It's the 21st century's equivalent of a ransom note: Pay up or suffer a massive denial of service attack on your Web site powered by thousands of hijacked "zombie" computers.
"You have 2 choices," Card Services International was told via e-mail earlier this year. "You can ignore this email and try to keep your site up, which will cost you tens of thousands of dollars ... or you can send us $10K by Western Union to make sure your site experiences no problem. If you choose not to pay for our help, then you will probably not be in business much longer, as you will be under attack each weekend for the next 20 weeks."
It wasn't a bluff. The Kentucky-based credit card processing firm suffered about a week's worth of outages before blocking the attack, according to president Jay Broder. The firm didn't pay, and the FBI is investigating the incident.
Such incidents are becoming more common, some experts warn.
"It's an epidemic," said Alan Paller, of the SANS institute, a security training organization. "In the past, extortion was, 'If you don't pay, we will disclose credit card numbers or personal data of customers.' Now, it's 'if you don't pay, we won't allow you to continue to operate.' "
But there's hardly universal agreement on the size and scope of the problem. While there have been a string of reported payoffs by online gambling sites, there is no hard evidence that more general e-commerce sites have buckled under. Some experts are skeptical of widespread extortion claims, which often come from vendors who sell software solutions to denial of service attacks.
The arrests in Russia this summer of three alleged masterminds of an extortion ring targeting online bookies did reveal just how successful such an operation could be: authorities say the suspects had netted hundreds of thousands of dollars from October 2003 through early 2004 in extortion payments.
Online gambling operations rely on their Web pages for all their income, which is why several have paid off, said Mike Paquette, vice president of marketing and product management of Top Layer Networks, which sells denial of service protection tools. He said he's worked with more than 10 clients, all gambling sites, who have hired his company after making a payoff.
Financial sites targeted
In recent months, it appears attackers have trained their sights on larger, more mainstream Internet targets.
Payment processors, which lose money for every moment they are offline, became a target back in April, said Rich Miller, a spokesman for Netcraft Ltd., which studies Internet traffic patterns and denial of service attacks.
"By targeting payment gateways they affect a lot of sites at once. The clients get up in arms," Miller said.
In September, Authorize.net, which processes credit card payments, was knocked offline for part of two weeks, stranding thousands of electronic commerce sites. The attack was part of a deliberate extortion attempt, the company said.
"We received an e-mail delivered to a general business e-mail address," said Authorize.net spokesman David Schwartz. "The basic contents were an extortion threat, a request (that said) 'Pay us a significant amount of money, otherwise we'll attack your servers.' That's basically what happened. We had DoS attacks in the past, but nothing came close to this."
More recently, British-based WorldPay was shut down by a denial of service attack. The firm hasn't said whether the incident was tied to an extortion attempt.
A computer security worker at a major New York-based financial institution, who requested anonymity, said not only was his bank targeted recently, so were many other major banks, brokers and other financial service providers.
"Our response was 'Go to hell,'" the employee said, adding that while a denial of service attack was attempted, the attacks "usually give up after a little while." He pointed out that every attack exposes some of the compromised computers, known as 'bots,' so it's actually not in an attacker's interest to keep pounding away at a site that isn't paying.
Also, knocking a home page offline for a few hours isn't all that threatening to most banks, he said.
John Pescatore, an analyst at Gartner, agreed that large sites weren't that vulnerable. "There is a great deal of overhype going on," he said. "If you look at the protection the backbone providers have put in, I doubt there'd be the capability to keep a larger guy off the air for more than a few hours."
Legacy of MyDoom
One reason for the increased occurrence of extortion attempts: the incredible success of computer viruses like MyDoom, which have turned thousands of home and university computers into zombies. While the initial crisis from MyDoom died down soon after it was released in January, thousands of computers remain infected with it -- and virus writers continue to write variants and infect a new slate of PCs, said iDefense's Ken Dunham.
Dunham said he's investigated incidents where 120,000 infected computers were directed in a single attack, and he expects even larger armies in the coming months.
"The key here is they've got the tools, the techniques, and the capabilities," he said. "And during the next 6-18 months, the landscape of criminalization on the Net will change." With larger zombie armies, attackers will be able to target larger Web sites and Internet providers, he said.
Even Pescatore, a skeptic about the scale of the problem, concedes that possibility.
"It is an issue that the more bots they have, the harder it becomes. What if (an army of) 100,000 turns into 2 million?" he said.
While there are techniques to spot denial-of-service traffic and filter it out, they aren't foolproof. Internet services mostly rely on having bigger pipes into their service than an army of attacking computers can consume. But if the attack is large enough -- picture a sewer overflowing from an afternoon monsoon -- theoretically, even a large site could be toppled.
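The two defenses the paragraph above describes, filtering out traffic that looks like an attack and simply having more capacity than the attackers can fill, can be shown side by side on a small log sample. The following Python is an added illustration, not code from the article or from any of the firms it quotes: it parses constructed web-server access-log lines (the addresses, timestamps and request paths are made up), applies a per-source rate filter, and then checks whether the aggregate request rate still exceeds an assumed capacity figure. The thresholds (one request per second per source, ten requests per second of capacity) are arbitrary assumptions chosen to make the point visible: the per-source filter catches the single loud source, but the many quiet zombies each stay under the threshold, and together they still overflow the pipe.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (Common Log Format); not taken from the article.
# One loud source (203.0.113.7), forty quiet distributed sources (198.51.100.x)
# and one ordinary visitor (192.0.2.5), all within the same ten-second window.
def _make_sample_log():
    base = '{ip} - - [10/Oct/2004:13:55:{sec:02d} +0000] "GET /checkout HTTP/1.1" 200 512'
    lines = []
    # 25 requests from one source in ten seconds: an obvious single-source flood
    for i in range(25):
        lines.append(base.format(ip="203.0.113.7", sec=i % 10))
    # 40 distributed sources, 3 requests each: individually below any sane per-source limit
    for host in range(1, 41):
        for j in range(3):
            lines.append(base.format(ip=f"198.51.100.{host}", sec=(host + j) % 10))
    # one legitimate visitor
    lines.append(base.format(ip="192.0.2.5", sec=4))
    return lines

SAMPLE_LOG = _make_sample_log()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return (client_ip, timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts

def request_counts(lines):
    """Count requests per source and measure the window (seconds) the lines span."""
    counts = Counter()
    first = last = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash on them
        ip, ts = parsed
        counts[ip] += 1
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    window = (last - first).total_seconds() + 1 if first is not None else 0
    return counts, window

def flag_sources(counts, window, max_rps):
    """Per-source rate filter: sources whose average rate exceeds max_rps."""
    return sorted(ip for ip, n in counts.items() if n / window > max_rps)

def aggregate_exceeds_capacity(counts, window, capacity_rps):
    """Capacity check: does the total request rate exceed what the service can absorb?"""
    return sum(counts.values()) / window > capacity_rps

def analyze(lines, max_rps, capacity_rps):
    """Run the per-source filter, then re-check capacity on what the filter lets through."""
    counts, window = request_counts(lines)
    flagged = flag_sources(counts, window, max_rps)
    remaining = Counter({ip: n for ip, n in counts.items() if ip not in flagged})
    return {
        "window_seconds": window,
        "flagged": flagged,
        "overloaded_before_filter": aggregate_exceeds_capacity(counts, window, capacity_rps),
        "overloaded_after_filter": aggregate_exceeds_capacity(remaining, window, capacity_rps),
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, max_rps=1.0, capacity_rps=10.0))
```

With the assumed thresholds the filter flags only 203.0.113.7; the forty distributed sources at three requests each look individually harmless, yet the site is over its assumed capacity both before and after the filter runs. That is the gap the paragraph describes: per-source filtering helps against a few loud attackers, but against a large enough zombie army the only thing that holds is the size of the pipe.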
In fact, that's already happened. In June, a denial of service attack knocked Web infrastructure firm Akamai Technologies offline. Akamai provides backup support to Yahoo, Google, Microsoft and Apple and the incident left Web sites at each of those companies unavailable. The Internet equivalent of temporarily disrupting a major television network's broadcasting capability, the attack demonstrated how far attackers had come in their skills.
Could get worse
"It's an arms race," said Top Layer's Paquette. He said he's already seen individual attacks exceeding a gigabit per second -- the equivalent of 1,000 computers pulling a megabit of data per second from a Web site. "What if it were a million computers, a terabit per second? A lot of things could be rendered unavailable."
There are even discussions of denial-of-service networks for hire. Hackers who "own" large networks of compromised computers rent out time on them, according to some experts. It costs only $150 to take down a small Web site for a day, says iDefense's Dunham.
In congressional testimony during September, Bill Hancock, an executive at Savvis Communications Corp., painted a pessimistic picture. His company had been attacked by an army of 5,000 hijacked computers, also called zombies or bots.
"You can take 10,000 to 20,000 zombies, literally have them turn on a dime, and then reconnect and reattack a completely different site. Now that ... shows that the zombie sophistication is increasing," he told a House subcommittee. "We are going to see more of that happen where ... 5,000 to 6,000 zombies now have all of a sudden become 100,000 -- and now the types of attacks that can kill things like power networks, kill things like water networks ... start to become a very serious reality."
While there are several other practical limitations to generating that kind of attack traffic, the general trend towards larger numbers, spurred by the increased adoption of broadband at home, concerns the SANS Institute's Paller.
"You can't stop the 'DoS' attack. You can't protect yourself against all the vulnerabilities out there," Paller said. "The only way to stop that is to stop hundreds of thousands of machines from being taken over."
Still, other experts say it's important to keep denial of service attacks in perspective. They're nothing new, and in fact, security firms have the upper hand now, they say. In 2000, such an attack shut down a host of major Web sites, including Yahoo.com and CNN.com, for days. Nothing so dramatic has happened since then.
"This has been going on for a while," Pescatore said. "The larger firms really do have the resources to fight these things."