Hackers are now resorting to extortion and threats of cyberattacks in order to get financial companies to pay up, and in some cases it’s working.
Since April, more than 100 big banks and brokerages have received distributed denial of service (DDoS) threats, the Federal Bureau of Investigations Agent Richard Jacobs told MarketWatch late last week.
Hackers issue these threats by demanding companies pay a certain amount of money, which typically runs in the tens of thousands of dollars, or risk their websites being jammed up with traffic and rendered useless.
And many would rather just pay up than face the consequences.
In some cases, the companies that pay hackers to back down end up becoming even bigger targets because they show a willingness to engage. But if firms are able to trace back the threats, they may be able to determine how likely the criminals are to follow through if their demands are not met.
"There are some groups who typically will go away if you don’t pay them, but there’s no guarantee that’s going to happen,” Jacobs told MarketWatch, noting that not all of the companies that are targeted will actually experience attacks.
According to information services and analytics company Neustar, a distributed denial of service outage could result in the loss of more than $100,000 an hour for targeted companies in the financial sector.
While DDoS attacks are nothing new (many banks faced these types of threats in 2012 and 2013), recent years have seen an increase in the number of reported incidents. Earlier this year, Banque Cantonale de Geneve (BCGE) of Switzerland refused to pay a ransom and faced hackers releasing the information of 30,000 of its clients.
A group calling itself Rex Mundi said it hacked into the servers of BCGE and downloaded 30,192 emails from customers. The group provided the text of two of the emails as proof, and demanded that the bank pay a ransom of €10,000 ($12,000) or the group said it would publish the messages.
In an effort to combat DDoS attacks, as well as provide companies with guidance on how to handle them, the Federal Financial Institutions Examination Council issued a joint statement notifying companies about the risks associated with DDoS threats and a six-step guide for risk mitigation.
When attacks do happen, Jacobs told MarketWatch the FBI does not provide guidance on whether to pay or not pay hackers. Instead, it really comes down to determining if not paying is worth the risk.
"How important is that access to that website to your business? They have to make their own calls,” Jacobs said. “If you’re a discount broker and that’s the only way your customers can trade, that would be a concern. If it’s just a website that’s used for general news and information, maybe it’s not so difficult to have it down for an hour or two."
In its ongoing attempts to bring cybercriminals to justice as quickly as possible, the FBI announced the offering of $4.2 million in reward money for helping to bring down those on its Top 5 most-wanted list.
The hackers sought by the FBI have been tied to theft of sensitive data including health care, employment and banking information. In other cases they have persuaded victims to pay a ransom to regain control of their computers or devices, and they have even been accused of running “fake” online auctions.