The threat of extortion

06/08/2008 11:46:27

You probably have multi-level firewalls in place. And, you've invested in state-of-the-art monitored intrusion prevention systems. You are even enforcing strong passwords for all the staff in your company. Your privacy data, such as credit card numbers, is only in encrypted databases, too. You are following industry best practices and wish good luck to any hacker trying to penetrate your defences to steal data. Why wouldn't you feel confident you're as well protected as possible?

Unfortunately, that confidence is misguided. If you're involved in any kind of electronic commerce, you may soon be facing a new challenge. And this time, it won't just hit the big companies. To make matters worse, all the above countermeasures will effectively be useless. Following is the anatomy of a "denial-of-business attack" on a typical e-commerce Web site:

When it begins, it will start slowly. At first, it will actually look like your site is picking up business. Order numbers will be up significantly and your manager will smile, already planning to spend his bonus on a holiday in the tropics.

However, on day two of the attack you will start getting the odd complaint from your call centre that customers are receiving goods they didn't order. The warehouse manager may also complain about several items being returned to sender with an incorrect address. You're likely to suspect data corruption or maybe operator errors, so an investigation will be your next logical step.

At this stage, it is mostly a nuisance causing a few people to stay late to sort things out. You don't know what you're facing, so you're still confident you can fix the problems. Internal staff and your software supplier will frantically try to figure out what is going wrong. Unfortunately, all tests will show the systems working flawlessly.

Day three is progressively worse. In the morning the call centre will be flooded with irate callers. You also start getting complaints that people who are not even customers have had their credit card charged for items that were never ordered from your company. You may also get a call from your credit card processor alerting you to an unusual number of failed card authorisations.

Full-scale emergency

You will now know that you have a full-scale emergency. If you don't, the view of the CFO and most of the operations staff standing with lit torches and raised pitchforks in the middle of the ICT department will probably give it away.

It is highly likely that you will push for the only sensible choice: shutting down the site until you can figure out what is going on. Your company has now suffered a full-scale and successful denial-of-business attack.

Why would anyone do this? Killing a small business by placing orders that send random goods to random people using random credit cards does not make any sense. Your final clue of what has occurred will arrive in the form of a letter. If a sum of money is sent via Western Union to a person in a disreputable African nation, all your troubles will go away. Of course, you will ask if this can be avoided.

Can you fix the problem? Unfortunately, the majority of organisations would be unable to do much (if anything) about what has already occurred. The simple reason is that they lack the data. They do not keep sufficient IP source data to be able to separate a good order from a bad one, certainly not after it has been placed.

Since all orders will be intermingled, backups would be useless. The only hope you will have is to manually sort out the mess and then put in a targeted defence. That is likely to take time. Before you can do that, you will need to understand how the attack can be isolated and prevented - and for that you once again may not have the data.

Assume that business continuity prevails over moral misgivings and the extortion money is paid. (That capitulation encourages this criminal behaviour goes without saying.) On a personal level, the flow-on effect may be that your hard-earned end-of-year bonus ends up contributing to a mafia boss's new Mercedes or buying weapons for Taliban fighters in Afghanistan instead of funding that new flat screen TV you had your eye on.

Don't for a moment think that this type of attack is simply a technical challenge. Imagine what would happen to your company's reputation if news of an attack ended up on one of the mainstream current affairs shows. In extreme circumstances, it could spell the end of the business.

Here's the evidence:

1. Banks worldwide are becoming more security savvy and harder to defraud. Therefore, criminals will seek softer targets. It's already happened in the physical world. When banks became too difficult to rob, criminals turned to extorting protection money from smaller stores instead. It's reasonable to believe the physical world criminal business model will be applied to the world of electronic commerce.

2. Currently existing underground Web sites give an alarming insight into hacker specialisations. On these sites (structured much like eBay) you can purchase a batch of credit cards from one vendor, hire a bot-net from another, buy guaranteed undetectable Trojans and obtain a list of money mules hired through phishing. The list of available criminal tools goes on and on. Hackers are even given feedback ratings by their customers based on the quality of their work and can charge accordingly.

3. There is strong circumstantial evidence that at least one major international bank has paid extortion money to avoid a fraud attack. This evidence is based on the fact that the bank in question suffered a major attack at the same time as many of its peers. It then suddenly received relative peace over a long period of time. While there is no hard proof, the data is extremely unusual and compelling.

4. Chasing extortion money over borders is extremely complicated. Prosecutions are rare. In the hypothetical case presented earlier in this article, the amount demanded would most likely be modest - perhaps $50,000-$100,000. By the time police try to obtain arrest warrants in foreign countries the money has most likely already moved half-way around the world, changing hands in many cash transactions. Odds are that if you find the first person in the chain he or she will turn out to be another victim who simply replied to a phishing scam (e.g. offering a home job as a company money transfer representative or a similar money mule scheme common in money laundering).

5. Creating a batch of fake names and addresses to target an e-commerce site is as simple as scanning the phone book. Simply mix names and addresses up a bit and you'll create a nightmare for any logistics system.

6. Creating an effective scripted attack against a Web site is likely to take about an hour with the right tools and expertise.

7. Organised crime and terrorist cells possess the money, motivation and lack of scruples to attempt one of these attacks. They also have the money laundering networks already in place and long-standing experience in using them. The risk to a perpetrator behind one of these attacks would be relatively small.

Before long it is likely that criminals will combine available tools and services together to effectively orchestrate an attack scary enough to make a company decide to pay. Small companies may be the most attractive targets as they are more vulnerable and have less ability to defend themselves due to limited in-house expertise.

Protecting the business

On a practical level, what can you do to protect your business? There are already many strategies banks successfully apply that can pertain to the e-commerce domain as well. Checking incoming IP addresses against known compromised systems (such as the SpamHaus list) or denying the acceptance of orders from foreign country IP addresses are amongst the options.

Using out-of-band order confirmations (such as a one-time SMS password) is also a strong defence. However, the strongest defence lies in quickly reacting when a new threat pattern is identified and responding to that attack - preferably without the need for much programmer time. If a business can thwart the first couple of attacks, chances are that the fraudsters will move on to an easier target.

The best strategic approach is to separate business functionality from security aspects. Do not expect the application itself to deal with new threats. Instead, wrap it in a security layer that can address emerging risks. This is similar to existing solution architectural patterns, where presentation is separated from business logic.

For example, a single specialised security layer (e.g. in the form of an inline filter) can handle the problem. This way, newly identified threats can be quickly eliminated and an application-wide response implemented - without touching a large number of code points.
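As an added illustration (not code from the original article), the following Python sketch shows what such an inline filter layer can look like when it sits in front of the order handler rather than inside it. It implements the checks the article names: a blocklist of known compromised sources, rejection or holding of orders from foreign-country IP addresses, and a "confirm" outcome for orders that should wait for an out-of-band confirmation such as a one-time SMS code. It also keeps the source IP with every order, which is exactly the data the article says most organisations lack when they try to separate good orders from bad ones afterwards; the triage method shows that separation. The per-IP velocity rule, the thresholds, the country codes, the RFC 5737 documentation IP ranges and the orders themselves are all constructed for the example.

```python
# Added example: an inline order-screening layer of the kind the article recommends,
# placed in front of the shop's business logic rather than inside it.
# Not code from the original article; rules, thresholds, IP ranges and orders are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

BLOCKLIST_REASON = "source IP on compromised-host list"


@dataclass
class Order:
    order_id: str
    source_ip: str     # retained with every order: the data most sites lack after the fact
    country: str       # assumed to come from a GeoIP lookup upstream; supplied directly here
    timestamp: int     # seconds since some epoch (constructed)


@dataclass
class Verdict:
    order_id: str
    action: str        # "accept", "confirm" (hold for out-of-band confirmation) or "reject"
    reasons: list = field(default_factory=list)


class OrderFilter:
    """Screening rules live here; the business code only sees orders that pass."""

    def __init__(self, blocklist, home_countries, max_per_ip_per_hour=5):
        self.blocked = [ipaddress.ip_network(n) for n in blocklist]
        self.home = set(home_countries)
        self.limit = max_per_ip_per_hour          # velocity threshold (assumed value)
        self.recent = defaultdict(list)           # source IP -> timestamps of recent orders
        self.log = []                             # (order, verdict) for every order screened

    def screen(self, order):
        reasons = []
        ip = ipaddress.ip_address(order.source_ip)
        if any(ip in net for net in self.blocked):
            reasons.append(BLOCKLIST_REASON)
        if order.country not in self.home:
            reasons.append(f"order placed from foreign country {order.country}")
        # Sliding one-hour window of orders from this source IP (scripted attacks are fast).
        window = [t for t in self.recent[order.source_ip] if order.timestamp - t < 3600]
        window.append(order.timestamp)
        self.recent[order.source_ip] = window
        if len(window) > self.limit:
            reasons.append(f"{len(window)} orders from one IP within an hour")
        # Policy: a blocklisted source, or two independent signals, is rejected outright;
        # a single signal holds the order for out-of-band confirmation (e.g. one-time SMS code).
        if BLOCKLIST_REASON in reasons or len(reasons) >= 2:
            action = "reject"
        elif reasons:
            action = "confirm"
        else:
            action = "accept"
        verdict = Verdict(order.order_id, action, reasons)
        self.log.append((order, verdict))
        return verdict

    def triage(self, suspect_networks):
        """After an attack: split already-logged orders by source network.
        Only possible because source_ip was kept with every order."""
        nets = [ipaddress.ip_network(n) for n in suspect_networks]
        suspect, clean = [], []
        for order, _ in self.log:
            ip = ipaddress.ip_address(order.source_ip)
            (suspect if any(ip in n for n in nets) else clean).append(order.order_id)
        return suspect, clean


def demo():
    """Constructed orders; RFC 5737 documentation ranges stand in for real addresses."""
    f = OrderFilter(blocklist=["203.0.113.0/24"], home_countries={"AU"})
    orders = [
        Order("A1", "198.51.100.7", "AU", 0),      # ordinary domestic order
        Order("A2", "203.0.113.9", "AU", 10),      # source on the compromised-host list
        Order("A3", "192.0.2.5", "NG", 20),        # foreign source only: hold for confirmation
    ] + [Order(f"B{i}", "192.0.2.8", "AU", 100 + i) for i in range(6)]  # burst from one IP
    verdicts = {o.order_id: f.screen(o) for o in orders}
    suspect, clean = f.triage(["192.0.2.0/24", "203.0.113.0/24"])
    return verdicts, suspect, clean


if __name__ == "__main__":
    v, s, c = demo()
    for oid, verdict in v.items():
        print(oid, verdict.action, verdict.reasons)
    print("suspect:", s, "clean:", c)
```

The point of the structure is that a newly identified pattern becomes one more rule in `screen`, or one more network handed to `triage`, without touching the order-processing code; the retained `source_ip` is what makes the after-the-fact separation possible at all.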
