Criminal extortion is new motivation behind the threat of online attacks When the first extortion e-mail popped into Michael Alculumbre’s inbox, he had no idea it was about to cost his business nearly $500,000.The note arrived in early November of last year, as Alculumbre’s London-based transaction processing company, Protx was being hit by a nasty distributed denial of service (DDoS) attack. Zombie PCs from around the world were flooding Protx.com (the company’s Web site) and the transaction processing server that was the commercial heart of the business.In extortion e-mail’s broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. “You should pay $10,000,” Martino wrote. “When we receive money, we stop attack immediately.” The e-mail even promised one year’s protection from other attackers for the $10,000 fee. “Many companies paid us, and use our protection right now,” Martino said. “Think about how much money you lose, while your servers are down.”The Protx attackers had one thing right: online attacks can be expensive. A 2004 PriceWaterhouseCoopers survey of more than 1,000 businesses in the U.K. found that, on average, companies spent more than $17,000 on their worst security incident that year. For large companies, that amount was closer to $210,000, the study found. For companies of either size, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.It’s expensive Law enforcement authorities told Protx that it was the victim of Russian organized crime, Alculumbre says, but criminal extortion is not the only motivation for such attacks. In April, Australian anti-spyware vendor PC Tools became a target of spyware companies that didn’t want users interested in PC Tools’ spyware-cleansing software to reach the actual PC Tools Web site.Simon Clausen, CEO of PC Tools.Customers whose PCs had already been infected by spyware were greeted with fake pop-up windows and shopping carts when they tried to purchase the company’s Spyware Doctor product, says Simon Clausen, PC Tools’ CEO. Instead of buying his company’s anti-spyware software, they were tricked into purchasing useless products that left their computers infected, he said.Even links that appeared to be from legitimate Web sites like Google or Download.com were modified on fake pages displayed to users, Clausen said. “Any link that said Spyware Doctor would be redirected to the attackers’ sites.” Clausen estimates that as much as 15 percent of his company’s business was lost, representing hundreds of thousands of dollars in missed sales. But the real cost was in lost productivity for his software development team, which was forced to spend hundreds of hours changing PC Tools’ products and Web site in an effort to stay one step ahead of the attackers, he said. “We probably had a dozen people involved pretty heavily in it for about a month or two.”By the time PC Tools developed a way of handling the attack, the company had taken major hits in employee time and in lost business opportunities because of product delays, he said.Online cat and mouse By scrambling its IT staff and prohibiting traffic from zombie servers (at one point, Protx.com simply blocked all traffic originating from the Western United States) that company managed to survive the first wave of the attack against it.But the 13-person company’s biggest cost involved preparing for the next assaults, consisting of thousands of server requests, which came in January and April of 2005.The April attack, which lasted for more than five days, was the most severe, as Protx and the attackers engaged in a kind of online cat and mouse: Just as Alculumbre’s technicians found one way to block the flood of unwanted server messages, the attackers would switch to another tack. At one point, the cybercrooks used a new exploit of Microsoft’s Microsoft Internet Information Services server that caused the Protx Web site to crash whenever certain types of secure messages got through. Protx responded by installing an SSL accelerator and analyzing the messages before letting them through. On the final day of the April assault, the attackers hit Protx with everything they had. At the peak of the assault, the company’s servers were processing 800 megabits of traffic per second, the equivalent of more than 530 T1 lines firing at full capacity.Protx’s administrators spent some long, tense hours over that weekend, scrambling with technicians from the company’s Internet service provider to keep the company’s Web and transaction processing server online. “It’s like being in a war,” said Alculumbre. “My three guys were working with three other technicians in extremely tight hosting facilities, trying to put all this bloody machinery in and wire it up… it looked like Spaghetti Junction. How they ever knew what they were doing was beyond me.”Expanding Horizons Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites. But transaction processors like Protx are now choice prey for extortionists, according to Peter Rendall, CEO of Top Layer Networks, a security vendor based in Westboro, Massachusetts. “If you bring down your payment processor, you can bring down hundreds of [online] processors,” he said. ” Transaction processors like Protx will do everything in their power not to be offline; therefore, they are investing heavily in security and bandwidth.”Proportionately, online security costs are greater for smaller companies than for larger ones. According to the 2005 Computer Crime and Security Survey conducted by the Computer Security Institute and the Federal Bureau of Investigation, companies with sales of less than $10 million per year spent $643 per employee on computer security each year. For the largest companies — those with more than $1 billion in annual revenue — the amount spent on security dropped to $247 per employee.The survey found that companies in the utilities business spent the most on computer security — on average, $190 per employee per year. Next highest on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively. But for companies under targeted attack, the costs are decidedly higher. Protx, for example, ended up spending a whopping $38,000 per employee on security over the past year.Protx’s Alculumbre says he had thought that his company was too small to draw the attention of organized crime, but the events of the last year have taught him otherwise. “It’s very alarming for us that an unknown assailant can do so much to a business that I’ve spent so many years trying to build,” he said.Though the first days of the assaults were stressful, Alculumbre that says he’s grown more accustomed to the high costs involved. “If you’re going to be in business, then you have to accept that DDoS attacks are a part of this,” he says. SecurityMalwareCareers