We all know about DDoS extortion – the process is straightforward. Contact the company, threaten to launch a crippling DDoS attack that will happen unless the company pays a ransom. But what if the actors do not target the company itself to pay the ransom, but its customers?

DDoS extortion was hot stuff in the first half of 2016. While Europol announced the arrest of members of DD4BC, other actors going by names like Kadyrovtsy and Armada Collective emerged. Although there were less reports of DDoS extortion in the second half of 2016, the public release of the Mirai botnet source code offers new opportunities for extortionists.

We’ve already seen examples of this, in the case of a DDoS against Squarespace. On November 22, 2016, the US-based web hosting and building service Squarespace was affected by two distributed denial of service attacks that affected customers between 0029 EST and 0954 EST. Some customers of Squarespace operate e-commerce sites, therefore it was assessed as likely that financial losses were incurred as a result of the attacks. Twitter accounts responded to statements by  Squarespace, claiming to be a previously known threat actor called “vimproducts”, who has advertised DDoS services on the AlphaBay Dark Web marketplace. These accounts were detected claiming responsibility for the DDoS attacks and attempting to extort Squarespace for up to $2,000 USD.

In one post on Pastebin, the author described it as a “crowdfunded extortion”. While there was no evidence of a ransom being paid, it is possible that it was an attempt by vimproducts to generate publicity for their DDoS-as-a-service offering. The targeting of organizations’ customers is a worrying trend.

Vimproducts Squarespace 

Fig 1: Post on Pastebin claiming to be by Vimproducts

 

Vimproducts service 

Fig 2: Vimproducts advertising a DDoS service on a dark web marketplace

More recently, on November 29, 2016, customers of Valartis Bank received ransom messages from an unidentified actor claiming to possess their account data and demanding 10 percent of their balance in order to prevent their data from being leaked. Valartis Bank’s parent company reportedly confirmed a breach took place but stated only payment order information was obtained. Statements made by the author of the messages published in the Bild newspaper suggested a realistic possibility the attackers had attempted to approach the bank itself prior to contacting customers.

The threat of DDoS and extortion attacks on retailers and e-commerce sites are particularly heightened during the run up to Christmas. Actors will likely deem the busy sales period as an opportune moment to showcase their capability or to cause widespread disruption by targeting retailers.

While the case of vimproducts and Squarespace may have occurred as a secondary approach to gaining a ransom payment, what if this was the first target for adversaries? How prepared would companies be to combat this threat? Organizations should consider such alternative scenarios in 2017, as the public release of Mirai can act as a force multiplier for criminal operations.