By silicon.com, 24 February 2004 12:30
A new breed of hacker is starting to become ever more active on the internet - those who will extort money from businesses in return for not damaging their website. Hackmail - where hacking meets blackmail.
One fairly typical scam works along the lines of making a tiny change to a website and then informing its owners that a far more serious change is on the way if they don't pay up. A variation on the popular 'pay us not to smash up your pub' protection rackets of the East End - an ultimatum which was normally delivered after a little initial damage had already been caused.
Another approach is to threaten a denial of service attack unless a compelling financial reason not to is forthcoming. And the power of a denial of service attack should not be underestimated - SCO was crippled for several days following an attack on its website.
This latter approach has come to light this week with news that a number of online bookies are being hackmailed in the run up to a spate of major sporting events, culminating in the summer with Euro 2004 and the Olympic Games.
The Sporting Calendar really kicks off in earnest for bookies on 18 March with the Cheltenham Gold Cup, followed by the running of the Grand National on 3 April. After that there are FA Cup semi-finals, The Derby and Ascot with the added money spinner of the summer's two major quadrennial tournaments. Not forgetting Wimbledon, Test Cricket and the constant coffer-swelling race meets taking place from Kempton to Kelso, via Lingfield and Leicester.
Or to put it another way - the bookies absolutely cannot afford for their websites to go down. Serious downtime would now be measured in terms of millions, rather than hundreds or thousands of pounds.
And that's the lure for the criminals behind such scams. The cost of paying off the criminals is invariably preferable to the cost of letting them 'bring it on'. But if ever there was a case for fearing that paying up will only lead to more trouble further down the line then this is it.
The long-term problem is that this isn't going to go away - no matter how many people companies pay off, the threat will never go away, especially when word gets out they are a soft touch. There will always be some other potential exploit and somebody else who sounds like they mean business.
Within law enforcement circles it is feared that many tight-lipped companies have opted to pay out - rather than risk the negative press of being linked to such criminal activity, or risk the ire of the hackmailer.
Online bookies have worked hard to present themselves as sound financial businesses - working in the leisure industry rather than the vice trade. To go to the police now and start talking about racketeering and scams would be seen as a retrograde step.
But that is exactly what must happen. Businesses being threatened in this way must go to the authorities so an understanding of the scale and severity of this issue can be gained and so action can be taken against those who would perpetrate such scams.
Similarly companies must adopt the strategies of many pubs looking to protect themselves. They must - hire the biggest, baddest bouncers in the business.
If you want to keep the criminals out of your business then you need to ensure your techies and your technology are the meanest 'door security' in town.


Comments
1. James Noonan
Hackmail: too confusing, it puts the emphasis on "mail". I assumed from the title it would be about all these nasty MyDoom variant viruses.