Authorize.Net Battles Extortion Attempts
By Wayne Rash | Posted 2004-09-29
The credit card processing company puts its multipronged security defense to work as a flood of ransom demands and DDoS attacks prompts FBI involvement.
Corey Mandell knew things weren't good when he got the ransom letter. Mandell had experienced such things before, and he knew that Authorize.Net, a Bellevue, Wash., credit card processing company, would be in for a tough time. What he didn't realize until later is that it would be much worse than he had anticipated.
The DDoS (distributed denial of service) attacks began Sept. 15, and they continue to this day. "We received an extortion letter demanding a large sum of money," said Mandell, who is vice president of development and operations at Authorize.Net. "We were able to handle the attack" at first, he said, explaining that the company had tailored its response based on past attacks against it and others in the same business. But things got worse in a hurry.
"The second and third attacks were bigger than anything we'd ever seen," Mandell said. He said it was clear that the attackers were using a bot network because of the wide number of IP addresses that they used.
"We installed a variety of appliances," he said, noting that because the new appliances use a mix of deterministic and heuristic methods, the multipronged defense would work. It did. In short order, while the attacks continued, his customers were reaching him without a problem.
Mandell said that when he chose the products to protect his enterprise, he didn't limit himself to just preventing SYN floods or even just DDoS attacks. He chose products that would protect against a wide variety of methods. While he declined to say what appliances and other products the company actually bought, he did say that the solution is capable of handling a much bigger business than his is now.
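The two signals the preceding paragraphs describe, a SYN rate well above what the service normally sees (a deterministic check) and SYNs arriving from a far wider spread of source addresses than usual with almost none completing the handshake (the heuristic that marks a botnet rather than a single attacker), can be combined into one classifier. The following is an added example written for this page; it is not Authorize.Net's tooling or any vendor's appliance logic. The record format, the thresholds (200 SYN/s, a 25-source baseline, a 10x spread factor, a 50 percent completion floor) and the traffic it analyzes are all constructed assumptions, chosen so the script runs offline.

```python
# Added example, not code from Authorize.Net or the vendors it used.
# Classifies one window of inbound TCP connection attempts with two checks:
#   deterministic: SYN rate to the protected service above a fixed ceiling
#   heuristic:     the SYNs come from far more distinct sources than the
#                  baseline, and almost none of them finish the handshake,
#                  which is what a botnet-driven flood looks like
from __future__ import annotations
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Record:
    """One connection attempt. `completed` is assumed to come from a flow
    monitor that tracked SYN -> SYN/ACK -> ACK (assumption for the demo)."""
    second: int
    src: str
    completed: bool


@dataclass(frozen=True)
class Verdict:
    syn_rate: float
    distinct_sources: int
    completion_ratio: float
    syn_flood: bool      # deterministic rule fired
    distributed: bool    # heuristic says the flood is spread over many sources


def analyze_window(records: list[Record], window_seconds: int,
                   max_syn_rate: float = 200.0, baseline_sources: int = 25,
                   spread_factor: int = 10, min_completion: float = 0.5) -> Verdict:
    """Return a Verdict for one capture window. All thresholds are illustrative."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    syns = len(records)
    rate = syns / window_seconds
    distinct = len({r.src for r in records})
    completed = sum(1 for r in records if r.completed)
    completion = completed / syns if syns else 1.0
    flood = rate > max_syn_rate
    # Only call it distributed if it is a flood AND the source spread is far
    # beyond baseline AND the handshakes are mostly left half-open.
    distributed = (flood
                   and distinct >= baseline_sources * spread_factor
                   and completion < min_completion)
    return Verdict(rate, distinct, completion, flood, distributed)


def constructed_traffic(seed: int = 1) -> tuple[list[Record], list[Record]]:
    """Build two constructed 10-second windows: a quiet one and a botnet flood."""
    rng = random.Random(seed)
    # ~20 legitimate client addresses (made up), most of which complete.
    legit = [f"10.0.{i}.{rng.randrange(1, 255)}" for i in range(20)]
    normal = [Record(rng.randrange(10), rng.choice(legit), rng.random() < 0.97)
              for _ in range(300)]
    # 600 made-up bot addresses that never finish the handshake.
    bots = [f"{rng.randrange(1, 224)}.{rng.randrange(256)}."
            f"{rng.randrange(256)}.{rng.randrange(1, 255)}" for _ in range(600)]
    attack = normal + [Record(rng.randrange(10), rng.choice(bots), False)
                       for _ in range(8000)]
    return normal, attack


def single_source_flood() -> list[Record]:
    """Constructed flood from one address: high rate but not distributed."""
    return [Record(i % 10, "203.0.113.7", False) for i in range(5000)]


if __name__ == "__main__":
    normal, attack = constructed_traffic()
    for name, window in (("normal", normal), ("botnet", attack),
                         ("single-source", single_source_flood())):
        v = analyze_window(window, window_seconds=10)
        print(f"{name:14s} rate={v.syn_rate:7.1f}/s sources={v.distinct_sources:4d} "
              f"completion={v.completion_ratio:.2f} flood={v.syn_flood} "
              f"distributed={v.distributed}")
```

The single-source case is included to show why the heuristic is needed on top of the rate rule: a flood from one address trips the deterministic check but can be handled by blocking that address, whereas a flood spread over hundreds of sources cannot, which is the situation the article describes.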
While the attacks no longer pose a significant threat to the operations of Authorize.Net, that doesn't mean the problem has gone away. Instead, the most important phase is now under way: tracking down and arresting the people who are attacking it.
Mandell said one of the first things the company did was call the FBI's Cyber-Crime division in Utah and get them on the case. The FBI is actively involved in hunting down the bad guys. While that agency will not discuss an active investigation, Mandell said he has some indication that they're making progress. "There's a pattern here," he said, and that is leading the FBI to dig even deeper.
A pattern of extortion?
While his company seems to have gained the upper hand in today's cyber-crime battles, Mandell said he expects such incidents to continue. He's not alone. Peter Tippett, chief technology officer of TruSecure, soon to become Cybertrust, said extortion rackets are up 20-fold this year. "Bot nets are the first to use new exploits," he said, and in many cases they take the lead on developing attacks on those exploits.
Tippett said the problem with bot nets and the DDoS attacks they produce is made worse by the vulnerability of so many commercial sites. He said all but the largest e-commerce sites seem to be waiting to move ahead with products that can prevent or at least mitigate such attacks, opting to hold back until one is already under way.
"They follow the money," said David Kennedy, a senior risk analyst at TruSecure. He said the trend started with some gaming sites in the United Kingdom, where the bad guys were emboldened by the success they had there in collecting ransom money. He said he wasn't surprised to see the attacks move to the financial services industry in the United States.
Kennedy said much of the activity and control over the bot nets is centered in eastern Europe, although it would be an oversimplification to say all of the attackers are based there. But he noted that some of the worst activity is ultimately based in the United States. In one case he knows of, Kennedy said, a firm hired bot net controllers to attack rivals.
Unfortunately, there is no easy solution to stopping the extortions or the attacks that go with them. But Mandell suggested a few steps that he called vital, the most important of which is calling the FBI. He said the second most important step is for affected businesses to help each other deal with the attacks so they won't succeed. "We need to present a united front," he said.
Companies also should make sure that they have enough bandwidth so they can't be saturated by a DDoS attack, no matter how big, Mandell said. He warned that it's necessary to take such preventive steps, since when attacks do come, they could effectively put an unprepared company out of business.
Tippett suggested that companies that depend on e-commerce should have more than one pathway to the Internet, and there should be separate local loops to those pathways.
Tippett and Mandell both noted that while there is no single solution that works against all attacks, it's important to start using solutions that do work, even if they're not perfect. Tippett noted that by using two or three different technologies, a company can protect itself against nearly any attack of this sort.
But still, the attacks continue. Mandell said a new attack began against Authorize.Net Wednesday. "This one is different," he said, adding that since there has been no extortion letter with this latest round, it could have some other reason. He said he thinks all of the attention being paid to the first set of attacks against his company may have encouraged someone else.
He noted that the FBI is on the latest case as well. And meanwhile, two more companies, this time providers of credit card merchant accounts, are under attack. These companies, identified by Kennedy as Authorize-IT in Ohio and 2Checkout in Kentucky, may also have been the recipients of extortion attempts. No word from the FBI as to whether they're on the case there.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.