Firms would rather ‘pay criminals’ than fight DDoS attacks


Many firms are paying online gangs protection money rather than putting in place systems to fight off DoS attacks, according to an IBM security researcher.

Speaking at the Virus Bulletin 2005 conference in Dublin, Ireland, Martin Overton of IBM Global Services said organizations, often online gambling websites, fail to report attacks to the police. This happens even though law enforcement agencies have put in place extensive procedures to guard victim's anonymity.

"Criminals are putting the price of extortion below the price of preventing attacks. It's cheaper to pay up even when this encourages them (criminals) even more," said Overton. "More often than not they (websites) pay up."

He said the gangsters priced the extortion below the cost of the clean-up operation to make sure the sites paid up rather than fix the problem.

A third of businesses have been victims of a DDoS attack, according to research by analysts Forrester. More than 40 percent of them have suffered losses of £54,000 from such attacks. Paying up a demand from a cybercriminal only serves to make the criminal make repeated demands for cash.

Most of these attacks use botnets, and Overton said the number of botnets was increasing as the malware used to create them becomes more sophisticated and widespread. The most widely used malware was SDBot, which had over 12,800 variants, a figure that has doubled over the last six months, Overton said.  Part of the reason for this increase is the ready availability of SDBot's source code which has become a favorite among spammers and other criminals.

Overton urged companies to tighten security policies and procedures to overcome the threat from botnets.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.