Online service foils ransom plot

Extortionists attack business through DoS 

It has become common practice for extortionists to target net firms and threaten to cripple their websites with deluges of data unless they pay a ransom. Not all the e-criminals are able to follow through on their threats, but when the Nochex site went down at 8pm it was time to sit up and take notice.

"We get quite a few, maybe once a month so we don't always take it too seriously," he said.

In this instance, though, Mr Malik did contact his service provider, Pipex. "They told us we were being flooded by a zombie attack," he said.

So-called Distributed Denial-of-Service (DDoS) attacks overwhelm servers with bogus requests until they are forced offline. Computers are recruited from all over the world, without their owners' knowledge, to take part in the attack, each sending only a small part of the entire data flood.

The recruiting of machines to take part in attacks is typically done by infecting them with a virus or worm. The net addresses of compromised machines - dubbed zombies or bots - are sent back to the criminal, who uses them to launch a DDoS.

The news that Nochex had fallen victim to a DDoS attack forced Mr Malik to open communications with the hijacker, and he offered to wire the money first thing in the morning.

Let battle commence

"I wasn't actually going to pay them but it bought us time to come up with a solution," he said, adding "Who is to say the hijackers wouldn't have come back next month and the month after?"

Other firms however have paid off the blackmailers, seeing it as preferable to have downtime on their site.

Such attacks have typically targeted online gambling and gaming firms, seen as soft targets because of how much they depend on their sites to generate income. In the run-up to last year's Cheltenham Gold Cup, a highlight in the racing calendar, these sites were targeted.

"A whole raft of them were threatened and they made payment because it was a drop in the ocean compared to what they would lose if the site was down," said Maria Cappella, general manager of sales and marketing for Pipex.

But for Mr Malik paying up was not an option. Instead it was a chance to see whether technology could do battle with the e-criminals and beat them at their own game.

In this particular case the criminals in question were part of a Russian gang, already well known to the UK police but not yet within the grasp of the authorities.

"Do what you have to do," Mr Malik was advised by his contact at New Scotland Yard.

The solution, in this case, was a network product developed by Cisco. Called Cisco Guard, it was created specifically to fight DDoS attacks by separating legitimate traffic from traffic intended to attack servers.

Once it was installed, Mr Malik's attitude was one of "bring it on", confident that the new armour put around the network would hold. The attacks did come, and have continued to come ever since, but so far the system has stayed online.

DDoS attacks have become a big problem for businesses in the last 12 months.

At one point in the autumn of last year Pipex was seeing as many as three to five attacks each day, although that rate has since fallen. Most of Pipex's high-risk clients, categorised as gaming, gambling and payment gateway sites, have had the Cisco equipment installed, and the patterns of attacks are becoming familiar to the backbone engineers.

"We have become veterans at it. Our guys have been doing it for 15 months and we have become quite battle-scarred along the way," said Ms Cappella. Recognising customers' traffic profiles and spotting anomalies are key to foiling attacks although everyone is aware that the criminals will always be looking at new ways to break through the guards.
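The profiling-and-anomaly approach Ms Cappella describes can be sketched in a few dozen lines. The Python below is an added illustration written for this page; it is not code from Nochex, Pipex or Cisco, and it does not reproduce how Cisco Guard works. It runs over a constructed request log for one hypothetical customer site: five minutes of ordinary traffic from a handful of repeat visitors establish a profile (requests per minute and distinct sources per minute), then a sixth minute adds a simulated flood of 250 "zombie" sources each sending two requests, the many-sources-each-contributing-little pattern the article describes. The detector flags the minute whose rate and source count exceed the profile, labels it distributed because no single source dominates, and finally shows the simplest possible sorting of legitimate from attack traffic: requests from sources already seen in the baseline pass, the rest are held as suspect. All addresses are documentation ranges and the thresholds are assumptions chosen for the example.

```python
"""Traffic-profile baseline and DDoS anomaly detector (added illustration).

Not Nochex, Pipex or Cisco code. Models two observations from the article:
a flood pushes the request rate far above a customer's normal profile, and
it arrives from many 'zombie' sources that each contribute only a little.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Constructed sample log: (minute, source_ip) per request ---------------
# Minutes 0-5 carry ordinary traffic from eight repeat visitors (203.0.113.0/24
# is a documentation range); minute 5 additionally carries a simulated flood
# from 250 distinct sources in 198.51.100.0/24, two requests each.
NORMAL_SOURCES = ["203.0.113.%d" % i for i in range(1, 9)]
SAMPLE = []
for _minute in range(6):
    for _i, _src in enumerate(NORMAL_SOURCES):
        # each regular visitor sends 2-4 requests a minute
        SAMPLE += [(_minute, _src)] * (2 + (_i + _minute) % 3)
SAMPLE += [(5, "198.51.100.%d" % (i + 1)) for i in range(250)] * 2

TRAINING_MINUTES = range(5)  # minutes used to learn the normal profile


def per_minute(records):
    """Return {minute: (request_count, distinct_sources, top_source_share)}."""
    by_minute = defaultdict(Counter)
    for minute, src in records:
        by_minute[minute][src] += 1
    stats = {}
    for minute, counter in sorted(by_minute.items()):
        total = sum(counter.values())
        top_share = counter.most_common(1)[0][1] / total
        stats[minute] = (total, len(counter), top_share)
    return stats


def build_profile(stats, training_minutes):
    """Learn mean and standard deviation of rate and source count."""
    counts = [stats[m][0] for m in training_minutes]
    sources = [stats[m][1] for m in training_minutes]
    return {"rate_mean": mean(counts), "rate_sd": pstdev(counts),
            "src_mean": mean(sources), "src_sd": pstdev(sources)}


def detect(stats, profile, k=3.0):
    """Flag minutes whose request rate exceeds mean + k*sd (sd floored at 1).

    A flagged minute is 'distributed flood' when the source count is also
    anomalous and no single source sends 5% or more of the requests
    (assumed thresholds); otherwise 'single-source flood'.
    """
    rate_thr = profile["rate_mean"] + k * max(profile["rate_sd"], 1.0)
    src_thr = profile["src_mean"] + k * max(profile["src_sd"], 1.0)
    alerts = []
    for minute, (total, nsrc, top_share) in stats.items():
        if total > rate_thr:
            distributed = nsrc > src_thr and top_share < 0.05
            kind = "distributed flood" if distributed else "single-source flood"
            alerts.append((minute, total, nsrc, kind))
    return alerts


def known_sources(records, training_minutes):
    """Sources observed during the baseline period."""
    return {src for minute, src in records if minute in training_minutes}


def split_by_profile(records, minute, known):
    """Crude scrubbing: count requests in `minute` from known vs unknown sources."""
    allowed = suspect = 0
    for m, src in records:
        if m != minute:
            continue
        if src in known:
            allowed += 1
        else:
            suspect += 1
    return allowed, suspect


if __name__ == "__main__":
    stats = per_minute(SAMPLE)
    profile = build_profile(stats, TRAINING_MINUTES)
    for minute, total, nsrc, kind in detect(stats, profile):
        allowed, suspect = split_by_profile(
            SAMPLE, minute, known_sources(SAMPLE, TRAINING_MINUTES))
        print("minute %d: %d requests from %d sources -> %s; "
              "%d passed, %d held" % (minute, total, nsrc, kind, allowed, suspect))
```

The known-source split is deliberately naive: a real scrubbing device must also cope with spoofed addresses, genuine new customers arriving during an attack, and attackers who pace each zombie below any per-source limit, which is why operators lean on learned traffic profiles rather than fixed rules.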

According to Mr Regan, such attacks are getting more sustained - lasting for days or even weeks - and more and more zombie machines are being recruited into the hijackers' armies.

According to the Honeynet Project, a research group that studies attackers' tools and tactics by running decoy systems, there are over one million zombie computers. Britain has the largest zombie PC population of anywhere in the world.

Mr Malik believes that, as denial of service attacks get stronger and more prevalent, all internet service providers will have to come up with permanent network-based solutions.

It has not been a cheap option for Nochex. In fact, with an initial cost of £20,000 and a further £3,000 a month, it would have been cheaper to pay off the hijackers.

But, as Mr Malik says, "who is to say the hijackers wouldn't have come back next month and the month after?"

More information

THE NATURE OF DENIAL-OF-SERVICE ATTACKS

  • Average cost of a compromised mission-critical service: $100,000 an hour
  • Britain has largest zombie PC population in the world
  • Over 1m connected computers are zombies
  • 30,000+ internet connected zombie networks in 2004
  • Estimated 25% of all infected PCs are under control of hackers
  • Broadband responsible for 93% increase in infected PCs in 2004
  • 11% of small to medium sized businesses suffered DDoS attacks in the last 12 months

    Continuity Forum Comment

    These actions identify a number of key issues over the increasing use of new technology to commit 'old' crimes. These ransom approaches are little more than a reinvention of the protection rackets of old Chicago and London’s East End, and are based on the harm that will befall anyone who doesn’t pay up.

    A lack of legislation and international co-operation often leaves the culprits of these scams free to continue their activities without fear, as the criminal gangs responsible are careful to distance their activities through the use of cells, similar to terrorists. This makes it difficult for under-resourced law enforcement agencies to identify the ringleaders without extensive and detailed detective work. Even when the police work is successful, jurisdiction issues often make successful prosecution very difficult due to the inconsistencies and differences between countries' legal systems.

    As larger organisations have tightened their defences, the gangs have moved to lower profile targets in the SME sector where experience, resources and skills to defeat the threatened action often just are not available.

    In the opinion of the Forum, far more connected activity needs to be done to inform organisations of the risks and the preventative measures they can take, and in particular ISPs, software companies and others need to be far more focused upon a collaborative approach to the issues. No single provider or company has all the answers, but the risks from this type of crime are low and the rewards potentially very lucrative, with the gangs able to work virtually unfettered.

    Until measures are aligned and in place, organisations of all sorts are at risk from these groups and government, regulators and others are doing little about it.

    However, the final irony is that if these offences had been committed in the real world rather than cyberspace, both the penalties and the resources available would be very much higher, so it is perhaps a just reflection of the changing times and another instance of the need for law enforcement to catch up with the skills of the criminals. Time will tell!

    Ends

    _________________________________

    If you have any comments on this article or would like to find out more about the work of the Continuity Forum please contact Sara McKenna or Russell at the Continuity Forum directly on 020 8993 1599 or info@continuityforum.org