
Experts warn the UK's critical national infrastructure is a target
By Dan Ilett
Published: 11 October 2004 07:35 BST
Despite the number of companies involved, victims are too embarrassed to report the crime, claims a UK security expert.
Alan Paller, director of research for security organisation SANS, said online extortion was rife and that cybercrime was set to get worse.
"Six or seven thousand organisations are paying online extortion demands," said Paller on Friday at the SANS Institute's Top 20 Vulnerabilities conference. "The epidemic of cybercrime is growing. You don't hear much about it because it's extortion and people feel embarrassed to talk about it."
"Every online gambling site is paying extortion," Paller claimed. "Hackers use DDoS [denial-of-service] attacks using botnets to do it. Then they say 'pay us $40,000 or we'll do it again'."
Paller added he was concerned that the same techniques used for extortion - i.e. DDoS attacks - could easily be used to target organisations in the critical national infrastructure (CNI).
The director of the National Infrastructure Security Co-ordination Centre (NISCC), Roger Cumming, shared Paller's concern.
"There's an enormous amount of extortion," said Cumming. "We are concerned that the technologies of extracting money could be used to endanger the CNI. One of the things we are talking about is how to mitigate that threat."
Paller called for vendors to raise their game - he said that security vulnerabilities were their responsibility to fix and that their products should comply with the SANS top 20 vulnerabilities.
"Applications breaking after patching is the operating system vendor's fault," he said. "They tell developers to build applications on unprotected systems. But the other half of the game is that application vendors should have to test their products on safer systems – you do that with procurement."
A spokesman for at least one prominent UK gambling site said that he would rather not comment on the whole issue.
Dan Ilett writes for ZDNet UK