes, including extortion. Before you try to detect a cyber crime, however, you must prepare an incident response plan. A Computer Security Incident Response Team, which computer forensic and security specialists commonly call a "Tiger Team," assists organizations in responding to attacks. E. Eugene Schultz and Russell Shumway, in their 2001 book "Incident Response," propose a six-step methodology: preparation, detection, containment, eradication, recovery, and follow-up. Preparing for an incident includes performing risk assessments, adequately preparing for the identified risks, training employees on response procedures, and obtaining necessary resources such as back-up computer equipment. The purpose of containment is to limit the impact, damage, and resulting loss. Steps in this process could include shutting a system down, modifying firewalls or other configurations, establishing decoy servers, disconnecting the network from the Internet, and/or alerting the ISP from which the attack is originating (Legault, 2005). Keep in mind that shutting a system down destroys volatile evidence such as running processes and open network connections, so coordinate containment with the evidence-collection steps described below. In the eradication stage, the victim's goal is to eliminate the cause: determine the vulnerability and fix or remove it. In the recovery phase, use back-ups to restore the system after you've determined that it can function properly. Finally, in the follow-up stage, security personnel determine what they've learned about the company's vulnerabilities and about how the incident response was executed.
Internet Service Providers can detect cyber extortionists by increasing their monitoring of traffic. If they see a flood of activity, it could be a DoS attack beginning and they could take measures to stop it or at least help the victim contain the attack faster (Pesola, 2004).
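The traffic monitoring described in the preceding paragraph, and the botnet flood described under "Denial of service attacks" above, come down to counting requests per source and in aggregate over a sliding time window. The following is an added example written for this page, not code from the article or from any of its sources. The log format (common log format), the thresholds, the window length, and the IP addresses are assumptions, and the sample traffic is constructed rather than captured.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.
#   203.0.113.5 - - [05/Nov/2004:09:00:00 +0000] "GET /search?q=x HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=100):
    """Sliding-window flood detector over chronologically ordered log lines.

    Two thresholds are kept because the two attack shapes in the text differ:
    - per_ip_limit catches a single source hammering the site;
    - total_limit catches a botnet whose members each stay under the per-IP
      limit but together exceed what the site can serve.

    Returns (per_ip_alerts, total_alert): a dict of ip -> time that source first
    crossed per_ip_limit, and the time the aggregate first crossed total_limit
    (None if it never did). Thresholds here are assumed values for the demo.
    """
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
    total = deque()               # all timestamps still inside the window
    per_ip_alerts = {}
    total_alert = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop requests that fell out of the window
            q.popleft()
        if len(q) > per_ip_limit and ip not in per_ip_alerts:
            per_ip_alerts[ip] = ts
        total.append(ts)
        while ts - total[0] > window:
            total.popleft()
        if len(total) > total_limit and total_alert is None:
            total_alert = ts
    return per_ip_alerts, total_alert


def build_sample():
    """Constructed traffic (not real logs): one normal visitor, one single-source
    flood of 30 requests in three seconds, and a 40-bot botnet whose members
    each send only three requests, so only the aggregate count gives them away."""
    base = datetime(2004, 11, 5, 9, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [entry("198.51.100.7", i * 12, "/products") for i in range(5)]
    lines += [entry("203.0.113.5", 100 + i // 10, "/search?q=x") for i in range(30)]
    lines += [entry(f"192.0.2.{b}", 200 + i, "/download/catalog.pdf")
              for b in range(1, 41) for i in range(3)]
    lines.sort(key=lambda l: parse_line(l)[1])   # the detector expects time order
    return lines


def demo():
    """Run the detector over the constructed sample."""
    return detect_floods(build_sample())


if __name__ == "__main__":
    per_ip, aggregate = demo()
    print("single-source floods:", per_ip)
    print("aggregate flood began:", aggregate)
```

On the constructed sample the single aggressive source is flagged at its 21st request, the normal visitor is never flagged, and no individual bot crosses the per-IP limit; the botnet is caught only by the aggregate window, which is the reason an ISP or upstream provider, seeing traffic for the whole site, is better placed to spot the start of a DDoS than any one server looking at one client at a time.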
Also, after detecting an extortion scheme, and even before beginning an investigation, you should immediately contact law enforcement and a competent IT security consultant or investigator. If these professionals determine that the attack is still in progress, they'll use specialized software to initiate a "back trace" to obtain the geographical location of the attacker (Middleton, 2004/2005). They'll determine whether an intrusion detection system is in place, who first noticed the attack, and whether anything has been touched.
Investigators would then discover more specific details such as the existence of a system backup, if consultants recently performed any service on the network system, and if any new applications had been added. These are only a sampling of inquiries investigators would make before even starting to work on the computer system.
Investigators would make a mirror image of the system for forensic analysis, one of the most important procedures. They would use this copy instead of the original system to collect evidence, which would allow the company to bring the system back online while the investigation continues. A cryptographic hash taken of the original and of the image, recorded along with the time and the name of the person who made the copy, shows that the copy is faithful and supports the chain of custody if the case goes to court.
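The imaging step above, as an added example written for this page rather than code from the article or the investigators it cites. In practice the original drive sits behind a hardware write blocker and is copied with a dedicated imaging tool such as dd or dc3dd; this Python version shows the discipline those tools enforce: the source is opened read-only, hashed as it is read, the finished image is re-read and hashed independently, and every later search runs against the image only. The file names, the block size, and the embedded "disk" contents are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a large image never has to fit in memory

# Constructed evidence: a small fake "disk" with the extortion e-mail's subject line
# embedded twice at known offsets (constructed for the demo, not data from the article).
NEEDLE = b"Your Customer's Information"
PAYLOAD = b"\x00" * 4096 + NEEDLE + b"\xff" * 3000 + NEEDLE + b"\x00" * 100


def image_and_verify(source, image_path, chunk=CHUNK):
    """Copy `source` byte for byte to `image_path`.

    The source is opened read-only and hashed while it is read; the finished
    image is then re-read from disk and hashed independently. Returns
    (source_sha256, image_sha256, verified) so both digests can go in the
    chain-of-custody record.
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())   # make sure the image is on disk before re-reading it
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return src_hash.hexdigest(), img_hash.hexdigest(), src_hash.digest() == img_hash.digest()


def find_all(image_path, needle, chunk=CHUNK):
    """Absolute offsets of every occurrence of `needle` in the image.

    A keyword search run on the copy, never the original. The last len(needle)-1
    bytes of each block are carried into the next so a match that straddles a
    block boundary is still found exactly once.
    """
    offsets = []
    overlap = len(needle) - 1
    pos = 0            # absolute offset of the current block
    tail = b""         # carry-over bytes from the previous block
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            buf = tail + block
            start = 0
            while True:
                i = buf.find(needle, start)
                if i < 0:
                    break
                offsets.append(pos - len(tail) + i)
                start = i + 1
            tail = buf[-overlap:] if overlap > 0 else b""
            pos += len(block)
    return offsets


def demo(chunk=4100):
    """Image the constructed disk, verify the copy, then search only the copy.

    chunk=4100 is chosen so the first NEEDLE straddles a block boundary and
    exercises the carry-over logic in find_all.
    """
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "evidence_disk.bin")
        image = os.path.join(workdir, "evidence_disk.dd")
        with open(original, "wb") as f:
            f.write(PAYLOAD)
        src_sha, img_sha, verified = image_and_verify(original, image, chunk)
        offsets = find_all(image, NEEDLE, chunk)   # analysis touches the image only
    return {"source_sha256": src_sha, "image_sha256": img_sha,
            "verified": verified, "offsets": offsets}


if __name__ == "__main__":
    result = demo()
    print("image verified:", result["verified"], "sha256:", result["image_sha256"])
    print("subject line found at offsets:", result["offsets"])
```

The two digests, written down with the time and the examiner's name, are what later lets a court (or an insurer) trust that what the investigators analyzed is what was on the machine the morning the e-mail arrived.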
Insurance, loss, and recovery
Before a loss occurs, organizations should review their current general insurance policies. Many will find that their general commercial and liability coverage excludes cyber attacks. However, many insurers now offer cyber policies that cover cyber extortion, cyber terrorism, hacking, viruses, denial of service attacks, and malicious acts by employees. Ask an insurance company several questions when reviewing a cyber policy.
Jan Wleugel, senior vice president at Marsh Canada Ltd, a corporate insurance broker, suggests asking if the policy covers employee theft and breach of privacy because many insurers are deliberately leaving this out. Also determine if the policy covers physical theft of electronic data (Oliver, 2004). A good policy will also cover down-stream liability, in which a company is insured against its systems being used to launch a denial of service attack against another entity ("Insurers to Drop," 2004). Ty Sagalow, COO of American International Group's (AIG) e-business division recommends policies that cover: Web-content liabilities, financial loss resulting from data damage, destruction or corruption, professional errors and omissions, loss of income from network security failures, post-incident public-relations fees, and a criminal reward fund reimbursement (Oliver, 2004).
Insured companies should keep in mind that a claim on a cyber policy will necessitate a comprehensive loss analysis with supporting information. Therefore, it's critical to have adequate risk assessments, financial data related to operations, and effective security measures in place. Without these, it may not be possible to support a claim, which could result in a denial of coverage.
Determining the loss from a cyber extortion attack can be just as frustrating as the attack itself. There are many steps and variables to consider. Good business practice and insurance companies alike dictate that a company performing an accurate loss analysis needs adequate information to support it. Here's a list of the losses to be tallied:
- replacement costs of computer system equipment;
- wages paid to employees who became unproductive during the attack;
- overtime compensation for employees who worked to bring the system back to an operational level;
- amounts paid to investigators; and
- lost sales, estimated from business models projecting the rate of sales growth if the attack hadn't occurred.
To support the business model, a company needs to consistently track marketing information, sales, and Web site activity. This information is critical for completing a loss analysis that will adequately support an insurance claim.
Prepare for the cyber extortionists
There are a multitude of computer security threats, and many of them serve as catalysts for extortion. Lack of adequate security places computer systems, and therefore individuals and organizations, at risk. Continuous security, risk, and education updates are needed in an organization to keep its risk at a tolerable level. We seldom hear about the "Bobs" out there fighting to save their systems during an attack and, in turn, their companies afterward. They are, however, numerous and growing every day. Prepare now so you don't become one.
1 This is a composite case.
Sources
Baker, Stephen, & Grow, Brian. (Aug. 9, 2004). "Gambling Sites, This is a Holdup." Business Week, 3895, 60.
Bednarski, Gregory M. (2004). "Enumerating and Reducing the Threat of Transnational Cyber Extortion against Small and Medium Size Organizations." Unpublished master's thesis, Carnegie Mellon, Pittsburgh.
Hulme, George V. (2004). "Extortion Online." Informationweek, 1005, 25.
"Insurers to Drop Hacking Premiums." (April 2004). VNU Business Publications Ltd, 1.
Isachenkov, Vladimir. (July 2004). "Russian Hackers Extort Cash From British Bookmakers." Informationweek, 1.
Legault, Jean-François. (2005). eFraud (1st ed.) (Association of Certified Fraud Examiners, Ed.). Austin, Texas: Association of Certified Fraud Examiners.
Middleton, Bruce. (2005). Cyber Crime Investigator's Field Guide (2nd ed.). Boca Raton, Florida: Auerbach Publications. (Original work published 2004)
Oliver, Lee. (March 2004). "Dot Calm." CB Media Limited, n/a, 84.
Pesola, Maria. (Nov. 5, 2004). "Extortionists jam online payment site." The Financial Times, p. 2.
Stacklin, Jeff. (October 2004). "Extortionline; Cyber shakedown trend claims DigiKnow as victim." Crain's Cleveland Business, 3.
Swartz, Jon. (October 21, 2004). "Crooks slither into Net's shady nooks and crannies." USA Today, Final Edition, 1B.