What You Need to Know About Cyber Extortion

There is no shortage of things for business owners to worry about: shipping delays, inventory shortages, bad reviews. Add one more to the list: cyber extortion. Recently, a number of Volusion store owners reported receiving emails warning that, unless they pay “a small fee” of 5 bitcoins (~$2,300), a distributed denial of service (DDoS) attack will be launched against their store.

Here is an example of just such an email:

Hello Support,

We are a team of highly skilled independent security consultants. One of your competitors hired us to take your site offline for an entire month (which we have the resources to do but don't like the contact and might be able to work together instead).

We are taking your site offline until we hear from you. Our initial consultation will cost 5 BTC. That price will go up half a btc for every 12 hours we have to keep your site offline. I want to personally assure you that we have the power to keep your site down for an indefinite amount of time. We are the ones who took down xbox live all week (testing ONE of our new servers). In addition to letting your site up and giving you a report of what we found and how to fix it we will also let you know the ONLY way to stop a DDos attack the size we are capable of launching. We will also add you to a blacklist so no one else messes with you.

The BTC can be sent to the following address : 18eJH7jSfStAJB2fzSnqsBYAy2Gdbsrd6f

You can buy btc with cc or bank account at www.circle.com or just google ie.

I know that you are going to try to mitigate but in the end that is only going to cost you a lot more money. You make enough money that just an hour of downtime won't justify the cost. Our team also understands that you will try to mitigate but nothing will stop the attack except my command. Your hosting provider will not be able to help, the authorities won't be able to help you, your firewall is easily bypassed and any ddos service you try to bring in we can bring down (we have done this for a long time). believe it or not we are not the masked attackers stealing credit card numbers. Most of us have families and can't find legitimate jobs in our fields right now and have families to feed.

Regards, GETDD0sed

A DDoS attack sends a website more internet traffic than it can handle. This causes your store to be slow to load or entirely unresponsive when shoppers visit. The volume of traffic for many of these attacks can be staggering. Attacks reaching 500 and even 600 gigabits per second have been reported. That would be equal to almost 20,000 times the amount of traffic the average home internet connection can handle.

A good analogy for this type of attack would be if someone hired a mob of people to walk into a brick and mortar store. Sales staff would quickly be overwhelmed and, at some point, legitimate shoppers would not be able to get through the door. For e-commerce businesses, that means shoppers can’t visit your store and you will see a loss of revenue. Some sources have claimed losses can reach $100,000 in revenue for every hour a site is down due to an attack. Store owners also need to consider the impact on their reputation. Shoppers will be frustrated and lose trust that the store is actually secure.

These attacks are very common on the internet and have been successfully launched against some very recognizable names. Sony’s gaming site and banking giant HSBC are just two of the recent victims.

So what do you do?

Nothing.

That’s right, your best course of action is to do nothing. Do not respond to the email. Do not pay the ransom. There are three very good reasons for this strategy. First, the attackers may send another request later using another name. Second, they may communicate to other groups that you were willing to pay, which could lead to further extortion requests. And third, they may attack anyway, which was the case with this company, which paid the ransom of $6,000.

If you want to take action, let us know. Report the threat to Volusion support and the information security team can monitor your store for any signs of an attack, such as a sudden increase in traffic. Should this occur, rest assured that Volusion utilizes best-of-breed network defense solutions to prevent exactly these kinds of attacks. Think of these as being the doorman to your store. They inspect the incoming traffic to ensure only real traffic (shoppers) can get in and they turn away the malicious traffic (bad guys).

In most cases, the attackers never actually intend to carry out the DDoS. A recent blog post by the CEO of CloudFlare, a leading DDoS prevention company, indicated that despite more than 100 customers reporting threats, they did not find a single example where an attack was launched. Interestingly, the attackers even used the same bitcoin address for ransoms to be sent, which means they would never have been able to tell which victim paid and which didn’t.
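The shared-address observation above can be turned into a triage check over reported threat emails. The following is an added example, not code from Volusion or CloudFlare: it extracts legacy-format bitcoin addresses, drops look-alike strings that fail the Base58Check checksum, and flags any address demanded from more than one recipient. The store names, email bodies and addresses are constructed for the example, and `make_sample_address` exists only to build that sample data.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin address shape: leading 1 or 3, 26-35 Base58 characters in total.
ADDR_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_valid_address(addr: str) -> bool:
    """Base58Check: decode to 25 bytes, last 4 must be the double-SHA256 checksum."""
    if not addr or any(c not in B58 for c in addr):
        return False
    n = 0
    for c in addr:
        n = n * 58 + B58.index(c)
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' encodes a zero byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]

def make_sample_address(hash160: bytes) -> str:
    """Encode a constructed 20-byte value as an address, for sample data only."""
    raw = b"\x00" + hash160 + _checksum(b"\x00" + hash160)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def shared_payment_addresses(reports):
    """Return {address: recipients} for valid addresses seen by more than one recipient."""
    seen = defaultdict(set)
    for recipient, body in reports:
        for addr in set(ADDR_RE.findall(body)):
            if is_valid_address(addr):
                seen[addr].add(recipient)
    return {a: sorted(r) for a, r in seen.items() if len(r) > 1}

# Constructed sample data: addresses and store names are made up for this example.
ADDR_A = make_sample_address(bytes([0x62]) * 20)
ADDR_B = make_sample_address(bytes([0x9A]) * 20)
SAMPLE_REPORTS = [
    ("store-one.example", f"Our consultation will cost 5 BTC. Send to : {ADDR_A}"),
    ("store-two.example", f"The BTC can be sent to the following address: {ADDR_A}."),
    ("store-three.example", f"Pay 5 BTC to {ADDR_B} within 12 hours"),
]
print(shared_payment_addresses(SAMPLE_REPORTS))
```

An address that shows up in reports from several stores supports the reading above that the sender cannot tell which victim paid; it does not rule out a real attack.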

Despite this, some sources are reporting that this tactic has led to over $100,000 in payments being sent to the extortionists from business owners who are worried about the consequences of an attack which could cost them significant revenue.

It is important to note that not all DDoS extortion threats are fake. Volusion has numerous examples where a customer reports a threat and we observe, and mitigate, a subsequent attack. Volusion always encourages you to reach out if you have questions or want to report any security concerns with your store.