Preparing for the rise of digital extortion

Digital transformation is shaking up the finance industry. One driver of change is the widespread availability of digital currencies, such as bitcoin, which have made recent headlines as leading investment banks investigate their potential as a faster, more efficient way to complete financial transactions. The nature of this blockchain technology makes fraud or hacking virtually impossible, which is further drawing the banks in. In fact, nine of the world’s top banks, including Barclays and Goldman Sachs, have recently signed up to the services of technology firm R3 to test its feasibility and capabilities. Even George Osborne, the UK Chancellor of the Exchequer, has been seen making his first withdrawal from a bitcoin ATM at last year’s Innovate Finance conference, with some very clear words in favour of the ‘FinTech’ movement: "My message today is simple: we [Britain] stand at the dawn of new era of banking. Now let's get on with it."

However, the anonymity of bitcoin and the ease of converting it into real currency are fuelling a darker association with this technology. Ransom payments commonly conjure up images of hostage taking, pirates and briefcases full of cash. Cyber criminals prefer their payments over the wire – instant, untraceable and with zero risk of exploding dye, trackers or fake notes. And who would blame them? In a digital world where the “ammo” is cheap (massive attacks can be launched via subscription services for the same price as a mobile phone contract), it’s not surprising that digital espionage has become a popular method for tech-savvy and novice criminals alike. As a result, several organised crime groups (some sophisticated, others opportunistic ‘copycats’) have arisen in response to this opportunity. And although the finance sector was the first legitimate business target, the threat has evolved to include every sector that is financially impacted by its websites being offline.

One group, DDoS for Bitcoin (or DD4BC, as they are widely known), typifies what has happened to a growing number of victims. Their orchestrated fear campaigns began with a short-lived distributed denial-of-service (DDoS) attack, designed to consume resources and render websites inaccessible, followed by a ransom note demanding payment and threatening further attacks if it is not paid. In the absence of a highly scalable security solution, victims were often forced to pay up, knowing that further downtime could result in huge losses in online revenue, significant brand damage and SLA-related fines.

Between September 2014 and July 2015, the Akamai Security Engineering & Research Team identified 141 DD4BC attacks, with the largest DDoS attack reported at 56.2 Gbps. The extortionist group threatened to expose targeted organisations via social media, adding to the damage caused by the DDoS attack itself.

As this kind of activity expands and evolves, numerous threat advisories have been released in order to educate those with an online presence and ensure that they are best informed to make intelligent security decisions. Recently these have highlighted several key pieces of information to be aware of:

  • In one threat, DD4BC claimed it had the firepower to launch 400+ Gbps DDoS attacks, though there was no concrete proof it could carry out an assault of that size.
  • Earlier attacks focused on businesses that would avoid reporting the attacks to law enforcement, but this quickly expanded to target legal enterprises, especially in the financial and retail sectors.
  • Groups are likely using publicly available tools to launch attacks.
  • DD4BC appeared to use Google IP address ranges, and in some cases AppEngine instances, in its attacks. The IP addresses of some attack sources have been publicised and are available from Akamai.
  • The attack vectors have included NTP flood, CHARGEN attack, SSDP flood and UDP reflection DDoS attacks.
  • Some of the affected business sectors are hosting, domain name services (DNS), email services, high-tech consulting and services, gaming, Bitcoin exchanges and Software-as-a-Service enterprises.
  • One can expect copycats to enter the game, increasing these types of attacks.
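The advisory points above name the reflection vectors (NTP, CHARGEN, SSDP) but not how a defender would recognise them in their own telemetry. The script below is an added example, not Akamai's code or anything attributed to DD4BC: it parses a constructed flow-log format (the "ts src:port > dst:port PROTO bytes packets" layout is an assumption, as are the sample records and the thresholds) and raises an alert when a single destination receives a large aggregate UDP volume from several distinct sources on a well-known reflector service port. Reflection traffic reaches the victim as responses from port 19, 123 or 1900, which is why the check keys on the source port.

```python
"""Flag likely UDP reflection traffic (NTP, CHARGEN, SSDP) in flow records.

Added example for this article; it is not Akamai's code or a DD4BC sample.
Assumptions: flow records are one line per 5-tuple in a constructed
"ts src:port > dst:port PROTO bytes packets" layout, and the reflector
service ports are the standard ones (CHARGEN 19, NTP 123, SSDP 1900).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# A reflection attack spoofs the victim's address in requests to open
# reflectors, so the victim sees *responses* arriving from these service ports.
REFLECTOR_PORTS: Dict[int, str] = {19: "CHARGEN", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    nbytes: int
    packets: int


# Constructed sample records (RFC 5737 documentation addresses): three NTP and
# four SSDP reflectors hammering 198.51.100.5, plus benign traffic that must
# not trigger: a normal NTP reply, a TCP flow, and one small CHARGEN packet.
SAMPLE_FLOW_LOG = """\
2015-07-01T10:00:01 203.0.113.10:123 > 198.51.100.5:33421 UDP 46800 100
2015-07-01T10:00:01 203.0.113.11:123 > 198.51.100.5:33421 UDP 46800 100
2015-07-01T10:00:02 203.0.113.12:123 > 198.51.100.5:33421 UDP 46800 100
2015-07-01T10:00:02 203.0.113.20:1900 > 198.51.100.5:33421 UDP 38000 120
2015-07-01T10:00:03 203.0.113.21:1900 > 198.51.100.5:33421 UDP 38000 120
2015-07-01T10:00:03 203.0.113.22:1900 > 198.51.100.5:33421 UDP 38000 120
2015-07-01T10:00:03 203.0.113.23:1900 > 198.51.100.5:33421 UDP 38000 120
2015-07-01T10:00:04 192.0.2.50:123 > 198.51.100.9:123 UDP 96 2
2015-07-01T10:00:05 192.0.2.60:443 > 198.51.100.5:51000 TCP 12000 30
2015-07-01T10:00:06 192.0.2.70:19 > 198.51.100.7:40000 UDP 1024 1
"""


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the constructed flow format; malformed lines are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[2] != ">":
            continue
        ts, src, _, dst, proto, nbytes, packets = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(ts, src_ip, int(src_port), dst_ip, int(dst_port),
                          proto.upper(), int(nbytes), int(packets)))
    return flows


def detect_reflection(flows: List[Flow], min_sources: int = 3,
                      min_bytes: int = 100_000) -> List[dict]:
    """Aggregate inbound UDP flows by (victim, vector) and alert when many
    distinct reflectors send a large volume from a reflector service port.
    One NTP server answering a client yields a single source and a few hundred
    bytes, so ordinary time sync stays below both thresholds."""
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
        agg[key]["sources"].add(f.src_ip)
        agg[key]["bytes"] += f.nbytes
        agg[key]["packets"] += f.packets
    alerts = []
    for (victim, vector), s in sorted(agg.items()):
        if len(s["sources"]) >= min_sources and s["bytes"] >= min_bytes:
            alerts.append({"victim": victim, "vector": vector,
                           "reflectors": len(s["sources"]),
                           "bytes": s["bytes"], "packets": s["packets"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{alert['vector']} reflection against {alert['victim']}: "
              f"{alert['reflectors']} reflectors, {alert['bytes']} bytes")
```

On the sample input this reports two alerts for 198.51.100.5 (NTP from 3 reflectors, SSDP from 4) and nothing for the benign flows. In a real deployment the thresholds would be tuned per vector (CHARGEN has almost no legitimate use, so its floor can be far lower than NTP's) and per time window, and the aggregate should be compared against the link capacity, since the point of a reflection vector is volume rather than any single source.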

It is predicted that these types of extortion activities will not go away any time soon; on the contrary, they are expected to grow and target new, previously unexploited industries. As online transactions contribute ever larger percentages of annual revenues, the risk associated with website downtime expands accordingly. It’s not uncommon for the business cost of a successful DDoS attack to reach into the millions, and criminals will continue to exploit underinvestment in IT security and limited data centre resources in order to make a quick euro, pound, dollar or other denomination. Although they’ll probably have to convert it from bitcoin first.

Alistair Tooth, Director of Product Marketing (Cloud Security), EMEA, Akamai Technologies
