Online protection rackets target clearing houses

SC Conference: Hackers are going to tell online clearing companies to pay up or face denial-of-service attacks on their Web sites, according to a security expert

Hackers are to threaten online clearing companies to pay up or face denial-of-service attacks on their Web sites, a security expert has predicted.

Credit card firms use clearing companies to authorise consumer transactions from retailers. According to Richard Starnes, director of incident response for Cable and Wireless, hackers will start taking down the Web sites of these companies unless they pay a ransom.

"These attacks are only launched at companies that rely 80 or 90 percent on Internet trading," said Starnes. "And they usually run on thin profit margins. So when [hackers] launch attacks, they hurt and they hurt badly."

Starnes said that by flooding Web sites of clearing houses with data, the attackers would automatically block databases from sending 'accept' or 'deny' commands back to the retailer. It was this that the hacking groups would prey on, he said.

"The organisations that are carrying out DoS attacks know exactly what they are doing," said Starnes. "It's not limited to online gambling. There are other vertical markets that are also being targeted."

A spokeswoman from the National High Tech Crime Unit said: "Any company that does all or most of its business online needs to ensure that its security is up to date and they are flexible to deal with attacks because they are at risk."

Starnes hinted that the small number of attacks he had seen were coming from Russia and Eastern Europe: "It's safe to say that this falls into the category of the usual suspects."

Last year, online betting companies experienced similar attacks. Alan Paller, the director of research for security organisation SANS recently claimed that every online bookie was being hit with the extortion attacks.

Starnes was speaking at the Secure Computing Conference in London.