FBI to Banks: DDoS Extortions Continue
Don't Pay Attackers or Scammers, Security Experts Warn
Numerous firms across the financial services sector - and beyond - continue to face a variety of distributed-denial-of-service and data breach extortion attempts.
Attackers' tactics are simple: Sometimes they threaten to disrupt a firm's website, preventing customers from accessing it. And other times they warn that they will release data - which they obtained by hacking into the firm - that contains sensitive information about the organization's employees and customers. Or, the attackers say, the organization can pay them off - typically via bitcoins - to call off the attack or delete the data.
Richard Jacobs, assistant special agent in charge of the cyber branch at the FBI's New York office, reports that the bureau continues to see a large number of related shakedown attempts, with attackers in April making DDoS extortion threats against more than 100 financial firms, including some big banks and brokerages, MarketWatch reports.
Some firms have reportedly been hit with demands for tens of thousands of dollars, and the FBI says that some victims do pay, even though attackers might never have followed through on their threats. Moreover, paying sometimes leads attackers to blackmail the same victims for even more money. "There are some groups who typically will go away if you don't pay them, but there's no guarantee that's going to happen," Jacobs tells MarketWatch.
Attacks on the Rise
This is far from a new tactic for criminals operating online, and law enforcement experts have long warned organizations to not accede to attackers' demands (see DDoS Extortion Targets Social Network).
"Extortion types of attacks have always been around," says information security expert Brian Honan, who heads Dublin-based BH Consulting and also serves as a cybersecurity advisor to Europol. "They were quite popular during the 1990s and early 2000s, waned for a while, but are now gaining popularity again with criminals. We are seeing a rise in such types of attacks both in the U.S. and in Europe."
Large financial institutions in particular appear to be getting singled out by blackmailers, says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "The large banks are under an onslaught of [such] attacks; the smaller banks, I hear mixed things from," she says. But banks don't talk about such attacks much, she adds, "because no one wants the public to know that they're being extorted."
The growth of such shakedown attempts has been driven in part by the increasing availability and ease of use of DDoS-on-demand services, Litan says (see Why Russian Cybercrime Markets Are Thriving). "It's always been easy to get DDoS attacks, but now it's just more organized, more readily available, and you can say, 'I want to do it against these particular U.S. banks or U.K. banks,' for example," she says.
Sometimes, attackers do follow through on their threats by executing DDoS disruptions or leaking data. Earlier this year, for example, a hacking team calling itself "Rex Mundi" demanded a payment of 20,000 euros ($21,000) from French clinical laboratory Labio, or else it would release people's blood test results (see Hackers Wield Extortion). When Labio refused to pay, the hackers dumped the data.
The "Pedro Batista" Scam
But at least some of these shakedown attempts appear to be little more than bluster. For example, one threat researcher - speaking on condition of anonymity - reports that in recent months, an apparently Portugal-based attacker or middleman named "Pedro Batista" has attempted to extort both the Federal Savings Bank and the Industrial Bank of China. Batista claimed in an email - sent to the researcher - to have obtained root access to an FSB MySQL database, which supposedly contained extensive information about the firm's clients. For the Industrial Bank of China, Batista also claimed to have stolen a database containing employees' salaries, plus usernames and passwords.
Neither of those firms responded to Information Security Media Group's queries about whether they could confirm having received blackmail notices from Batista, or if they had given in to the extortion demands.
But Mikko Hypponen, chief research officer at F-Secure, says the Pedro Batista shakedown is a scam. "Since 2013, an individual using this name has been contacting security experts, offering vulnerabilities or leaked databases for sale," he tells Information Security Media Group. "Those that have kept up the communication with him have found out that he had no goods or very little goods to actually deliver. He might be able to do some SQL injections to gain partial access to some information, but for the most part, this seems to be some kind of a scam operation."
"@osxreverser One "Pedro Batista" has been spamming security people to sell hacked bank DBs since 2013 and still does in 2015. It's a scam." - Mikko Hypponen (@mikko), January 30, 2015
How To Respond: 5 Essentials
Organizations can simply ignore those types of scams, security experts say. But dealing with DDoS threats requires a more structured response, says Honan, who offers the following recommendations:
- React: Take the threat seriously, and "spin up" an incident response team to deal with any such attacks or threats.
- Defend: Review DDoS defenses to ensure they can handle attackers' threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help.
- Alert: Warn the organization's data centers and ISPs about the threatened attack, which they may also be able to help mitigate.
- Report: Tell law enforcement agencies about the threat - even if attackers do not follow through - so they can amass better intelligence to pursue the culprits.
- Plan: Continually review business continuity plans so that, if a disruption does occur, its impact on the business stays limited.
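The "React," "Alert" and "Report" steps above all depend on noticing quickly that a threatened DDoS attack has actually begun, and on having evidence to hand to the data center, ISP and law enforcement. The following script is an added example, not code from the article or from any of the experts quoted: it reads web-server access logs in Common Log Format, counts requests per second and per source, and raises an alert when a second's total exceeds an assumed normal baseline by an assumed multiplier. The log lines, the baseline of 5 requests per second, the multiplier of 3 and the IP addresses are all constructed for illustration.

```python
"""Added example (not from the article): a request-rate monitor that flags a
traffic surge in web-server access logs, the kind of signal that would trigger
the "React" step and give the "Alert" and "Report" steps concrete evidence.

The log lines are constructed sample data in Common Log Format; the baseline
rate and surge multiplier are assumptions, not figures from the article.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed access-log sample: light normal traffic for three seconds,
# then a burst of 30 requests from three sources in a single second.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [12/May/2015:10:00:00 +0000] "GET /login HTTP/1.1" 200 1024
203.0.113.7 - - [12/May/2015:10:00:01 +0000] "GET /accounts HTTP/1.1" 200 2048
198.51.100.9 - - [12/May/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512
""" + "".join(
    f'192.0.2.{i % 3 + 1} - - [12/May/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512\n'
    for i in range(30)
)

# Common Log Format: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def requests_per_second(lines):
    """Map each second (aware datetime) to a Counter of requests per source IP."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines rather than crash the monitor
            continue
        counts[rec["ts"]][rec["ip"]] += 1
    return counts


def detect_surge(lines, baseline_rps=5, factor=3, top_n=3):
    """Return one alert per second whose total exceeds baseline_rps * factor.

    Each alert carries the second, the request total and the busiest sources,
    which is the information a data center, ISP or law enforcement contact
    will ask for first. baseline_rps and factor are assumed values; a real
    deployment would derive the baseline from the site's own normal traffic.
    """
    threshold = baseline_rps * factor
    alerts = []
    for second, by_ip in sorted(requests_per_second(lines).items()):
        total = sum(by_ip.values())
        if total >= threshold:
            alerts.append({
                "second": second.isoformat(),
                "total": total,
                "threshold": threshold,
                "top_sources": by_ip.most_common(top_n),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_surge(SAMPLE_LOG.splitlines()):
        print(f"SURGE at {alert['second']}: {alert['total']} req/s "
              f"(threshold {alert['threshold']}), top sources {alert['top_sources']}")
```

Run against the sample, the monitor reports the single surge second, with 30 requests against a threshold of 15 and the three constructed source addresses as the busiest clients. A short list of busiest sources is deliberately kept in the alert: a real volumetric attack comes from many more addresses than three, and seeing how the load is distributed is what tells the response team whether upstream filtering by the ISP or data center is likely to help.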
Litan likewise advocates technical planning as the primary way to defend against threatened or in-progress DDoS attacks. Furthermore, if an organization's DDoS defenses do fail to mitigate the attack, she says an excellent fallback strategy is to redirect customers to a backup site that attackers don't yet know about. "If you are under attack, you have a miniature website set up that you can immediately redirect your customers to, with most of the functions on the site, so you don't have to deal with extortion attempts - go ahead and DDoS me, it doesn't matter," Litan says. "Some of the large banks have done that, and it has worked effectively."
Above all, Honan says that on behalf of all would-be victims, no targeted organization should ever give in to extortion attempts. "Needless to say, you should not pay the ransom, as you have no guarantee the criminals will not attack you anyway, or that other criminals may target you in the future," Honan says. "And by paying the demands you simply motivate the criminals to carry out similar attacks against you and others."