Your Ad Here

Tuesday, November 11, 2008

Cyber-Extortion: A Review

Cyber-Extortion is the use of computers and communication systems to obtain or attempt to obtain unauthorized access to money or financial gain by threat. Cyber Extortion is so common in the information security arena that it doesn't raise the same attention as in the past.

There are various forms of cyber-extortion, but in general if the hacker’s demand is not met, than an adverse event will occur to the victim or company.

Just recently, Express Script became a victim of a cyber-extortion attack from an incident that occurred in early October of 2009. Express Script received a letter claiming that the company's network had been breached and threatening to release millions of customer records unless the firm paid money to the thieves. The letter listed personal information on 75 of Express Script's members, including their names, dates of birth, social security numbers, and in some cases, their prescription information, the company stated. Express Scripts added that it had reported the crime to the FBI, which is currently investigating.

Often companies will just pay the cyber-extortionist in hopes of having the matter go away without public knowledge. This is due to being penalized by federal regulators, having to notify customers of the matter, the process of conducting damage control, the cost in resolving the matter and losing customer confidence in that industry.

Below are some major cyber extortion events that has occurred world-wide. These were obtained from www.acapsecurity.com:



Barclays Bank, a major international bank, was broken into by a cyber-criminal whose attack focused on the bank's Barclaycard division, which with 8 million cardholders is Europe's largest credit card system. Allegedly the attack included the theft of credit card numbers and valuable customer information, with law enforcement reporting the cyber-criminal did make a $25 million extortion demand on Barclays Bank. The matter is before the courts in London.
Guardian, Oct 19, 2001. Underline added.

A cyber-thief from Kazakhstan broke into the computer networks of the Bloomberg financial news service owned by Michael Bloomberg the current Mayor of New York City. Thereafter the thief became a Cyber-Extortionist by demanding an extortion payment.
U.S. Attorney's Office Press Release, Aug 14, 2000. Underline added.

A cyber-thief broke into the computer networks of Parametric Technology Corporation and thereafter made an extortion demand for $1 million plus $40,000 per month.
St. Petersburg Times, Aug 24, 2000. Underline added.

The Secret Service and the FBI reported that a cyber-criminal had broken into the computer system of Online Resources, a company that offers online banking, electronic payments and other financial services to 525 financial institutions in the U.S. The cyber-thief as part of the attack stole customer records that included names, addresses and bank account numbers. The theft was followed by an extortion demand on at least one bank.
InfoSec News, Feb 8, 2002. Underline added.

On August 21, 2001 a cyber-thief broke into a unit of Ecount, an electronic payment company and allegedly stole 350,000 credit card numbers and thereafter made an extortion demand on the company.
ZDNet News, Oct 11, 2001. Underline added.

Two Russian cyber-criminals broke into hundreds of computer systems, stole sensitive client and financial information and then made extortion demands on the victimized companies.
InfoSec News, Oct 18, 2001. Underline added.

Cyber-criminals broke into the British division of Visa, the major credit card company, and stole data. Visa claims the stolen data was useless information. Obviously the cyber-criminals believed the data was valuable as they made an extortion demand on Visa for approximately $14 million U.S.
InfoSec News, Jan 20, 2000. Underline added.

A cyber-criminal made an extortion demand on CD Universe, an Internet music retailer, claiming he had stolen as many as 300,000 credit card numbers. The alleged cyber-extortionist was suspected of operating from a base in Eastern Europe. On Christmas day the cyber-criminal began posting more that 25,000 of the allegedly stolen card numbers on a web site. Thousands of customers who had shopped at CD Universe cancelled their credit cards.
Mercury News, Jan 26, 2000. Underline added.

A cyber-criminal from Russia broke into one of the New York bank's computer systems stole confidential customer information and extorted money for not releasing the customer information.
Associated Press, Jan 24, 2002. Underline added.

No comments: