Extortion: How attackers double down on threats
Ransomware is one way cybercriminals can pull off an extortion attack, but attackers have a number of other tools in their arsenal to make their campaigns evermore costly for victims.
Cyber extortion definition
In this episode of Cyber Work Applied, Infosec Skills author John Wagnon walks us through a series of attempted extortion attacks against a group of financial institutions — and what we can learn from them.
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Cyber extortion examples
Below is the edited transcript of John’s cyber extortion walkthrough video.
What is cyber extortion?
(0:00- 0:35) You've just been breached or threatened with a cyberattack, and now comes a new demand: pay up or it's only going to get worse. Extortion threats like these are not new. What is new is that they've become the norm rather than the exception for a number of cybercriminal groups.
I'm Infosec Skills author John Wagnon, and in this video, I'm going to walk through how extortion is being adopted by cybercriminals. I'm going to tell you a real-life story about a series of attempted extortion attacks against a group of financial institutions.
Phishing simulations & training
Cyber extortion examples
(0:36- 1:27) Cybercrime can be monetized in a variety of ways, but extorting victims directly is often the simplest and most scalable form of attack. Over the past few years, we've seen extortion being added to all types of attacks.
Even ransomware actors, which by their nature are extortionists, are now performing double extortion attacks. Pay up to regain access to your encrypted files and do it by a certain date, or we'll also sell or publicly release all the stolen data.
And it's not just organizations who are being extorted. Cybercriminals may contact individuals who've had sensitive data stolen and pose a similar threat. Pay me a fee, or I'll release your stolen data to your family, friends and social networks. And when it's health data, financial data or data from other thought to be private websites, these types of messages can be particularly effective.
DDoS extortion attacks
(1:28- 2:15) Sometimes cybercriminals attempt extortion with the threat of doing something in the future as is the case with some DDoS extortion attacks. Let me tell you about one such case involving a number of financial institutions.
Several financial institutions in the Asia Pacific received notes from an attacker group that was posing as a different, very well-known attacker group. The notes each told these companies to pay money or else they would launch attacks against them, and then they launched attacks — a scaled-down attack at several companies to prove their point.
The companies got very nervous, and some decided to pay while others decided to harden their defenses and stop the attack. Meanwhile, other financial companies who had not yet received these notes also got nervous because they might be next.
DDoS amplification attack example
(2:16- 3:17) The attackers used a botnet to launch amplification attacks against these victim websites. The peak volume was about 50 gigabits per second, which was large enough to consume the resources of these victims' sites.
So the way that they launched these attacks is they used open DNS, NTP, CLDAP and SSDP and those types of servers on the internet that ride on the UDP protocol or the uniform datagram protocol, which is a connectionless-oriented protocol. That means the sender doesn’t establish a connection with the receiver; rather, the sender just sends the data and hopes that the receiver gets it.
But what this does is it opens the door for attackers to use that underlying protocol to launch DDoS amplification attacks, and in these cases use servers like DNS, NTP, CLDAP and SSDP.
How DDOos amplification works
(3:18- 4:08) What the attackers would do is find these open servers on the internet, and they would send small requests to the servers. They would spoof the sender's IP address and make it look like the victim sites were the ones that were sending these requests. Then these vulnerable servers would then respond with the responses, but they would respond to the victim websites.
The net effect is that a flood of information hits these victim websites. They never asked for the information to begin with, but that's the nature of how these attackers launched this attack.
When you have a botnet that has thousands or maybe even millions of computers all sending requests at the same time, and the responses to the request are very large, it saturates the bandwidth of these victim websites, and they just can't keep up.
How to mitigate DDoS attacks
(4:09- 5:19) The mitigation for this was to block the UDP ports for those specific services at the edge firewalls. Another thing that these attackers use is an HTTPS GET flood. The nature of this portion of the attack was to have the same botnet hit a specific log-on URL and consume the ability for legitimate users to log in to that same URL.
Many companies used security features like rate limiting to limit the number of logons to that specific URL. In rate limiting, you essentially say to the edge security device, “Hey, you can only have this many attempts or users in a certain period of time.” That limits the attackers from being able to exploit that specific URL during a certain period of time.
So as the attack unfolded, the real attacker group found out about all this, and they didn't like the fact that someone else was launching attacks using their name. So they pointed at the posing attacker group that was doing the attack, and they started attacking them, and they ended up shutting them down and stopping the attack.
See Infosec IQ in action
Training with Infosec Skills
(5:20- 5:34) So you can see these attacks are serious. It's important to understand how the attacks work and how you can mitigate them. Check out my Infosec Skills learning path for more information on common attacks and how you can protect against them.
More cybersecurity training resources
Want more free resources? Check out the weekly Cyber Work Podcast for in-depth conversations with cybersecurity practitioners and industry thought leaders.
Cyber Work listeners also get other free cybersecurity training resources. Check out the latest free courses and resources to keep learning!
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Extortion: How attackers double down on threats
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
- Phishing-as-a-Service
