Author: Shashank Singh
It’s a new twist on an old racket that has haunted businesses for centuries — “Give us money or we’ll shut you down”
The number of ordinary citizens using the Internet will keep growing, and soon everyone will be a “Netizen” by choice or by force. Sooner or later, every one of us will not only be using the Internet but also be developing a pressing need for it. The Internet has already become an integral part of our lives and will continue to influence every aspect of our day-to-day activity.
Cyber crime is the most dangerous of all crimes because of the magnitude of the loss it is causing today; the ease with which it is committed; its visibility and its disregard of geographical boundaries; and the difficulty of investigation, collection of evidence and successful prosecution of the cyber criminal. Once the Internet becomes an integral part of the daily life of even the common man, which is not far away, cyber crime, if not checked in time, would be destructive for civilization itself.
The growth of the internet and online commerce has created enormous economic opportunities for not only legitimate businesses but also for criminal gangs. In particular, cyber criminals are taking full advantage of the new technology to update old extortion rackets and shake down companies by threatening to cripple their websites, release confidential customer information, or vandalize networks and erase critical data. Cyber-extortion is a rapidly growing problem for online retailers, financial institutions and web-based companies with seasonally dependent businesses that could be hurt badly by an ill-timed shutdown.
The word ‘extortion’ has been defined by the Britannica Encyclopedia as: “Unlawful exaction of money or property through intimidation or undue exercise of authority. It may include threats of physical harm, criminal prosecution, or public exposure. Some forms of threat, especially those made in writing, are occasionally singled out for separate statutory treatment as blackmail”. But when used in the context of the cyberspace this word acquires a slightly different meaning.
Cybercrimes include attacks on computer security threatening the confidentiality, integrity, or availability of digital data, or they involve the execution of traditional offenses, such as theft and fraud, by means of computers and computerized networks. Among the latter kind of cybercrime is internet extortion. Extortion refers to the making of a particular demand on a person under threat of causing harm. The object of the extortion demand is often of a monetary nature but can also include non-financial considerations, such as sexual favors or discretionary actions.
Extortion activities are typically directed at wealthy individuals or at organizations that have considerable assets. Most nations across the world have laws against extortion, with punishments varying with the degree of seriousness of the circumstances of the offense. This type of extortion or cyber crime is nowadays more and more often referred to as “ransomware”. Thieves and extortionists are increasingly aware of the fact that the computer’s content may be of far greater value than the price of the computer itself.
TYPES OF INTERNET EXTORTION
There are at least five types of internet extortion that can be identified: Firstly, an information system or digital technology, such as the internet or a computer network, can be used as a medium of extortion. For example, in the mid-1990s, a case was exposed whereby a man visited an online chatroom posing as a woman to engage in sexual banter with other visitors. The man would then also pose as the woman’s husband and threaten the other visitors with bodily harm should they not pay a certain amount of money. Because the extortionist did not hide his identity, he was easily discovered and brought to trial. Other such internet extortion schemes involve deliberate attempts to hide one’s identity and the source of communications, for instance by looping and weaving messages through various servers or by establishing email accounts that are anonymous or based on fraudulent credit card information. An extortionist can also use encryption methods to communicate in secrecy with the targeted victim on public forums such as a computer bulletin board.
Secondly, in other extortion plots, the digital technology may become the target of the threat. The technology itself may be valuable to the victim because of the information and data that it contains or, as in the case of the websites, because it is a source of income or represents an important element in a person’s or organization’s public image. Extortion threats have been reported whereby the owners of websites were threatened to have their posted information deleted. On other occasions, the webpages were already disabled after which a threat was made to have the website restored. Another manifestation of this form of internet extortion is website defacement, whereby a website is transformed into pages that contain obscenities or a weblink pointing to a competing organization.
A related method of internet extortion is a denial-of-service attack that makes websites unusable. For example in February 2004 such attacks were launched against the website of the Recording Industry Association of America with a demand to stop prosecuting people who share music on the internet. When the demand was not met, the website became temporarily inaccessible. Internet gambling sites have been among the preferred targets of denial-of-service attacks. A few years ago, for example, some individuals emailed the operator of the Bet Costa Rica International Sports book website, which receives about $2 billion in bets every year. The emailers demanded $40,000 under threat of disabling the site.
In a third form, the digital technology can be used as a medium for the disclosure of embarrassing or harmful information about the victim. The worldwide popularity of the internet has made it possible for information about people and institutions to be available to a global community of spectators. Extortion cases are known whereby celebrities were threatened with having embarrassing pictures posted online unless payments were made.
Fourth, a digital information system can be used as a means of enabling payments or for concealing payments that are part of an extortion plot. In traditional forms of extortion, the moment that payment is made typically exposes the extortionist to the victim, who might have solicited the help of law enforcement authorities. With the internet, however, online payments can be made that involve electronic transfers to various accounts in multiple jurisdictions.
And, fifth, digital technologies can be used as additional instruments in an extortion scheme. The internet contains a lot of information about people, oftentimes posted without their knowledge, and such information can be easily gathered with the help of search engines and software packages. It is relatively easy for an extortionist to find out embarrassing details about a potential victim in this way.
CHARACTERISTICS OF INTERNET EXTORTION
Internet extortion schemes are observed in many parts of the world (Bednarski 2004). Especially at a more organized level, internet extortion has been repeatedly discovered in the Eastern European countries that have only relatively recently seen their economies move to a free market model. The resulting enhanced opportunities of legitimate economic conduct have also brought about new means for illegitimate enterprises. In most advanced-capitalist nations of the world, however, these opportunities have long existed and fueled an individualist culture that besides many legitimate actions also facilitates extortion. Internet extortion is thus a truly global phenomenon.
The perpetrators of internet extortion can be individuals as well as organized crime groups. For example, a group of hackers who had unsuccessfully tried to extort the credit card company Visa, demanding several million dollars in return for credit card information they had stolen, turned out upon their arrest to be a relatively small group of people in their late teens and early twenties. Similarly, the members of a Russian extortion gang, which had demanded several thousands of dollars from owners of gambling websites, were discovered to be just three people, one of whom was a 21-year-old college student. On a more organized level, some cyber extortionists function as ‘information merchants,’ who conduct a veritable business in the sale of information and extortion schemes to obtain substantial monetary profits.
The response to extortion threats by the targeted victims also differs. When, a few years ago, a gambling website received an extortion threat a week before a major sports event, the company that owned the site decided not to pay the extortionists, resulting in a two-day period of denial-of-service attacks that disabled the site. But other site owners have given in to the extortion demands. The gambling site MVPsportsbook, for instance, paid extortionists the sum of money that was asked for, because it was judged financially beneficial to do so relative to losing revenue from a disabling of the site.
CYBER EXTORTION – AN INCREASING RISK TO BUSINESSES
Criminal gangs are increasingly using the Internet as a tool to extort money from businesses. In recent years more companies have moved their business processes online and e-commerce has been a massive source of growth. However, while the rise of the Internet has brought numerous benefits, it also carries a number of threats in the form of viruses, hackers, worms, and malware. Most companies are aware of these risks and have the appropriate processes and technology in place to mitigate them. But in the last few years these Internet based threats have taken on a more malevolent and sophisticated nature; virus writing is no longer the pastime of teenagers with too much time on their hands – instead, viruses are now being written for organised cyber criminals motivated only by money.
The cyber criminals are increasingly using a method known as Distributed Denial of Service (DDoS) attacks. DDoS attacks are launched with the sole aim of crashing a company’s website or server by bombarding them with packets of data, usually in the form of web requests or e-mails. Unlike single source attacks (which can be stopped relatively easily), the attacker compromises a number of host computers which, in turn, infect thousands of other computers that then operate as agents for the assault. These infected host computers, known as ‘zombies’ or ‘bots’, then start flooding the victim’s website with requests for information – creating a vast and continuous stream of data that overwhelms the target website, thus preventing it from providing any service.
Although they can be executed in minutes, DDoS attacks can last hours, weeks and even months and are capable of bringing unprotected organisations to a grinding halt. All online services will be disrupted which will not only prevent businesses from serving their customers, but will also prevent employees from doing their work. The results will be a loss of customer and shareholder confidence, reduced productivity and a massive dip in revenue. Cyber extortionists are able to demand huge sums of money to cease the attack, yet these amounts are small in comparison with the financial impact of a sustained assault.
The cost of a DDoS attack can be substantial and it has been estimated that as many as 10,000 occur worldwide every day. DDoS extortion attacks were originally used against online gambling sites. Criminal gangs would initiate attacks that would bring the website down just before a major sporting event, inflicting maximum financial damage. Now, however, DDoS attacks are increasingly being used to extort money from all sorts of businesses.
The reality is that no company is safe. The problem is exacerbated by the fact that DDoS attacks do not simply affect the organisations they are targeted at, but can in fact bring down the Internet Service Provider (ISP).
Some companies have chosen to meet the demands of extortionists – this is understandable as the amount being demanded is often far less than the cost of implementing the technology needed to filter network traffic on an ongoing basis. Inevitably, however, companies that have given in to blackmail have found themselves being targeted again. By giving in to extortionists businesses are encouraging such activities and making the problem worse.
Lack of awareness: Despite the substantial damage DDoS attacks can cause, research released by IT Company IntY has revealed an alarming lack of awareness amongst businesses about the threat posed. According to IntY, more than half of UK companies are at risk because this lack of understanding has resulted in a widespread failure to implement the necessary preventative technology. It is vital that senior decision makers wake up to the very real threat posed by DDoS attacks. A failure to do so could have far reaching consequences. While most companies do succeed in getting their business back online following an attack, the damage done to brand integrity will be significant and both customer and shareholder confidence will be affected.
All businesses with an online arm should implement the necessary preventative measures to mitigate the threat of a DDoS attack. Many companies rely on reactive measures such as blackholing, router filters and firewalls, but all these methods are either inefficient, not sophisticated enough to protect against cyber criminals or can only be configured to specific external sources.
A multi-layered approach to defense is required: While all these tools do possess crucial security features, they fail to offer sufficient protection against the ever evolving and sophisticated nature of these assaults. If companies are to successfully combat a DDoS attack, a truly multi-layered approach to defense must be adopted. Thus it is vital to establish a solid relationship with your service provider to ensure that you are aware of the measures that are available to protect your network and online business. Recent research by Arbor Networks revealed that DDoS attacks are the most crippling threat facing ISPs today, yet only 29 percent of ISPs surveyed offer security and DDoS service level agreements to their customers.
Because DDoS attacks are launched from thousands of computers around the world, it is essential that companies share information about the attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital. A number of ISPs, large (including Belgacom, Cable & Wireless and COLT) and small, have signed up to Arbor Networks’ Fingerprint Sharing Alliance, which enables them to share detailed attack information in real time and block attacks closer to the source. Once an attack has been identified by one company, the other ISPs in the Alliance are automatically sent the ‘fingerprint’, enabling them to quickly identify and remove infected hosts from the network. This enables businesses and their ISPs to stay abreast of security threats as they arise. The Alliance is helping to break down communication barriers and its rapid growth marks a significant step forward in the fight against cyber criminals.
The threat of being blackmailed by organised criminals using DDoS attacks is very real and businesses cannot afford to be complacent. Such attacks are capable of bringing even the largest companies to their knees. However, standalone defenses are insufficient to combat these attacks and a comprehensive approach to security must be implemented. Not only should a multi-layered security strategy be instilled at enterprise level, but companies must also work with their ISPs to ensure that they too have taken preventative measures.
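The difference between a single-source flood and a distributed one, and the reason filters configured for specific external sources fall short, can be seen in request counts per source. The following Python code is an added example, not part of the original article; the request events, addresses, thresholds and function names are all constructed for illustration.

```python
from collections import Counter

WINDOW = 10          # seconds per analysis window (assumed value)
PER_IP_LIMIT = 20    # requests one source may send per window (assumed value)
SURGE_FACTOR = 5     # load of 5x baseline or more counts as an attack (assumed)


def make_events(kind):
    """Return constructed (timestamp, source_ip) request events for one window."""
    # 20 legitimate clients, 2 requests each: a baseline of 40 requests.
    events = [(t, f"198.51.100.{c}") for c in range(1, 21) for t in (1, 6)]
    if kind == "single":
        # One host sends 500 requests on its own.
        events += [(i % WINDOW, "203.0.113.7") for i in range(500)]
    elif kind == "distributed":
        # 500 bots send 2 requests each: every bot looks like a normal client.
        events += [(t, f"10.0.{b // 250}.{b % 250 + 1}")
                   for b in range(500) for t in (2, 7)]
    return events


def count_by_source(events, window_index=0):
    """Count requests per source address inside one time window."""
    return Counter(ip for ts, ip in events if ts // WINDOW == window_index)


def offenders(counts):
    """Sources that a per-source filter or rate limit would catch."""
    return {ip for ip, n in counts.items() if n > PER_IP_LIMIT}


def classify(counts, baseline_total):
    """Label a window as normal, single-source flood or distributed flood."""
    total = sum(counts.values())
    threshold = SURGE_FACTOR * baseline_total
    if total < threshold:
        return "normal"
    # Would blocking the noisy sources bring the load back under the threshold?
    blocked = sum(counts[ip] for ip in offenders(counts))
    if total - blocked < threshold:
        return "single-source flood"
    # Load is still excessive although no remaining source stands out.
    return "distributed flood"


def analyze(kind):
    """Return (label, number of per-source offenders, total requests)."""
    baseline = sum(count_by_source(make_events("normal")).values())
    counts = count_by_source(make_events(kind))
    return classify(counts, baseline), len(offenders(counts)), sum(counts.values())


if __name__ == "__main__":
    for kind in ("normal", "single", "distributed"):
        label, n_offenders, total = analyze(kind)
        print(f"{kind:12s} total={total:5d} "
              f"per-source offenders={n_offenders} -> {label}")
```

In the distributed case no individual source crosses the per-source limit, so the load can only be recognised and reduced on aggregate traffic, which is why cooperation with the ISP matters.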
The word web-jacking has been derived from the word ‘hi-jacking’. It is a new threat to the cyber world in which hackers gain access to and control over the website of another. They may then mutilate or change the information on the site. The purpose in most instances is to extort money from the person or the organization that owns the website.
For example, there was a ‘Gold Fish’ case where the site was hacked and the information pertaining to the gold fish was changed. Further, a ransom of US $1 million was demanded. In another case, a database containing highly sensitive and potentially embarrassing commercial information was ransomed for 1 million pounds, with an implicit threat that the data would be released to the regulatory authorities.
Data ransom may originate externally or internally. There are various ways or, technically speaking, “levers” available to the extortionist, who may:
· Encrypt vital data using a key known only to himself and then demand payment or issue an order. The extortionist instructs the victim that the decryption key will be released only if his demands are complied with.
· Threaten to sabotage systems, destroy or corrupt data unless payment is received or a demand is met.
· Intimidate the victim organization by threatening to release confidential information, the disclosure of which would inflict loss of confidence, embarrassment, commercial loss, damage to reputation, legal proceedings, a regulatory enquiry or some other damage.
· Threaten to spread a commercially damaging rumour via anonymous electronic mail; rumours relating to managerial corruption, commercial malpractice, corporate liability, viability or share price can be particularly damaging.
· Threaten to disclose IT security exposures, commercial vulnerabilities or a scandal known to the extortionist.
· Presume that the employer is totally dependent on the extortionist’s IT skills and has no recourse to alternative expertise.
· Place a software routine that causes critical operations to terminate or malfunction, rectifiable only by the extortionist should his demands be met.
· Deliberately sabotage or destroy data or project work, or make it inaccessible, immediately before defecting to a competitor or a new venture.
A crypto virus, crypto trojan or crypto worm is a type of malware that encrypts the data belonging to an individual on a computer and demands a ransom for its restoration. The term ransomware is commonly used to describe such software, although the field is known as cryptovirology.
This type of ransom attack can be accomplished by attaching a specially crafted file/program to an e-mail message and sending this to the victim. If the victim opens/executes the attachment, the program encrypts a number of files on the victim’s computer. A ransom note is then left behind for the victim. The victim will be unable to open the encrypted files without the correct decryption key. Once the ransom demanded in the ransom note is paid, the cracker may (or may not) send the decryption key, enabling decryption of the “kidnapped” files.
The idea of maliciously encrypting plaintext is not new. The first example is probably the PC Cyborg Trojan that was found in 1989. It encrypted only filenames (using a very weak symmetric cipher) causing the file system to be corrupted. There have been other malware attacks that have maliciously encrypted plaintext since then. The 1996 IEEE paper by Young and Yung reviews the malware that has done this, and shows how public key cryptography may be used in such threats.
A crypto virus, crypto trojan, or crypto worm is defined as malware that contains and uses the public key of its author. In cryptoviral extortion, the public key is used to hybrid-encrypt the data of the victim and only the private key (which is not in the malware) can be used to recover the data. This is one of a myriad of attacks in the field known as cryptovirology.
Since May 2005, malware extortion attacks (that encrypt or delete data) have been appearing in greater numbers. Examples include Gpcode (many variants: Gpcode.ac, Gpcode.ag, etc.).
REGULATION AND ENFORCEMENT POLICIES
Like other cybercrimes, internet extortion has been subject to legal regulation and law enforcement control (Grabosky, Smith and Dempsey 2001). Existing laws on extortion can be applied to internet extortion schemes, but many countries have passed separate laws concerning extortion involving digital technologies.
In the United States, the Computer Fraud and Abuse Act (1996) criminalizes any act of extortion involving computerized means. Other legal means to suppress extortion involve the application of regulations related to extortion cases, such as copyright laws that protect information and confidentiality clauses that prohibit revealing certain kinds of information.
In India, ‘cyber extortion’ as such is not mentioned under any law. But the belief, widespread all over the world, that India does not have legal provisions to deal with data protection and computer databases is a myth.
The Indian Copyright Act, 1957 protects “databases” as ‘literary works’ under Section 13 (1) (a) of the Act, which says that copyright shall subsist throughout India in original literary, dramatic, musical and artistic works. The definition of “literary works” under Section 2(o) of the Copyright Act, 1957 includes computer programs, tables and compilations including computer databases. The term ‘computer database’ was defined in the Indian legal system for the first time in the Information Technology Act, 2000, under Section 43 explanation (ii), as a representation of information, knowledge, facts, concepts or instructions in text, image, audio or video that are being prepared or have been prepared in a formalized manner or have been produced by a computer, computer system or computer network and are intended for use in a computer, computer system or computer network.
From a policy viewpoint, the popularity of the internet and its spread across the globe pose special problems of law enforcement related to the technological sophistication and international nature of many cybercrimes (Deflem and Shutt, forth.; Grabosky, Smith and Dempsey 2001). Many nations have developed explicit criminal codes against cybercrimes. Accompanying these new laws, law enforcement units specializing in cyber crimes and other high-technological offenses have been set up within the police and security services of many nations. International cooperation among these law enforcement units in extortion cases can rely on Mutual Legal Assistance Treaties that specify cooperation in various aspects of investigation and prosecution.
An important challenge for law enforcement in the case of internet extortion is to retrieve the identity and location of the perpetrator. Encryption of electronic messages enhances the difficulties in tracing the source of internet extortion. And, as is the case with all forms of extortion, the victims of internet extortion schemes are not always willing to report the offense and reveal their vulnerability. Preventive measures are therefore in order to protect against potential extortion schemes in cyberspace.
SUGGESTIONS & RECOMMENDATIONS
In today’s internet-dependent world, online operations have become an increasingly critical part of many businesses. Because criminals never stop trying to find new ways to exploit flaws in technology for their own gain, legitimate businesses must make sure that their risk management programs keep pace with the emerging threats in cyberspace. Indeed, organizations are under continual threat from hackers and extortionists who use their specialist knowledge to exploit the security weaknesses in the organization of their databases.
According to a survey, companies are still slow to implement preventive strategies and only 21% of the companies surveyed have formal education programs for their employees. Even more shocking is that 63% have not performed a security assessment in the last six months. Such a situation must be prevented and the security of a company must be regularly assessed.
Also, there is the problem of Distributed Denial of Service (DDoS) attacks, which have been a cause of trouble for Internet Service Providers (ISPs). Because DDoS attacks are launched from thousands of computers around the world, it is essential that companies share information about the attacks if they are to be stopped. Such assaults cannot be fought alone and a collaborative effort is vital.
Companies need to make sure that their networks are hardened and secured. Companies also should make sure that they identify and safeguard all critical and confidential data. Risk managers should know, however, that even the most thorough loss prevention measures will not stop all losses. For that reason, companies need to protect themselves financially with insurance or other forms of risk financing that cover these network-oriented losses.
A traditional technology insurance program, for example, should cover not only professional liability exposures but also network security liability and cyber-extortion threats. Every network risk insurance program should include access to professional network security consultants to help a company deal with extortion threats or any similar attacks as they arise.
Also, academically available statistics must be generated on the advent and threat of cyber extortion. Further, the creation of immediately usable guidelines for organizations that may be “at risk” of extortion may be very instrumental in preventing cyber extortion. The guidelines should describe the most common methods extortionists use against their targets, how to ready their information infrastructures against this, and what to do if an organization becomes a victim of extortion.
At a personal level, anti-virus software, firewalls and other intrusion detection systems must be employed. Thus, it can be said that securing cyberspace is a difficult strategic challenge that requires coordinated and focused effort from our entire society: the international forums on cyber security, the governments, states and local governments, the private sector and the people. Without the coordinated effort of all these, prevention of such activities is a Herculean task.