IDG News Service - When the first extortion e-mail popped into Michael Alculumbre's in-box, he had no idea it was about to cost his business nearly $500,000.
The note arrived in early November of last year, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial-of-service (DDoS) attack. Zombie PCs from around the world were flooding, the company's Web site, Protx.com, and the transaction processing server that was the commercial heart of the business.
In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. "You should pay $10,000," Martino wrote. "When we receive money, we stop attack immediately." The e-mail even promised one year's protection from other attackers for the $10,000 fee.
"Many companies paid us, and use our protection right now," Martino's message said. "Think about how much money you lose, while your servers are down."
The attackers had one thing right: Online attacks can be expensive. A 2004 PricewaterhouseCoopers survey of more than 1,000 businesses in the U.K. found that companies spent an average of more than $17,000 on their worst security incident that year. For large companies, that amount was closer to $210,000, the study found. For companies of all sizes, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.
It's Expensive
Law enforcement authorities told Protx that it was the victim of Russian organized crime, Alculumbre says, but criminal extortion is not the only motivation for such attacks. In April, Australian antispyware vendor PC Tools Pty. became a target of spyware companies that didn't want users who were interested in PC Tools' spyware-cleansing software to reach the actual PC Tools Web site.
Customers whose PCs had already been infected by spyware were greeted with fake pop-up windows and shopping carts when they tried to purchase the company's Spyware Doctor product, said Simon Clausen, PC Tools' CEO. Instead of buying his company's antispyware software, they were tricked into purchasing useless products that left their computers infected, he said.
Even links that appeared to be from legitimate Web sites like Google or Download.com were modified on fake pages displayed to users, Clausen said. "Any link that said Spyware Doctor would be redirected to the attackers' sites."
Clausen estimates that as much as 15% of his company's business was lost, representing hundreds of thousands of dollars in missed sales. But the real cost was in lost productivity
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
