In response to a Krebs on Security report detailing a new email-based extortion scheme that targets website owners serving banner ads through Google’s AdSense program, security awareness experts commented below.

Information Security Buzz (aka ISBuzz News) is an independent resource that provides expert comments, analysis and opinion on the latest information security news and topics.
Extortion techniques used by network-based DDoS attackers are now resurfacing. The new wave of business logic attacks is using advanced bots that can mimic human behavior and use hyper-distributed IPs to cause serious disruptions. With dwindling revenues from network DDoS attacks and increasing access to low-cost infrastructure, attackers are improvising and moving up the chain. As more commerce shifts online, attackers will find ways to monetize. Automated threats should be evaluated as a business risk, and every digital business should account for them and deploy bot management solutions to protect their users and proprietary content.
This is quite an interesting attack which seems to be an evolved form of DDoS (distributed denial of service) attacks. Whereas DDoS attacks are usually launched against large organisations to bring them down for a period of time, this particular threat goes out to website owners and tries to extort them or risk losing AdSense revenue.
It’s not clear whether this is a mere threat or whether the criminals actually have the capability or intention of following through with their demands. But it is not something that is outside of the technical capabilities of many criminals, particularly with the large number of IoT devices that get continually compromised and added to botnets.
In the big scheme of things, these are not new threats. We’ve seen variations of these over the years, and they will continue to evolve. The important thing is for people to not give in to such demands. If they are worried, they should contact Google for AdSense support.
This is a very interesting attack – a new approach and I don’t see much that surprises me often in the cybersecurity attack world. The bigger question is could Google detect this sort of fraud if it occurred? What generally happens in previous cases of fraud attacks is that it isn’t detected at all initially. The vendor’s attack sensors see it as a valid attack and they block it, accidentally causing a false-positive self-denial of service attack of their own doing. Once the vendor hears enough complaints though and confirms the fraud attack, they can change their sensors to try and rule out or stop the false-positive attacks. The question is how long it takes the vendor to go from “this is a real attack” to “this isn’t a real attack” to “we can tell the difference between a real and fake attack”? Some vendors can do it quickly and for others it takes months and years. The last question to ask once the vendor is aware of the fake attack is how hard is it to develop a sensor that can tell the difference between real and fake attacks and how many false-negatives and false-positives they get. I would suspect that Google will respond quickly along with the best if this actually becomes a frequent attack.